Analysis
-
max time kernel
299s -
max time network
299s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
01-05-2024 23:03
Static task
static1
Behavioral task
behavioral1
Sample
4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe
Resource
win10-20240404-en
General
-
Target
4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe
-
Size
1.8MB
-
MD5
b7f0c6b555edf8d1f5afce5984f1a104
-
SHA1
47f76e4001898764b207ef278c388d819bed0951
-
SHA256
4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94
-
SHA512
b7f8e6e6cfe63cb3d3317c4e0847dda3e5844f144b86671fbe34234dd4b45eda6fbfcea34f129b6e2f4c88c3445fdc965b503ca645abcbce68952960930939e1
-
SSDEEP
49152:R3/bnbOKjNxk7gYTrR86fvtsZZecPKlMW+:Rjnb/MgUd8QqZcG
Malware Config
Extracted
amadey
4.20
http://193.233.132.139
-
install_dir
5454e6f062
-
install_file
explorta.exe
-
strings_key
c7a869c5ba1d72480093ec207994e2bf
-
url_paths
/sev56rkm/index.php
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
redline
Test1234
185.215.113.67:26260
Extracted
stealc
http://52.143.157.84
-
url_path
/c73eed764cc59dcb.php
Extracted
risepro
147.45.47.93:58709
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
lumma
https://affordcharmcropwo.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
https://dismissalcylinderhostw.shop/api
https://diskretainvigorousiw.shop/api
https://communicationgenerwo.shop/api
https://pillowbrocccolipe.shop/api
https://productivelookewr.shop/api
https://incredibleextedwj.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Signatures
-
Detect ZGRat V1 6 IoCs
resource yara_rule behavioral2/memory/5812-470-0x0000000000400000-0x0000000000592000-memory.dmp family_zgrat_v1 behavioral2/files/0x000900000001ac46-478.dat family_zgrat_v1 behavioral2/memory/5440-500-0x0000000000460000-0x0000000000520000-memory.dmp family_zgrat_v1 behavioral2/memory/4744-1256-0x000001F32F080000-0x000001F332978000-memory.dmp family_zgrat_v1 behavioral2/memory/4744-1260-0x000001F34D1F0000-0x000001F34D300000-memory.dmp family_zgrat_v1 behavioral2/memory/4744-1264-0x000001F34CEE0000-0x000001F34CF04000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource yara_rule behavioral2/files/0x000700000001ac14-159.dat family_redline behavioral2/memory/600-167-0x0000000000520000-0x0000000000572000-memory.dmp family_redline behavioral2/files/0x000900000001ac46-478.dat family_redline behavioral2/memory/5416-480-0x0000000000F50000-0x0000000000FA2000-memory.dmp family_redline behavioral2/files/0x000900000001ac3f-479.dat family_redline behavioral2/memory/5440-500-0x0000000000460000-0x0000000000520000-memory.dmp family_redline -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 92f880c3ee.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 106 6096 rundll32.exe 137 1600 rundll32.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 6892 netsh.exe -
Checks BIOS information in registry 2 TTPs 30 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 92f880c3ee.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 92f880c3ee.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation jok.exe -
Executes dropped EXE 44 IoCs
pid Process 3424 explorta.exe 2140 amert.exe 4480 explorha.exe 4672 92f880c3ee.exe 2036 swiiiii.exe 3732 5048d8fe87.exe 2604 NewB.exe 4464 ISetup8.exe 600 jok.exe 3532 swiiii.exe 4748 toolspub1.exe 5536 file300un.exe 5652 4767d2e713f2021e8fe856e3ea638b58.exe 5848 jfesawdr.exe 6000 work.exe 2896 gold.exe 5248 podaw.exe 5280 explorha.exe 5288 explorta.exe 5824 alexxxxxxxx.exe 5836 NewB.exe 5416 keks.exe 5440 trf.exe 2640 svrht.exe 5124 u3g0.0.exe 6108 run.exe 5532 4767d2e713f2021e8fe856e3ea638b58.exe 1652 u3g0.3.exe 5220 explorha.exe 5196 explorta.exe 4464 NewB.exe 6700 csrss.exe 6796 injector.exe 4640 windefender.exe 3404 windefender.exe 5492 explorha.exe 6172 explorta.exe 6572 NewB.exe 7112 explorta.exe 5172 explorha.exe 6820 NewB.exe 6508 explorha.exe 6504 explorta.exe 6888 NewB.exe -
Identifies Wine through registry keys 2 TTPs 15 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine 4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorta.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine amert.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorta.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorta.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine 92f880c3ee.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorta.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorta.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorta.exe Key opened \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Wine explorha.exe -
