Resubmissions
14-03-2024 11:45 | 240314-nw4b5sbb5v | score 10
13-03-2024 15:01 | 240313-sdxtvsfh9x | score 10
13-03-2024 14:22 | 240313-rpjkyagg56 | score 10
Analysis
max time kernel: 213s
max time network: 658s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
submitted: 14-03-2024 11:45
Static task: static1
Behavioral task: behavioral1
Sample: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
Resource: win11-20240221-en
General
Target: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
Size: 242KB
MD5: 8f44c565b6605afccbab295faaf420b8
SHA1: a9fc5e1ca19b7034f846b12ee2e5890d8c64f3b3
SHA256: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0
SHA512: cdbf40c2def3a3dc45ac006f99ebff60d936eff53d2b16236f0424285a1749e847ee1180daa0e9e256bd86e44e76cdbc2b83d5afd1e8db1edb699d0b95900206
SSDEEP: 3072:sY1hNzde2qx1Y7CzY8hv2BXhssNPhslWeQYmbd/5NOVAAC:11Twx2uzYvVhsspSlWbYId
Malware Config
Extracted
Family: smokeloader
Version: 2022
C2:
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Extracted
Family: amadey
Version: 4.17
C2: http://185.215.113.32
install_dir: 00c07260dc
install_file: explorgu.exe
strings_key: 461809bd97c251ba0c0c8450c7055f1d
url_paths: /yandex/index.php
Extracted
Family: redline
Botnet: LiveTraffic
C2: 20.218.68.91:7690
Extracted
Family: amadey
Version: 4.17
C2: http://185.215.113.32
strings_key: 461809bd97c251ba0c0c8450c7055f1d
url_paths: /yandex/index.php
Signatures
Detect ZGRat V1 8 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\F1C1.exe | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\F1C1.exe | family_zgrat_v1
behavioral1/memory/1376-228-0x0000000000550000-0x0000000000AEE000-memory.dmp | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe | family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe | family_zgrat_v1
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc
Set value (int) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
description | ioc
Set value (int) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2336-133-0x0000000000400000-0x0000000000450000-memory.dmp | family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe | family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorgu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | random.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | B44C.exe
Blocklisted process makes network request 2 IoCs
Processes:
flow | pid | process
13 | 2052 | rundll32.exe
14 | 4628 | rundll32.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | random.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | B44C.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | B44C.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorgu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorgu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | random.exe
Deletes itself 1 IoCs
Processes:
pid | process
3304 |
Executes dropped EXE 14 IoCs
Processes:
pid | process
1488 | B44C.exe
1532 | 3006.exe
1416 | 3006.exe
2168 | explorgu.exe
2940 | osminog.exe
3020 | goldprime1234.exe
1376 | F1C1.exe
2472 | CCC0.exe
2568 | EEE0.exe
3728 | alex12341.exe
2064 | olehpsp.exe
1180 | TWO.exe
3832 | dais.exe
4700 | random.exe
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Wine | B44C.exe
Key opened | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Wine | explorgu.exe
Key opened | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Wine | random.exe
Loads dropped DLL 6 IoCs
Processes:
pid | process
468 | regsvr32.exe
1416 | 3006.exe
1172 | rundll32.exe
2052 | rundll32.exe
4628 | rundll32.exe
1376 | F1C1.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
behavioral1/memory/1416-52-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral1/memory/1416-55-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral1/memory/1416-56-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral1/memory/1416-57-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral1/memory/1416-58-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral1/memory/1416-59-0x0000000000400000-0x0000000000848000-memory.dmp | upx
