Resubmissions
05-09-2024 21:46
240905-1m3eps1cqc  score 10  05-09-2024 21:46
240905-1ml3qa1cpb  score 3   05-09-2024 21:44
240905-1lhc5s1cle  score 8

Analysis
max time kernel: 216s
max time network: 281s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-09-2024 21:46
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.kinglinkdubai.com/wp-content/upgrade/appget7854.7z
Resource: win10v2004-20240802-en
General
Target: https://www.kinglinkdubai.com/wp-content/upgrade/appget7854.7z

Malware Config

Extracted
Family: redline
Botnet: deepweb
C2: 91.92.253.107:1334

Extracted
Family: vidar
C2:
  https://t.me/edm0d
  https://steamcommunity.com/profiles/
  http://147.45.68.138:80
  https://steamcommunity.com/profiles/76561199768374681
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted
Family: stealc
Botnet: w9
C2: http://45.152.113.10
url_path: /92335b4816f77e90.php

Extracted
Family: redline
Botnet: LogsDiller Cloud (TG: @logsdillabot)
C2: 147.45.47.36:30035

Extracted
Family: stealc
Botnet: leva
C2: http://185.215.113.100
url_path: /e2b1563c6670f193.php

Extracted
Family: stealc
Botnet: default
C2: http://46.8.231.109
url_path: /c4754d4f680ead72.php
Signatures

Detect Vidar Stealer (8 IoCs)
Processes (resource: yara_rule):
behavioral1/memory/5064-1519-0x0000000000400000-0x0000000000657000-memory.dmp: family_vidar_v7
behavioral1/memory/5064-1521-0x0000000000400000-0x0000000000657000-memory.dmp: family_vidar_v7
behavioral1/memory/5064-1518-0x0000000000400000-0x0000000000657000-memory.dmp: family_vidar_v7
behavioral1/memory/2720-1621-0x0000000000400000-0x0000000000657000-memory.dmp: family_vidar_v7
behavioral1/memory/2720-1618-0x0000000000400000-0x0000000000657000-memory.dmp: family_vidar_v7
behavioral1/memory/2720-1615-0x0000000000400000-0x0000000000657000-memory.dmp: family_vidar_v7
behavioral1/memory/5064-1652-0x0000000000400000-0x0000000000657000-memory.dmp: family_vidar_v7
behavioral1/memory/5064-1665-0x0000000000400000-0x0000000000657000-memory.dmp: family_vidar_v7
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Processes (resource: yara_rule):
behavioral1/memory/5680-1513-0x000002138E390000-0x000002138E3AE000-memory.dmp: family_redline
behavioral1/memory/5204-1539-0x0000000000400000-0x0000000000452000-memory.dmp: family_redline
SectopRAT payload (1 IoC)
Processes (resource: yara_rule):
behavioral1/memory/5680-1513-0x000002138E390000-0x000002138E3AE000-memory.dmp: family_sectoprat
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, the web browser credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (GO_Ca5jjZX5U9lz5BGKy_EPz.exe)
Creates new service(s) (2 TTPs)

Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (GO_Ca5jjZX5U9lz5BGKy_EPz.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (GO_Ca5jjZX5U9lz5BGKy_EPz.exe)
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (ExpressZipFileCompression.exe)
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (nchsetup.exe)
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (expresszip.exe)
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (File.exe)
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (Saudi.pif)
Drops startup file (1 IoC)
Processes:
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk (NNv7GdEIyj1lbxZYaDW6hSt1.exe)
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (33 IoCs)
Processes (pid process):
1344 ExpressZipFileCompression.exe
5732 nchsetup.exe
968 7za32.exe
3916 expresszip.exe
5928 expresszip.exe
5916 7zip.exe
3204 7Zip.exe
3752 7Zip.exe
4036 7Zip.exe
3620 7Zip.exe
5500 7Zip.exe
2600 7Zip.exe
2312 7Zip.exe
5680 File.exe
492 Saudi.pif
5676 Saudi.pif
5412 BTqjSABeCtv8yHb1qPiMJd4R.exe
6064 NNv7GdEIyj1lbxZYaDW6hSt1.exe
5680 zg1EjgBRZE4ayT0vPs1bYUbS.exe
6076 88sS1nw4IvRvGdrWCnRQefiF.exe
5928 y0Xdk2wqDzPmEAKkld_kZo6c.exe
2068 GO_Ca5jjZX5U9lz5BGKy_EPz.exe
5032 pM5ldsIlm71ykYo9JzpWqQyw.exe
1620 RoWB6x1Fod6s5pUNfULGqaqE.exe
4528 XMZ3kL2PX91f3QD1EahBAYbe.exe
2912 5jDTTBRpFtgvvakaZqmADDHa.exe
1944 jHF5e5vmW667jx8oRrYZZBNT.exe
4136 U2ZabmTrcOTszK02TU_UMUrV.exe
3440 wfvYBYSgsCderoIdAxyVCiIf.exe
5640 XMZ3kL2PX91f3QD1EahBAYbe.tmp
5064 BTqjSABeCtv8yHb1qPiMJd4R.exe
3092 NNv7GdEIyj1lbxZYaDW6hSt1.exe
1656 audiocutterjoiner32_64.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Wine (GO_Ca5jjZX5U9lz5BGKy_EPz.exe)
Loads dropped DLL (12 IoCs)
Processes (pid process):
3512 (no process name in the report)
3916 expresszip.exe
3916 expresszip.exe
3916 expresszip.exe
3204 7Zip.exe
3752 7Zip.exe
4036 7Zip.exe
3620 7Zip.exe
5500 7Zip.exe
2600 7Zip.exe
2312 7Zip.exe
5640 XMZ3kL2PX91f3QD1EahBAYbe.tmp
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ExpressZipInstall = "C:\\Users\\Admin\\Downloads\\ExpressZipFileCompression.exe" (nchsetup.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" (NNv7GdEIyj1lbxZYaDW6hSt1.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow ioc):
235 ipinfo.io
219 api64.ipify.org
220 api64.ipify.org
234 ipinfo.io
Power Settings (1 TTP, 12 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes (pid process):
4756 powercfg.exe
2608 powercfg.exe
4220 powercfg.exe
4684 powercfg.exe
3868 powercfg.exe
3856 powercfg.exe
1432 powercfg.exe
2900 powercfg.exe
3068 powercfg.exe
3124 powercfg.exe
5376 powercfg.exe
4800 powercfg.exe
Enumerates processes with tasklist (1 TTP, 2 IoCs)
Processes (pid process):
2120 tasklist.exe
2752 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes (pid process):
2068 GO_Ca5jjZX5U9lz5BGKy_EPz.exe
Suspicious use of SetThreadContext (7 IoCs)
Processes (pid process -> target pid target process):
492 Saudi.pif set thread context of 5676 Saudi.pif
5412 BTqjSABeCtv8yHb1qPiMJd4R.exe set thread context of 5064 BTqjSABeCtv8yHb1qPiMJd4R.exe
5928 y0Xdk2wqDzPmEAKkld_kZo6c.exe set thread context of 5204 RegAsm.exe
6064 NNv7GdEIyj1lbxZYaDW6hSt1.exe set thread context of 3092 NNv7GdEIyj1lbxZYaDW6hSt1.exe
5032 pM5ldsIlm71ykYo9JzpWqQyw.exe set thread context of 5388 RegAsm.exe
4136 U2ZabmTrcOTszK02TU_UMUrV.exe set thread context of 2720 RegAsm.exe
2912 5jDTTBRpFtgvvakaZqmADDHa.exe set thread context of 1524 RegAsm.exe
Drops file in Program Files directory (36 IoCs)
Processes: nchsetup.exe, 7zip.exe, 7za32.exe (36 file-creation entries under C:\Program Files (x86)\NCH Software\)
Drops file in Windows directory (6 IoCs)
Processes:
File opened for modification C:\Windows\SourcesShowing (File.exe)
File opened for modification C:\Windows\BehaviourVibrator (File.exe)
File opened for modification C:\Windows\AtomBoobs (File.exe)
File opened for modification C:\Windows\AntarcticaTucson (File.exe)
File opened for modification C:\Windows\WonderAvailable (File.exe)
File opened for modification C:\Windows\DecreaseHands (File.exe)
Launches sc.exe (4 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes (pid process):
4040 sc.exe
5372 sc.exe
2264 sc.exe
2816 sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (3 IoCs)
Processes (pid process, pid_target target process):
4708 WerFault.exe, target 5024 RegAsm.exe
5956 WerFault.exe, target 2720 RegAsm.exe
3020 WerFault.exe, target 3560 RegAsm.exe