Loads dropped DLL 8 IoCs
pid Process 6068 rundll32.exe 6096 rundll32.exe 1600 rundll32.exe 6108 run.exe 5124 u3g0.0.exe 5124 u3g0.0.exe 2640 svrht.exe 2640 svrht.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000800000001ac3f-354.dat vmprotect behavioral2/memory/5248-361-0x0000000000130000-0x0000000000A21000-memory.dmp vmprotect -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\92f880c3ee.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\92f880c3ee.exe" explorta.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\5048d8fe87.exe = "C:\\Users\\Admin\\1000021002\\5048d8fe87.exe" explorta.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x000700000001abf9-80.dat autoit_exe -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
pid Process 4812 4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe 3424 explorta.exe 2140 amert.exe 4480 explorha.exe 4672 92f880c3ee.exe 5280 explorha.exe 5288 explorta.exe 5220 explorha.exe 5196 explorta.exe 5492 explorha.exe 6172 explorta.exe 7112 explorta.exe 5172 explorha.exe 6504 explorta.exe 6508 explorha.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 2036 set thread context of 2360 2036 swiiiii.exe 81 PID 3532 set thread context of 4296 3532 swiiii.exe 104 PID 2896 set thread context of 5340 2896 gold.exe 122 PID 5824 set thread context of 5812 5824 alexxxxxxxx.exe 131 PID 6108 set thread context of 5396 6108 run.exe 156 PID 5396 set thread context of 6096 5396 cmd.exe 169 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 4767d2e713f2021e8fe856e3ea638b58.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\Tasks\explorha.job amert.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\rss 4767d2e713f2021e8fe856e3ea638b58.exe File created C:\Windows\rss\csrss.exe 4767d2e713f2021e8fe856e3ea638b58.exe File created C:\Windows\windefender.exe csrss.exe File created C:\Windows\Tasks\explorta.job 4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe File opened for modification C:\Windows\windefender.exe csrss.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1380 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid pid_target Process procid_target 4332 2036 WerFault.exe 78 5324 2896 WerFault.exe 120 5928 5824 WerFault.exe 129 5744 4748 WerFault.exe 103 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u3g0.3.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u3g0.3.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u3g0.3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svrht.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u3g0.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u3g0.0.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svrht.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 7064 schtasks.exe 1268 schtasks.exe 5900 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-492 = "India Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" 4767d2e713f2021e8fe856e3ea638b58.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "420766757" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d389d4dd1b9cda01 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 92b0bcf31b9cda01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f8c9dce31b9cda01 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 07fedbf81b9cda01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d07bcee31b9cda01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdge.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 jok.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 jok.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4812 4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe 4812 4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe 3424 explorta.exe 3424 explorta.exe 2140 amert.exe 2140 amert.exe 4480 explorha.exe 4480 explorha.exe 4672 92f880c3ee.exe 4672 92f880c3ee.exe 4060 chrome.exe 4060 chrome.exe 6096 rundll32.exe 6096 rundll32.exe 6096 rundll32.exe 6096 rundll32.exe 6096 rundll32.exe 6096 rundll32.exe 6096 rundll32.exe 6096 rundll32.exe 6096 rundll32.exe 6096 rundll32.exe 5248 podaw.exe 5248 podaw.exe 5428 powershell.exe 5428 powershell.exe 5428 powershell.exe 5428 powershell.exe 5280 explorha.exe 5280 explorha.exe 5288 explorta.exe 5288 explorta.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 600 jok.exe 5440 trf.exe 5440 trf.exe 5440 trf.exe 5440 trf.exe 5416 keks.exe 5416 keks.exe 5416 keks.exe 5416 keks.exe 5416 keks.exe 5416 keks.exe 5912 powershell.exe 5912 powershell.exe 5912 powershell.exe 5912 powershell.exe -