Unexpected DNS network traffic destination 1 IoCs
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Processes:
description | ioc
Destination IP | 91.211.247.248
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" | explorgu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000874021\\random.cmd" | explorgu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | 3006.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc
File opened (read-only) | \??\D:
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1276 | ipinfo.io
1535 | ipinfo.io
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | EEE0.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid | process
1488 | B44C.exe
2168 | explorgu.exe
Suspicious use of SetThreadContext 5 IoCs
Processes:
description | pid | process | target process
PID 1532 set thread context of 1416 | 1532 | 3006.exe | 3006.exe
PID 3020 set thread context of 2336 | 3020 | goldprime1234.exe | RegAsm.exe
PID 2940 set thread context of 4372 | 2940 | osminog.exe | RegAsm.exe
PID 1376 set thread context of 960 | 1376 | F1C1.exe | MsBuild.exe
PID 3728 set thread context of 1056 | 3728 | alex12341.exe | RegAsm.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorgu.job | B44C.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 5 IoCs
Processes:
pid | pid_target | process | target process
4248 | 4372 | WerFault.exe | RegAsm.exe
1716 | 960 | WerFault.exe | MsBuild.exe
4148 | 960 | WerFault.exe | MsBuild.exe
2936 | 2472 | WerFault.exe | CCC0.exe
11908 | 6024 | WerFault.exe | RegAsm.exe
NSIS installer 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe | nsis_installer_2
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
8312 | schtasks.exe
5664 | schtasks.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid | process
3304 |
3304 |
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1612 | c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
3304 |
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3304 |
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
1612 | c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
pid | process
224 | msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3304 |
Token: SeCreatePagefilePrivilege | 3304 |
Token: SeDebugPrivilege | 2940 | osminog.exe
Token: SeDebugPrivilege | 3020 | goldprime1234.exe
Token: SeDebugPrivilege | 2124 | powershell.exe
Token: SeDebugPrivilege | 3400 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3400 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3400 | taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
3400 | taskmgr.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
3400 | taskmgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
3304 |
3304 |
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3304 |
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3304 wrote to memory of 1488 | 3304 | | B44C.exe
PID 3304 wrote to memory of 2000 | 3304 | | regsvr32.exe
PID 2000 wrote to memory of 468 | 2000 | regsvr32.exe | regsvr32.exe
PID 3304 wrote to memory of 1532 | 3304 | | 3006.exe
PID 1532 wrote to memory of 1416 | 1532 | 3006.exe | 3006.exe
PID 2168 wrote to memory of 2940 | 2168 | explorgu.exe | osminog.exe
PID 2168 wrote to memory of 3020 | 2168 | explorgu.exe | goldprime1234.exe
PID 3020 wrote to memory of 2336 | 3020 | goldprime1234.exe | RegAsm.exe
PID 2940 wrote to memory of 4372 | 2940 | osminog.exe | RegAsm.exe
PID 2168 wrote to memory of 1172 | 2168 | explorgu.exe | rundll32.exe
PID 1172 wrote to memory of 2052 | 1172 | rundll32.exe | rundll32.exe
PID 2052 wrote to memory of 3544 | 2052 | rundll32.exe | netsh.exe
PID 2052 wrote to memory of 2124 | 2052 | rundll32.exe | powershell.exe
PID 2168 wrote to memory of 4628 | 2168 | explorgu.exe | rundll32.exe
PID 3304 wrote to memory of 1376 | 3304 | | F1C1.exe
PID 3304 wrote to memory of 3400 | 3304 | | taskmgr.exe
PID 1376 wrote to memory of 960 | 1376 | F1C1.exe | MsBuild.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1612
-