Suspicious behavior: MapViewOfSection 9 IoCs
pid Process 3128 MicrosoftEdgeCP.exe 3128 MicrosoftEdgeCP.exe 3128 MicrosoftEdgeCP.exe 3128 MicrosoftEdgeCP.exe 3128 MicrosoftEdgeCP.exe 3128 MicrosoftEdgeCP.exe 6108 run.exe 5396 cmd.exe 5396 cmd.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeDebugPrivilege 5536 file300un.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeDebugPrivilege 5428 powershell.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeDebugPrivilege 5440 trf.exe Token: SeDebugPrivilege 600 jok.exe Token: SeShutdownPrivilege 4060 chrome.exe Token: SeCreatePagefilePrivilege 4060 chrome.exe Token: SeDebugPrivilege 6024 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 6024 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 6024 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 6024 MicrosoftEdgeCP.exe Token: SeBackupPrivilege 5440 trf.exe Token: SeSecurityPrivilege 5440 trf.exe Token: SeSecurityPrivilege 5440 trf.exe Token: SeSecurityPrivilege 5440 trf.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3732 5048d8fe87.exe 3732 5048d8fe87.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 4060 chrome.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3732 5048d8fe87.exe 3732 5048d8fe87.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 4060 chrome.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 3732 5048d8fe87.exe 1652 u3g0.3.exe 1652 u3g0.3.exe 1652 u3g0.3.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 3648 MicrosoftEdge.exe 3128 MicrosoftEdgeCP.exe 6024 MicrosoftEdgeCP.exe 3128 MicrosoftEdgeCP.exe 6108 run.exe 6108 run.exe 6096 MSBuild.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4812 wrote to memory of 3424 4812 4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe 73 PID 4812 wrote to memory of 3424 4812 4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe 73 PID 4812 wrote to memory of 3424 4812 4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe 73 PID 3424 wrote to memory of 5096 3424 explorta.exe 74 PID 3424 wrote to memory of 5096 3424 explorta.exe 74 PID 3424 wrote to memory of 5096 3424 explorta.exe 74 PID 3424 wrote to memory of 2140 3424 explorta.exe 75 PID 3424 wrote to memory of 2140 3424 explorta.exe 75 PID 3424 wrote to memory of 2140 3424 explorta.exe 75 PID 2140 wrote to memory of 4480 2140 amert.exe 76 PID 2140 wrote to memory of 4480 2140 amert.exe 76 PID 2140 wrote to memory of 4480 2140 amert.exe 76 PID 3424 wrote to memory of 4672 3424 explorta.exe 77 PID 3424 wrote to memory of 4672 3424 explorta.exe 77 PID 3424 wrote to memory of 4672 3424 explorta.exe 77 PID 4480 wrote to memory of 2036 4480 explorha.exe 78 PID 4480 wrote to memory of 2036 4480 explorha.exe 78 PID 4480 wrote to memory of 2036 4480 explorha.exe 78 PID 3424 wrote to memory of 3732 3424 explorta.exe 80 PID 3424 wrote to memory of 3732 3424 explorta.exe 80 PID 3424 wrote to memory of 3732 3424 explorta.exe 80 PID 2036 wrote to memory of 2360 2036 swiiiii.exe 81 PID 2036 wrote to memory of 2360 2036 swiiiii.exe 81 PID 2036 wrote to memory of 2360 2036 swiiiii.exe 81 PID 2036 wrote to memory of 2360 2036 swiiiii.exe 81 PID 2036 wrote to memory of 2360 2036 swiiiii.exe 81 PID 2036 wrote to memory of 2360 2036 swiiiii.exe 81 PID 2036 wrote to memory of 2360 2036 swiiiii.exe 81 PID 2036 wrote to memory of 2360 2036 swiiiii.exe 81 PID 2036 wrote to memory of 2360 2036 swiiiii.exe 81 PID 3732 wrote to memory of 4060 3732 5048d8fe87.exe 82 PID 3732 wrote to memory of 4060 3732 5048d8fe87.exe 82 PID 4060 wrote to memory of 4024 4060 chrome.exe 84 PID 4060 wrote to memory of 4024 4060 chrome.exe 84 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 PID 4060 wrote to memory of 2012 4060 chrome.exe 88 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe"C:\Users\Admin\AppData\Local\Temp\4a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"3⤵PID:5096
-
-
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:2360
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 8366⤵
- Program crash
PID:4332
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exe"5⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exe" /F6⤵
- Creates scheduled task(s)
PID:1268
-
-
C:\Users\Admin\AppData\Local\Temp\1000231001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000231001\ISetup8.exe"6⤵
- Executes dropped EXE
PID:4464 -
C:\Users\Admin\AppData\Local\Temp\u3g0.0.exe"C:\Users\Admin\AppData\Local\Temp\u3g0.0.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5124
-
-
C:\Users\Admin\AppData\Local\Temp\u3g0.2\run.exe"C:\Users\Admin\AppData\Local\Temp\u3g0.2\run.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5396 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe9⤵
- Suspicious use of SetWindowsHookEx
PID:6096
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\u3g0.3.exe"C:\Users\Admin\AppData\Local\Temp\u3g0.3.exe"7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:1652 -
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD18⤵PID:4744
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000232001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000232001\toolspub1.exe"6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4748 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 4927⤵
- Program crash
PID:5744
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe"6⤵
- Executes dropped EXE
PID:5652 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5912
-
-
C:\Users\Admin\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000233001\4767d2e713f2021e8fe856e3ea638b58.exe"7⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5532 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1328
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"8⤵PID:6852
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes9⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:6892
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6928
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6844
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe8⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:6700 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6060
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F9⤵
- Creates scheduled task(s)
PID:5900
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f9⤵PID:6904
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6876
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6828
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll9⤵
- Executes dropped EXE
PID:6796
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F9⤵
- Creates scheduled task(s)
PID:7064
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"9⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)10⤵PID:5288
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)11⤵
- Launches sc.exe
PID:1380
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:600 -
C:\Users\Admin\AppData\Local\Temp\svrht.exe"C:\Users\Admin\AppData\Local\Temp\svrht.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2640
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3532 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:4776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Checks processor information in registry
PID:4296
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5536
-
-
C:\Users\Admin\AppData\Local\Temp\1000077001\jfesawdr.exe"C:\Users\Admin\AppData\Local\Temp\1000077001\jfesawdr.exe"5⤵
- Executes dropped EXE
PID:5848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "6⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exework.exe -priverdD7⤵
- Executes dropped EXE
PID:6000 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5248
-
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Loads dropped DLL
PID:6068 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:6096 -
C:\Windows\system32\netsh.exenetsh wlan show profiles7⤵PID:5136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\699363923187_Desktop.zip' -CompressionLevel Optimal7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5428
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2896 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:5340