C:\Users\Admin\AppData\Local\Temp\B44C.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\B44C.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
PID:1488
-
C:\Windows\system32\regsvr32.exe (level 1)
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E967.dll
- Suspicious use of WriteProcessMemory
PID:2000
-
C:\Windows\SysWOW64\regsvr32.exe (level 2)
Command line: /s C:\Users\Admin\AppData\Local\Temp\E967.dll
- Loads dropped DLL
PID:468
-
C:\Users\Admin\AppData\Local\Temp\3006.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\3006.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1532
-
C:\Users\Admin\AppData\Local\Temp\3006.exe (level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\3006.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1416
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2168
-
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID:4372
-
C:\Windows\SysWOW64\WerFault.exe (level 4)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1128
- Program crash
PID:4248
-
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID:2336
-
C:\Windows\SysWOW64\rundll32.exe (level 2)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172
-
C:\Windows\system32\rundll32.exe (level 3)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052
-
C:\Windows\system32\netsh.exe (level 4)
Command line: netsh wlan show profiles
PID:3544
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\637591879962_Desktop.zip' -CompressionLevel Optimal
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
C:\Windows\SysWOW64\rundll32.exe (level 2)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
- Blocklisted process makes network request
- Loads dropped DLL
PID:4628
-
C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3728
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID:876
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID:1056
-
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe (level 4)
Command line: "C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"
- Executes dropped EXE
PID:2064
-
C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe (level 4)
Command line: "C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe"
- Executes dropped EXE
PID:1180
-
C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe"
- Executes dropped EXE
PID:3832
-
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:4700
-
C:\Windows\SysWOW64\schtasks.exe (level 3)
Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
- Creates scheduled task(s)
PID:8312
-
C:\Windows\SysWOW64\schtasks.exe (level 3)
Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
- Creates scheduled task(s)
PID:5664
-
C:\Windows\SysWOW64\cmd.exe (level 2)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000874021\random.cmd" "
PID:2496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:224
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb30603cb8,0x7ffb30603cc8,0x7ffb30603cd8
PID:3012
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
PID:1388
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
PID:760
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
PID:2816
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
PID:1580
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
PID:1208
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
PID:904
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
PID:5264
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
PID:5420
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
PID:5516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5624 /prefetch:8
PID:5296
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5888 /prefetch:8
PID:5836
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8
PID:6028
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
PID:2600
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
PID:5148
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
PID:5836
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
PID:1732
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2660 /prefetch:8
PID:5684
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,15283687223561376014,355363841788225220,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6772 /prefetch:2
PID:9556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
PID:4512
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffb30603cb8,0x7ffb30603cc8,0x7ffb30603cd8
PID:1168
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,11600439447427278000,4273508431963935441,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
PID:1340
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,11600439447427278000,4273508431963935441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 /prefetch:3
PID:3556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
PID:4392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb30603cb8,0x7ffb30603cc8,0x7ffb30603cd8
PID:4940
-
C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe"
PID:6412
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
PID:2272
-
C:\Windows\SysWOW64\rundll32.exe (level 4)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
PID:8000
-
C:\Windows\system32\rundll32.exe (level 5)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
PID:5344
-
C:\Windows\system32\netsh.exe (level 6)
Command line: netsh wlan show profiles
PID:6944
-
C:\Windows\SysWOW64\rundll32.exe (level 4)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
PID:6852
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe (level 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe"
PID:7520
-
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe (level 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe"
PID:10988
-
C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe"
PID:6680
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID:6024
-
C:\Windows\SysWOW64\WerFault.exe (level 4)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 1132
- Program crash
PID:11908
-
C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe"
PID:9220
-
C:\Users\Admin\AppData\Local\Temp\1000936001\toolspub1.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000936001\toolspub1.exe"
PID:11240
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4372 -ip 4372
PID:3548
-
C:\Users\Admin\AppData\Local\Temp\F1C1.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\F1C1.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe (level 2)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID:960
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1124
- Program crash
PID:1716
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1100
- Program crash
PID:4148
-
C:\Windows\system32\taskmgr.exe (level 1)
Command line: "C:\Windows\system32\taskmgr.exe" /0
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3400
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 960 -ip 960
PID:3184
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 960 -ip 960
PID:4388
-
C:\Windows\System32\rundll32.exe (level 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:4668
-
C:\Users\Admin\AppData\Local\Temp\CCC0.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\CCC0.exe
- Executes dropped EXE
PID:2472
-
C:\Windows\SysWOW64\WerFault.exe (level 2)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 512
- Program crash
PID:2936
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2472 -ip 2472
PID:652
-
C:\Users\Admin\AppData\Local\Temp\EEE0.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\EEE0.exe
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2568
-
C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:3820
-
C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:5316
-
C:\Windows\system32\AUDIODG.EXE (level 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8
PID:5588
-
C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:5820
-
C:\Users\Admin\AppData\Roaming\bdasdga (level 1)
Command line: C:\Users\Admin\AppData\Roaming\bdasdga
PID:7688
-
C:\Users\Admin\AppData\Local\Temp\617C.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\617C.exe
PID:3784
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
PID:5024
-
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