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 5166⤵
- Program crash
PID:5324
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1600
-
-
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5824 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:5812
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5440
-
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5416
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"7⤵PID:5760
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 38⤵PID:4396
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 5046⤵
- Program crash
PID:5928
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\92f880c3ee.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\92f880c3ee.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4672
-
-
C:\Users\Admin\1000021002\5048d8fe87.exe"C:\Users\Admin\1000021002\5048d8fe87.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffedcc9758,0x7fffedcc9768,0x7fffedcc97785⤵PID:4024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1544 --field-trial-handle=2332,i,4042295981124441331,588989322558019200,131072 /prefetch:25⤵PID:2012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=2332,i,4042295981124441331,588989322558019200,131072 /prefetch:85⤵PID:4660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1868 --field-trial-handle=2332,i,4042295981124441331,588989322558019200,131072 /prefetch:85⤵PID:4068
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=2332,i,4042295981124441331,588989322558019200,131072 /prefetch:15⤵PID:3404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=2332,i,4042295981124441331,588989322558019200,131072 /prefetch:15⤵PID:4812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4424 --field-trial-handle=2332,i,4042295981124441331,588989322558019200,131072 /prefetch:15⤵PID:4560
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=2332,i,4042295981124441331,588989322558019200,131072 /prefetch:85⤵PID:5236
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=2332,i,4042295981124441331,588989322558019200,131072 /prefetch:85⤵PID:5244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=2332,i,4042295981124441331,588989322558019200,131072 /prefetch:85⤵PID:5360
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5288
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5280
-
C:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exe1⤵
- Executes dropped EXE
PID:5836
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3648
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5316
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3128
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6024
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1212
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5312
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:4636
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:4980
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:1432
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:5952
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:5760
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5220
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5196
-
C:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exe1⤵
- Executes dropped EXE
PID:4464
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3404
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6172
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5492
-
C:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exe1⤵
- Executes dropped EXE
PID:6572
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7112
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5172
-
C:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exe1⤵
- Executes dropped EXE
PID:6820
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6504
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6508
-
C:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000069001\NewB.exe1⤵
- Executes dropped EXE
PID:6888
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
1.3MB
MD50d1c2c993512d32978fe538f3938d72e
SHA1df667af1bc0858f20fb6063f7b1df4ddfc2dce2e
SHA25631a54990d290ea57bed002b0e821e4c51ee96fff05c0b6e1dd6e488c521cd446
SHA51271521917a6c174b2b5cc818fe99656dc354dadb11f1575470037ce44d49925b0a283fdfe13c15ea0c4935fbcfe9a6623bd76026713899b02ab5c92c34f51807f