PID:9776
-
C:\Users\Admin\AppData\Local\Temp\april.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\april.exe"
PID:7360
-
C:\Users\Admin\AppData\Local\Temp\is-DAADB.tmp\april.tmp (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-DAADB.tmp\april.tmp" /SL5="$30458,1478464,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
PID:6672
-
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe (level 4)
Command line: "C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -i
PID:6488
-
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe (level 4)
Command line: "C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -s
PID:9696
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID:8116
-
C:\Users\Admin\AppData\Local\Temp\3E7F.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\3E7F.exe
PID:7552
-
C:\Users\Admin\AppData\Local\Temp\is-7IPG4.tmp\3E7F.tmp (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-7IPG4.tmp\3E7F.tmp" /SL5="$40420,1634991,54272,C:\Users\Admin\AppData\Local\Temp\3E7F.exe"
PID:9112
-
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -i
PID:9668
-
C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -s
PID:5452
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID:9444
-
C:\Users\Admin\AppData\Local\Temp\3880.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\3880.exe
PID:8764
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe (level 1)
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
PID:5048
-
C:\Windows\system32\taskmgr.exe (level 1)
Command line: "C:\Windows\system32\taskmgr.exe" /0
PID:5904
-
C:\Windows\system32\taskmgr.exe (level 1)
Command line: "C:\Windows\system32\taskmgr.exe" /0
PID:8380
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID:5220
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID:11476
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6024 -ip 6024
PID:10772
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6024 -ip 6024
PID:5220
-
C:\Windows\system32\werfault.exe (level 1)
Command line: werfault.exe /h /shared Global\cd0e42c921a94894b7f746395ef78e5a /t 9576 /p 5904
PID:8620
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
PID:5864
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
- Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Modify Registry (4)
- Pre-OS Boot (1)
- Bootkit (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Unsecured Credentials (4)
- Credentials In Files (3)
- Credentials in Registry (1)
Downloads
SHA5127ce5f78643c2ba88d20077bba47da91fcbc27ce1eea4569837d39d160ab4ef3436bdbe33b4bbe1b4bb272553a3500f96ea45db5e922f21449f858fcfcbecee26
-
Filesize
874B
MD555455fecbd117748522b26ef89939eb6
SHA145abed1f15a0d1b5ae90c8c0e61234e8e8e53213
SHA256149763b55666d3b14259913d332e9db81856f2bbed9fdce256e2d03cca6009e4
SHA512571e531776d51097007c4ff27a003ea0f0dc29b61c2e39c6743af87b328fc94d75b4105d692ba9b569c42a1c7f9ccad0d8439706e81630aabc9348ac68f635b7
-
Filesize
874B
MD57a215e269de7d3e8a81359c0434c7a69
SHA18a8b63b1b2a0008ad6e9c8605822eca01b9da646
SHA25649e0554b76f949948567f52bc02f5323b54cf88b04f914996cd2275ac2252d6d
SHA512059c574e7140d6999aaec21b3c7cd1358f228c85e706fca1626acf85292fa4a1148bb79d91d0c443518efc02ddfe3228747125a4befeb4108d6c07cb983367e4
-
Filesize
874B
MD5270db498696e01c16f00424c1ef1d8ce
SHA14157a6aa106023bdff26c3f2d3d0f8ee17448ebe
SHA25625c52eea27a0802af8dcc012424ccf2eb2c1cf9d0283d9fbd8bc7c9ac1d162e0
SHA5128f3bd64f411642044e5944d88f0d9eb4cf605097ba91bc53bc3b50a4e471412ee42992dae6d2a62e9bc0ff150275bd864e698016477e9e87bd007c32b0190b09
-
Filesize
874B
MD51de9119cd8cc0834003fa4d779d22754
SHA11f67d9abd601d78d635a5fadfe5cdfe1642568bf
SHA256376a95032465cbc88b7244ffa5588adbcdd91cf0bd785bbd00d8ce37a479fd98
SHA512d53c6a4ba2ee34631e067595823ecc9fc947e1ab5322d8a035a5697ca12644a42040fa756501ab9456792976e5cec85e06ec21ae1e083945a991655d87b97758
-
Filesize
707B
MD528e47ac79883b63cacd40e6b91db7e57
SHA1871db53115e772e70f93bf4e158cc0cd7c934e3c
SHA25661ec1bdca8db0569edd5a4ea807a88a78ee502d2a313b14fab99996ea74971cb
SHA5122dff33fea309baad9f2ebf861d38f69350b9d5fc4b6ee6b7e13fa6d7148a2b7d5b51820a99ce480673699bf5a5ba345c4faaf1f1b19175cb443f02f4a473cb0c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD565bf07bb7a211b110d43ce685bcd6cd2
SHA127e8ee53db360181692e9d867d94bab0932968f3
SHA256e18ec90b2cc6a89cf29497e6ad24ce296bd68dc7ffcd145c621684caea26ccd1
SHA5120f032f97304c854e5795d6f03230fa59b517d86f6aa7ec0add6c4a268bd8aad0bc04d82044546682c41c8b0ef7af353e4406d45c850e45e03d76e51eb3baab35
-
Filesize
11KB
MD5b51d3f5f20f6a2bde90a546502b593b6
SHA1e19cb2e5009cbe798325f3505841039bb6886d53
SHA256ce464ae9ac166e380a677c80d43d29aa00a744a21952e1968f687085498574dd
SHA512a516cde79ef7af44ce37694b3a54b1c60e1b5b0555fb40d2aa40bc151a3af54979f801a500ef0aacf40923ce1fff28c6bb5b131929a66c202b58ff8efa4047ee
-
Filesize
11KB
MD58e69565860f98ab009c45d1aeb2a28cb
SHA1574b6a7c8beb5339a59ed63e64555c050b4404f1
SHA2564d84e4c87cf869dd40f25f618fc90801f953c54292edb01acdb18bf56df992f8
SHA512abfd64812dd85ce440fe312654992346ff796618493cc798c80f87454a9c01ae98b8e342b93ec9b6532fc14a49d166e241fcc94d95a34be0bce01a5df12f785e
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
1.6MB
MD5e712319f829bb8cd615b7c2cc97c97e3
SHA10bcdf2d7e6414b2282669871694e12e96c4ffe90
SHA25609a291d9a0b89ef5c54703dbbbebab48175f5265aacae397e1f5c366d544250b
SHA51258b9f2f21b0ba75d5c3985e16949f3deb5ca7e18049e1e4bbd19faac8c472a41f49cb23098815b4dd7484e8db63efb4e1d0d0c5192659750ab558314c8072e42
-
Filesize
1.2MB
MD5e05fdc969c15296b1a90da509294ed10
SHA19d71ee83bcd71b57d1795046c4d4f933202c34cf
SHA256288ec4a87b88bc2077f77d2f6511fde993427394245ece02543479b61cb8b37a
SHA5129bad15184f8257d3937f88bb0454dc97c4616dd16db3e833206134ccbec398cd1c6fc843f315326f956cba7dfd8e9652b9733219d08b21e9648dd51fc012d0e5
-
Filesize
534KB
MD5a3f8b60a08da0f600cfce3bb600d5cb3
SHA1b00d7721767b717b3337b5c6dade4ebf2d56345e
SHA2560c608a9b1e70bf8b51a681a8390c8e4743501c45b84cf4d59727aba2fc33cadb
SHA51214f63e415133ca438d3c217d5fb3ecf0ad76e19969c54d356f46282230230f1b254fbfc8ae5f78809dc189a9648be2dc1398927b3f089c525cd1105a3843f60d
-
Filesize
555KB
MD50c4fee8706a8ea370b7a272b7c5bbc85
SHA1bda2a1ebc921db843d06aa5074884207ccbe9242
SHA2569ec8397acd7c4106763ba84f4ebe1fd1cf39b4b0de442be8f89cd57de6151aac
SHA512dd2c1d00325533db2cc5fe14ab52747182a494a2524e4f891e3dcd3ce2ab9685322a9fe1f5f2bd2b9808d6f1efab2a9cdfcc762016935464a7ddd237e620f9a4
-
Filesize
4.3MB
MD56ae8bb98a051394f17d438a323043de2
SHA1b92b1b2d69c11dcd0ed7dda14fd85e31e2ec72df
SHA25696ba68504544a72a6f0cfa9622e8f475f5e779f4df1c1dc4be2be87ff3ec284b
SHA5129708c78f1c7f8cd2f7c4e399940b8beb2ce341f10babd8acb961db05721cc15fd04ae9a1980545f1ddbf9054b5761a9b688329ebcc29289a6e462291ace4841b
-
Filesize
1.7MB
MD52b648280f8c5e94477ba7521982c0375
SHA1c7d31fd2ae975ae8f409f47dfb044e3972e548c0
SHA2560c3419ff8ddebff25027285ff876f30569e7915b993930411b230cfbf3e52214
SHA512168265315dfcfd666cb681da84d0616fb74f9e389073a5a377acbca45320206097f59cc629ea93b8618ec8a265ef6a0a0d5e4a45f26ef133f53ca40234eb314f
-
Filesize
310KB
MD51f22a7e6656435da34317aa3e7a95f51
SHA18bec84fa7a4a5e4113ea3548eb0c0d95d050f218
SHA25655fbfaaeee07219fa0c1854b2d594a4b334d94fad72e84f9f4b24f367628ca6c
SHA512a263145b00ff21ecaf04214996f1b277db13bdc5013591c3c9cf25e9082fc99bc5e357f56aba4cea4dbcc68f85262fe7bbd7f1cec93cde81c0b30dae77f1b95e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
3.0MB
MD52b62ddfa9c96cf01598569d4de667dd0
SHA14003a8d4227e816ba8e80bfd6db341e3bd8cf4be
SHA25696e553e13562bd052411b7d6a913779946c11c30a9e1c736f48d2f721badf462
SHA512c9fa8bff091d1782e42e13ffaee84e5f2c98604accbf24a27b779a388ac5d0f290afa4bff14359127215c59d97ee722df22c17bb8f77c50b13b9b126e94f62b7
-
Filesize
2.0MB
MD5f9da0b608cc297351c0f664283fc86cf
SHA102000aae3546cffd8c1e20f5b00f242695f453fa
SHA256dfca6745856d910aa5d0e4f6508d808946766a97f4764ec35a724a7575d2e92e
SHA5125adb675986dfbd8fbc8d5f95260941096c6faebff3197800e91398b399790a3b5cd250d6ee229e780e75f1550a4009991741f4084ad0304802dc48f8bac4f10d
-
Filesize
1024KB
MD55c7828cf9de5e778c2a212cff9de1252
SHA17e428673c6a7dd5f329fe58fcce9688bda522ce4
SHA2560e367e9da1bc639dddd9f6fac190f55cf4667f7642cc1e1bc8f2acd6a5520337