-
Filesize
970KB
MD597d40f921b940fa818c789f577e69887
SHA1292eca517d9a773d061df942e80babff85a6fc5b
SHA2569a7ee0296c2ffd3019df99bd410a64c3f1912232c33660c679544bbfaa11e68b
SHA512142cdce699b8b8c8a5076fbe755acc6081af851c534dc2d67c27942b6e546ec051dfb7ffd63794fdbc6670268c7d2b15ab2eb1fd99114ce4c73fa4c14a9a5acd
-
Filesize
92KB
MD555d8864e58f075cbe2dbd43a1b2908a9
SHA10d7129d95fa2ddb7fde828b22441dc53dffc5594
SHA256e4e07f45a83a87aff5e7f99528464abaad495499e9e2e3e0fcd5897819f88581
SHA51289ce123d2685448826f76dce25292b2d2d525efd8b78fd9235d1e357ad7ae2d4b3461ef903e2994cd2b8e28f56b0cc50137dd90accdd3f281472e488f6c7cf2e
-
Filesize
1.0MB
MD5ac2cba4d1c49c8dd20123cf2ab9f36b6
SHA18c3737b67289e624e6b844d71b57050a8eab0230
SHA25687e1d160dcc62f1ea7bf9a93c660263e1d3cb52bd14fc23855c1601b9bd848af
SHA5120167c5926671a5c1fc0bae503a0a5b2cbf285af46e5b8cab9e291db13835ddd6a07036f5ace40e3020ac40d47a8622687a38d2e1bac868e8ee747eba6a1fec11
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.1MB
MD50c9f4a1781dfe8a2e969e56b913a6140
SHA1f9023a60deb493938af0f693ff01767e5498cf4c
SHA2564f547822854b13ee46adafb4f03b690ff891031e2391f31bb945baa0db58ac65
SHA5124b012d026587e69e2aad0e85d3b9cf51973f0ab6e52cb17e0cbd5f4144f9d57409befcfc5fbadeda78029c87b15381e4bff5aa84b8efbfdb0c21777f98bba1dd
-
Filesize
216B
MD5ea434d313c8e97a557c987fea4938e3f
SHA155ba8c8404bf49a42a7a391cd7915013ef16a731
SHA256cb85ec4d78881ce4627c9781c2ee3ac6578c0e4c60fccd848a3471e4b51cd775
SHA512fa4e2cebf0dc44ac6ba3c1077b7876a5e4162899ba031706ea37a1191913c947590bbb4605508a9e14deeb7cf981e893a7fcbf93d15d53809f62de0ce2568676
-
Filesize
707B
MD50907170db6740099f0ae1ba182fdb92b
SHA1afc451fa31ef6d583965c6cfa2087b39ffa5bd51
SHA2562295ba413e5f349bd6e0bd20ce2390ebbc93029141848a75fbbdc636c75cdae8
SHA5121d8cb188f6fee6e87cd61ae2aca57e44177bfee920d5c6562ecd0e5cfc376974cfa935f8c31da2da1f5cd24a2fc58c6dffaf0f9609d88fed09bac1f73308ddb3
-
Filesize
6KB
MD567c6ba3f1ae373e7b074346d6f3e08f2
SHA1c24daf25dd5fd900bd2f0537cf7335dd78a02f13
SHA256ce48916836b8a41928c49de8d0c0bb76a99909108a16fd3f04a58182deac2886
SHA512bfb205816c0d919248be9de9a23b36be954c0dc95f1367e108ef55860d5681314a8aa2585a40149220c11a9e3b053f83dd0ca4d199174c8421bcb8d39b5ed72d
-
Filesize
12KB
MD5e1b0ec2cfd58a9f40851e626ac4b56fd
SHA150547e310879858415be428803c618e7146c2288
SHA256443771d1938900e56d548b2a7dfc91bd828551bd541dede0e6fe0d2311515562
SHA512b5603f7d8d67cc4b53415c0cc17aef3f2c75ed790a483ffc43ef8478f3a5f1eed878587420a15a2f6c9b516f79447539c9768b351f081d970fb440d9a279459b
-
Filesize
272KB
MD5d4b2e0fc3de12160ab2bc11a24cde840
SHA1c23edaacbdc0caf7d66cc3e7e084276a383249d5
SHA25657b6b7bd9e9c2557c278770abc9cc0eeb9514b45be8c33ef1951034df2818303
SHA51217a51dc0ddb1db3d56b96172299da56491a0bfde5c2825fa8c2c93a96be2935adbd92e5ea793d93f0fa4d61973c66cc8f7f78781b98e2f4c3f8425dde84b45ce
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\CA6891RA\suggestions[1].en-US
Filesize17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\JP474AK4\favicon[2].png
Filesize2KB
MD518c023bc439b446f91bf942270882422
SHA1768d59e3085976dba252232a65a4af562675f782
SHA256e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482
SHA512a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735
-
Filesize
1.8MB
MD5ded748a2dc4c933ef3cdd0e5f229473f
SHA1537dc8c0d89f435016a1f51ce1eb92a80708d008
SHA256d22051811029da582348dbb0a166d9b5bb27eac5a2c0e45e067cdb279c09e24e
SHA512d6996308e86d2b0464b165274025b68c59b38b5557cce2db942a37d566f0e5a5fae30ea1cd8f121071e5c5a974cf4a8916699e1652b3cc0f4acaef6f16df6dc1
-
Filesize
2.3MB
MD5e8dcc58adb90bf7961a7d870ea702230
SHA1ab6effa5eaaadaaf9c925ec4515153c5f0074888
SHA2564689092bad6b1ac29d2569679fa463268455c35fce69e6b905b0f2dda011e74c
SHA51287be87b9cc8cbd0020ea499882b35ebbc68cca0aa3e09e2aadd123bde0b137a7e3e4007cc03ee67d5c209659c579a8a442fdd62e4829c78232cea443ae7b2d14
-
Filesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
Filesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
Filesize
392KB
MD5ccc754d02cc1188f0a0477b306539065
SHA18a73b2e84fbdcadfaa98cc325c2222096bdc309b
SHA2562dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38
SHA5126cabd1b19ddd94280528e4c2512e222bacc9bea6806e1df5610ffd3d993f52c4599e65fc7573d3d426e4d6d8c3756244e3e242b55b499796222f971b15ca8e0a
-
Filesize
6.1MB
MD59fb56dd5b5beb0b9c5d0102f22373c0b
SHA15559dc162d09c11c1ed80aedf8e9fa86fd531e4c
SHA256a65b290aa9ebfb82746cf75440c19956169f48d7dcbebafde6996c9b46039539
SHA512ab6c88acddf3350f4da37e20e38fc1bd4ac56433d5320fa071649ddf261cf1b6bb4692b54791e08e47b9e887a87ba5704afde6cb9aa9220c1da7f27c85400a1c
-
Filesize
460KB
MD5b22521fb370921bb5d69bf8deecce59e
SHA13d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA5121f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c
-
Filesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
Filesize
433KB
MD5824300cf5cafbe498e22648c44e24185
SHA1cd42a721c21a774fc5c5419ee790afe0e2077c12
SHA256cc7481436aadeae5a18e3cedc012768e0fd428e9076d1d246ae9faf85266f58c
SHA51249ee87fbe5735d8867b2c90e1684442c00942f8eaa91f03cbad4168d09e5c1c8b7e2369266d106c87c1055c927f57c7ecda2d8986b7154bfad2a2821d6f69176
-
Filesize
260KB
MD5cf2a49424928afff26947ff8ad128f77
SHA18cdf0834e2d1cae732c76e37f6058ebf37e06aa4
SHA25637316eae376e8e8c5281b5016d2ab4a65b0201ed139edef72ac4ba102eaf41cb
SHA5126924ea2c5bcb0a3371405e9bf0d0166d512f839be0310d723b21e1acf8e6e7232857e20af800d1331c38f40bbe27a02c4145e661ed6da350a486ad7f1301ba49
-
Filesize
4.2MB
MD58a3fe4db1e83d59cb6c6645b3c8679bf
SHA150867ff7f9225e23d62929cd63cd586518d34f4e
SHA2565afd9cbe92416d134533742271298245510430fc6b98da57869ffc37344a5ff1
SHA512d24f898852d528c837acdedad77cff1161ecb04a8ce854a442ddc4491dc7ee2be5ffc00c9a141b42950d29bd857492b85eef32715c9ebbda026175a8c075e258
-
Filesize
1.8MB
MD5b7f0c6b555edf8d1f5afce5984f1a104
SHA147f76e4001898764b207ef278c388d819bed0951
SHA2564a8ea5d13abdfd006f58897cbe55773cdc98df31133c1e1ad6ba2b13140e2f94
SHA512b7f8e6e6cfe63cb3d3317c4e0847dda3e5844f144b86671fbe34234dd4b45eda6fbfcea34f129b6e2f4c88c3445fdc965b503ca645abcbce68952960930939e1
-
Filesize
35B
MD5ff59d999beb970447667695ce3273f75
SHA1316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d
-
Filesize
5.8MB
MD58eeea65d388106b4489d07e025e17fed
SHA196651968f724c7daec51e74476403899bc7bf8c2
SHA25669efe73bf8f9669427fb25962d104fb63ae7a4fdb4fb2f0022c7541a72c8a2c3
SHA5121c5966906a89b8e7e83bf382c382e5ece1cf6827e7ba7e4ab4fc0ba0c91284bf398bf4822c53aab250520f7ffde231090a9e44d11493b6be8921899fb6d944d7
-
Filesize
5.5MB
MD5125c7efdef3f11c70b514739b1bab646
SHA1526560d1ff7636ea4f0404eb74f5da68f7eb8e23
SHA2562ca04fad5b8a81264292bb9877cb9c1c9f7a484cd03815ec9bb686ddf70edefa
SHA512e08218e2415a051b9b8b7e6d28e6822341227fc5256f418c22b2b39f6d3d89e763f58b77dbbdfc792f8a8a17870136be5757c736db1c98d3437e76500f768261
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
3KB
MD5a286f7c0b3d58a819d35032ad0bb9121
SHA127f1ab8d87f854b88732f599dcb71576e5e653a1
SHA2566f39e99ed33fe17d8a45bb37584a901b2497807d175b098a6a6bf661c01c3a78
SHA51282e0b289e8d717f197ef3532a8ee6e616e32ce82feba4891b38cbb466a5d129aac8f74df61df910da568b7fe97d91baa24f26ec1992e924c8e2c586a5433b426
-
Filesize
346KB
MD5f42bdef761c1ca4496542cdc8024073e
SHA15990c707a5bf75f76eb84aedaca381d854c4fbf9
SHA256f09c622512228d56ad3555f21d6ae45549a8d25847c81385c081e5d6bfd9d813
SHA51241fa338c987676883c29b9911459a3eb38b4cd21b16da4971945a5accc000d72c5aae4175982a4209526d103b5b3d29b8505346af444677aa8ae605300ce1b1b
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
289KB
MD5652681cfc42cc05b4812c914e4f02ba9
SHA139118acf00963bb2b9bafc13072cc4a3f6ce9c48
SHA2567d417991d6a5a0d30421d721168db76c170c4a022c53a5deece2fd9d072e4246
SHA51210dc092ec21e06efbbfa6e0fc5d286c272160d71430f3facf2c5c15f264965c052a5dac3bc516c3d514c372ca77e8f9bac9a86ffa28b8f59c4c60510ff9af0b6
-
Filesize
3.7MB
MD578d3ca6355c93c72b494bb6a498bf639
SHA12fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA5121b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea
-
Filesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
Filesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
Filesize
2KB
MD5bbd926e228027517d5c6176c85a68569
SHA1ba334fd2111fe358cc710598cc23a28c680beecf
SHA2561a7def19519d17495270381b82f955f870ec38e4e9c8835dc59d2edf2572b865
SHA5127a0f9a22fe40acdb41f6524d7a0c70c81fbe79170cb2016153c90aba05924bc0963f59d0eee77917c39b77b7355ef4e41ca9807d070649d55fec55f48ca29044
-
Filesize
2KB
MD50bec956918559002fc1b8e16decd87ed
SHA1a44676aacf97442a5e361f25a217440e0c416613
SHA2565dfcc41af9821d7d22151155f04904fce08c103200f6acc165e5debb33489de4
SHA5124e7594359d6b2dde6f352bc40930f8a25a288f79887785a394b4859ae85f31edaafee957d59b56fc661f257e05af5c8bec110c831a11cf24ec472062e691e908