SHA512a4a1adbf829ad24453a2098c0afe0ffaa113104f8992a4c775fa557369c39faf4084821167eabe1b7415aa53ee21777e1ca9e37749e12f5759475976e0de3671
-
Filesize
104B
MD57ca00195b480ee284ddaebfea321f27e
SHA1a9ef34c03c1285c450b0414a20fce7f9533f7fa6
SHA256c133cb730f4483b60434981714e8544a30bdb422376495c74aabeb16b13fd5d6
SHA512c78ba3153ac0999f71c1ab0e5c4738e2e46d03f6567045e8c5ec3bd7157adabe4ce61b56554c546ce6070f09c84f26a64354ffaef0bf32175a4b40c27d4a3035
-
Filesize
192KB
MD5496b75d209831cb8345c35b7abe59057
SHA137f2388ed50ad73b989e7885f632cffa72291e6e
SHA2561f660ccec27336f1f2491db0f4ac532271dd2d144a57760c0c4723a6216b50fb
SHA5127821edc7a2c493b8e2c52d755015c6bbfe10ce10ab2d77949bfae1881fc7676cbd65e7c9c8b91e4f7af34d56f80b0ef11547936c8d546f9134b899145e3b5087
-
Filesize
192KB
MD5f59dabd1309e8fb292d7d997974f6c13
SHA138062eaf89b0a50cb3482d921f01f68b706f05ba
SHA256d43aa50a185a1acbcb6873d935833d4d6341bba82052ba8057c883e2d3a5e800
SHA512b7fd6a56ff701ad75c23e97a683281a95c85884256330a46327a656ee1697867ba389d77e3a06bc3612a23288bf6e46daf1ec6f088f7407e2ce278c7f0a772b8
-
Filesize
896KB
MD56028456bdbede902999333597e720871
SHA1fb1b51d3b46b767a24f950a6b0c41f6a9cc4eaf6
SHA256c59e4f36f1f0e0bdb05b899a47a4857b9aad387fa7cb2f8eb2a3c490960e960e
SHA5126f820aa57812aaa1b2c4f3cfee5435b304520031050f6a35f5ac068bb9fb531ccf9c3a01d327280adbb87ea6e4a9995cd144da71e7e4d45ce92448233b2ede1c
-
Filesize
64KB
MD5e76cb04c069b3d121d96526d84eaa596
SHA12181f919f956c75672cb53a658f6c2d956d5cd19
SHA2567c431ad9b6f7ea027c1ccabdf23a3b894e3449c1b6b5fe14755fefd7bb713092
SHA512d03a5bad6349399e90af0fa127c211c905346f6660334532ed7945eb93582169f608719228882ace9691fd5e41807b27cc9b3a81c4dc105fea29c55f45f5b20a
-
Filesize
1.8MB
MD5996c2b1fb60f980ea6618aeefbe4cebf
SHA1a8553f7f723132a1d35f7a57cae1a2e267cbc2ac
SHA256f91c0a4753cdb98cce0ade020917fdefe7a8daf88d23b4c07595de741402ca50
SHA5124af8fb921a332c5ac3d43b85bc23c859e431702e00852537bf1831c7af8b990d880808d044a1317873c77fbdecb1af7c97bed9edd9e2185bcbfa390c463f9056
-
Filesize
128KB
MD5f07ffc94cd213aba6744c5af7a43924b
SHA1c1dbfd9ac5a8e58f013ce8a64c77a943f492b544
SHA25628d5437ba0fbeb62913b396b10f0fbf9f149b138beb3376390b31531dd95c9de
SHA512bb951e2462a5c0c280ffcb0f0b8f80aa6094c0e5c51586db2ecd0813504f4f18ad49ac87742a35f7f06a477a2909f0245e0bd194e22bad1de42add8dda9b5639
-
Filesize
2.6MB
MD5c85a0e07782538a2be776b42ae50f843
SHA14a09a7acb4dfcdd6e94ae13c6cde67b6f2ad4de9
SHA2560d3d4af4810805d73509a80834dd319b8d5a89c1bba91b7da2f3702b20891442
SHA51294236febfd0773a3d5a8b58e3446c87e2972066578e5ce54a1ec0f6a9be6e648128dd757f66f59eec77e872d7e19b4e76cf53766c70a30d901eca561e872994c
-
Filesize
7.4MB
MD5c69a5cc0b86fc03281a9dca6da35d4f2
SHA150e9988d9024b6e74744ca650ca435a9593234be
SHA256ea4b5d8f1d3051c4e934976334eb6b9933d0787cd438170728801a52a5cebcef
SHA512f095f4ed12ef3ce9602f39bad143a62997ac7bec73c26ebb5c11d6e1f0294ffc4f6c81360fdbce732d997d7ef0cdbddceed82c1ff3eb905d2c546561aace4c42
-
Filesize
159KB
MD5c3f4b01efc18828706bd2d8b09e5e2b7
SHA133f0264b2a4f38c564a2342ecaa5b34df4b7ba2d
SHA2564ff0abeee00d6cd0beb770b57197ddb9d668be070c630a120b90f19a25ede7b2
SHA5128b41be33fb9232139bcd6319b4649e24f5dc0a8114228c4f9b473a4e1c361baa0918d0ab998fd679bc9357098961f48bec37d8b69e3b78677951d4995b2817db
-
Filesize
1.8MB
MD51f2075eafec0c5327118290b68666531
SHA10e12d995b602f9aac7dd3558f01c32d68a8ac1ce
SHA256d1c60eb9343d583dbe9fca64e97f481368187d7927f8a8a60bddcfe092d526c3
SHA512e4113ed594d23c21e20111007e8dd025eb16e86f64e50e5f02cc6b075e8cb180a2aba3b5e6529729332c8f53e0392e46d1a769cc2add53a2c41e4a4c34673723
-
Filesize
6.5MB
MD5d8475e3eb1b8088c1b747799b20802be
SHA127727b8406dd18ae5ddc347257eac438f1dc08c2
SHA25640201bb18c81921d55236144105f37012832f6e321f41f5f48f7469420df0990
SHA51227bc79e9633f19f92efb72ae5e11603fe2ae0587cf532188b2bb8f2351123167556faf4ea347f0a394c6f3ab0d98374b9f9d7cecb4aa491117415fb9eed70726
-
Filesize
2.8MB
MD5b0fb18cfcac1983582e7fd67b2843ce8
SHA1ca29cf7cee80be38c5d667d5e8c00e6ea11b3294
SHA2564132c2587cfe85b944d95835d8d0bf92a08a0f831ea26a45c826146048347f45
SHA5124d9e1b14ef1a8adc15d38846c0a4e1d762e76fd944c76621ef6ac3a8482d14e40cfd4d7a14853d7a99cca2a99aa438eba996e842f1172f5f9a8f34ba1d97daf9
-
Filesize
554KB
MD5a1b5ee1b9649ab629a7ac257e2392f8d
SHA1dc1b14b6d57589440fb3021c9e06a3e3191968dc
SHA2562bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65
SHA51250ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b
-
Filesize
3.1MB
MD5e2db24dba48048a90b9a775a6050f4f5
SHA19c067bdfaf89d2255419ce0e3f6dc23d56fd8a7e
SHA25606b4dede30c5f402559c61459e745e0d86d988ae00728cb3a7d55945c92dffdc
SHA512e723c6ffbf8d71a7ae2fd2da4e78d2ab826d2d786ed97490129c6f56d60edb2b33b75969e4310017a1fe587a6141881160170a0d8ed5f147631a144b849e61dd
-
Filesize
3.3MB
MD57571d61af43d8b0d3614154c847f952a
SHA174751bbebcff1055fcba0382cbfb562ef6b7099c
SHA256d9ba761ab2cf8fdb2e6a5924eacff211760891abe53ab66619657ed360e9764a
SHA5129a02d917acf8ad1fdb6f4f57ef92bbccb113beaeaf7d7f9d4db2c74052d8c32940f38349b35394fda3e85d6df40fad8068fc3381d66ee172543ba67f591974c1
-
Filesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
Filesize
159KB
MD540ac385cf9b62d322c623662e2d65ce8
SHA17c2e8e708e64f36887219f4b8ecdc42d343708da
SHA2566261701bb08cb6856cd5ffa25af5e08efe9645c410ddfd5a030602b0646411e8
SHA512df6dc71e3c3c68380fd96e3ef5b3536a5bce31a49af66fb8f06231449980d605e8530e313098efcc1982b63069cefd7a4a85c5a5968eb0a1a2905253fce4764b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5227fd64f50b04b6ec34c29a97ffeb327
SHA198da522f8943b88dd75568ed7eaa93dd79ec2fe5
SHA256461fa725982955c29b92645e293c543c2255d3f0bb9c131ca9194f74008bea2e
SHA512b30179e355275163911bc670cb485292e631ed1df451691f9fa06629cbc54e85645b441d3d7a91a0377f8c613f430c6b4c4d9447d04937c54854ec6db4c6d81c
-
Filesize
896KB
MD5909cc21ca77aa84e90637926823577f4
SHA168a104ee3641a29e53e03533bb9ca7c3b32e9cc3
SHA2560a10223f76ff767f6dda39493d1f8d94c53e01c03e5e0c8669865bf32ead78d6
SHA5121b596d8603cb10bf87ce266346e43b1e9d8f0eaa78256314542c923d05c9d6eea2082f2ce40649170961a3519f16530908d1d4fffd13535cfe5494b785e15709
-
Filesize
92KB
MD582727ca228f125c6c472807a15c3402c
SHA19562c5f8c68309c2d660cd445e9f364edce93b8f
SHA256b2aa7c525764660b70c53bacdda9f334017db0b44c2abffa31621fa682bfb833
SHA51261a2ccae65cf18f6e1c29f1df72b341cdc272078a236d9db5223e024d8acc57f48d8f664f6a747223297e91715578fb9e311fbe42f03c529b85f4111cbf3d900
-
Filesize
112KB
MD59cf0b730c84728d555a21f9639e36b6d
SHA131b7bed8d5606241ea2fae3a99be20ad9a74fad7
SHA256002b1a9bee320aa70d416b1d264b77a021b03f57c68454ef805e885627fb5ba9
SHA5128444c3afac9d7755ccc3fc7e1a42d3e1ed890cf69255c1bf0720b36e1f8f30ca25150d7ae566cb5f7123fe0fef081cf359cc1e138234a8c293c4b8c47284d43e
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
122KB
MD56231b452e676ade27ca0ceb3a3cf874a
SHA1f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1
SHA2569941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf
SHA512f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c
-
Filesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
Filesize
1.1MB
MD5fd17bf7b07fc556a1748e9aafed3a89f
SHA1ba458f77410c2cd7644bb5a6f37d88ed86ebdfcf
SHA256e649e0c94651f1201d50828cc7598eebf21dbae67631308b412febb3c9dbf9f6
SHA51253a3975029e7788acab6242527a9f056b98e246c72a88eb440cf1407b96c86ef6781fffe0bf441d3d25521be3577ef7c87218ffb42b9aae49453861854fda3c4
-
Filesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
832KB
MD563609258b213e16c70bef1ca7bedf907
SHA16ef1504255f3d2880e44f50e3f77aac4f4ef242a
SHA256943e96a3617079e6f01ee232269ee57afca170b338a5f9e00b177420b55851ed
SHA512cfe0b153260f459ad5bcd1aa95d468ef93178da50c09885338baeecd232b21324197bc8680be3aab066b365c0e375e39505fcf463686a1acda9bdd8fed5348ec
-
Filesize
296KB
MD528f30e43da4c45f023b546fc871a12ea
SHA1ab063bbb313b75320f4335a8cd878f7a02e5f91c
SHA2561e246855bc5d7648a3425771faa304d08ce84496a3afa7a023937ac41d381c6b
SHA512559099480bc8518f740249b096c123bc5dfb9dc0126d1c681f4e650329cfb4383754ec8a307057f24b2692c36f4fa8e90b5b5d2debe1061e1ece27a7b26335b4
-
Filesize
278KB
MD5ea1279a3e9e0c0d6ef4fb266f153e734
SHA15aeef1a7233ff1dccfbdf6d24bccdd29eb4fa96c
SHA2569c38ecba653de6a28945eefb0d85def795dd25678d81c717b79fb00a07b70ad8
SHA512e52e2233c285d918774fb9b3f01258ab070da9500e7568458c7362adcb0755b9a2b0a3df073d6c6a864df962c7556bb07c85d323dab951b8279f9c3fbf7aea29