System Location Discovery: System Language Discovery (1 TTP, 38 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of the following processes (38 events): RegAsm.exe, 5jDTTBRpFtgvvakaZqmADDHa.exe, nchsetup.exe, findstr.exe, findstr.exe, cmd.exe, Saudi.pif, RoWB6x1Fod6s5pUNfULGqaqE.exe, BTqjSABeCtv8yHb1qPiMJd4R.exe, audiocutterjoiner32_64.exe, y0Xdk2wqDzPmEAKkld_kZo6c.exe, U2ZabmTrcOTszK02TU_UMUrV.exe, RegAsm.exe, expresszip.exe, expresszip.exe, findstr.exe, Saudi.pif, XMZ3kL2PX91f3QD1EahBAYbe.tmp, RegAsm.exe, ExpressZipFileCompression.exe, cmd.exe, NNv7GdEIyj1lbxZYaDW6hSt1.exe, XMZ3kL2PX91f3QD1EahBAYbe.exe, jHF5e5vmW667jx8oRrYZZBNT.exe, schtasks.exe, File.exe, tasklist.exe, BTqjSABeCtv8yHb1qPiMJd4R.exe, 88sS1nw4IvRvGdrWCnRQefiF.exe, NNv7GdEIyj1lbxZYaDW6hSt1.exe, pM5ldsIlm71ykYo9JzpWqQyw.exe, schtasks.exe, 7za32.exe, tasklist.exe, cmd.exe, choice.exe, GO_Ca5jjZX5U9lz5BGKy_EPz.exe, RegAsm.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (BTqjSABeCtv8yHb1qPiMJd4R.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (BTqjSABeCtv8yHb1qPiMJd4R.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (RegAsm.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (RegAsm.exe)
Delays execution with timeout.exe (1 IoC)
Processes (pid process):
2568 timeout.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class (64 IoCs)
Processes: nchsetup.exe, expresszip.exe (64 registry class entries for NCH ExpressZip file associations and shell handlers)
Processes (root certificate store entries):
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (binary certificate data) (BTqjSABeCtv8yHb1qPiMJd4R.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 (RegAsm.exe)
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (binary certificate data) (RegAsm.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 (BTqjSABeCtv8yHb1qPiMJd4R.exe)
NTFS ADS (2 IoCs)
Processes:
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 640128.crdownload:SmartScreen (msedge.exe)
File created C:\Program Files (x86)\NCH Software\ExpressZip\expresszipsetup_v11.13.exe\:SmartScreen:$DATA (nchsetup.exe)
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid process):
3056 schtasks.exe
4932 schtasks.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
Processes (pid process, number of events):
4596 msedge.exe (2)
1540 msedge.exe (2)
4980 identity_helper.exe (2)
5952 msedge.exe (2)
5336 msedge.exe (2)
3380 msedge.exe (2)
5732 nchsetup.exe (4)
5248 msedge.exe (4)
492 Saudi.pif (10)
2068 GO_Ca5jjZX5U9lz5BGKy_EPz.exe (2)
6076 88sS1nw4IvRvGdrWCnRQefiF.exe (2)
5064 BTqjSABeCtv8yHb1qPiMJd4R.exe (4)
3440 wfvYBYSgsCderoIdAxyVCiIf.exe (2)
5640 XMZ3kL2PX91f3QD1EahBAYbe.tmp (2)
1524 RegAsm.exe (2)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid process):
3916 expresszip.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (28 IoCs)
Processes (pid process, number of events):
1540 msedge.exe (28)
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes (pid process: tokens):
3204 7Zip.exe: SeRestorePrivilege, 35, SeSecurityPrivilege
3752 7Zip.exe: SeRestorePrivilege, 35, SeSecurityPrivilege
4036 7Zip.exe: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
3620 7Zip.exe: SeRestorePrivilege, 35, SeSecurityPrivilege
5500 7Zip.exe: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
2600 7Zip.exe: SeRestorePrivilege, 35, SeSecurityPrivilege
2312 7Zip.exe: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
2120 tasklist.exe: SeDebugPrivilege
2752 tasklist.exe: SeDebugPrivilege
5680 zg1EjgBRZE4ayT0vPs1bYUbS.exe: SeDebugPrivilege
5388 RegAsm.exe: SeDebugPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeSecurityPrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid   process
1540  msedge.exe   (64 identical rows)
Suspicious use of SendNotifyMessage 27 IoCs
Processes:
pid   process
1540  msedge.exe   (24 identical rows)
492   Saudi.pif    (3 identical rows)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
3916  expresszip.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                        pid   process     target process
PID 1540 wrote to memory of 452    1540  msedge.exe  msedge.exe   (2 rows)
PID 1540 wrote to memory of 2908   1540  msedge.exe  msedge.exe   (repeated rows)
PID 1540 wrote to memory of 4596   1540  msedge.exe  msedge.exe   (2 rows)
PID 1540 wrote to memory of 5088   1540  msedge.exe  msedge.exe   (repeated rows)
(64 rows in total, all from msedge.exe PID 1540 into its own child processes)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.kinglinkdubai.com/wp-content/upgrade/appget7854.7z
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1540
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb057346f8,0x7ffb05734708,0x7ffb05734718
  PID: 452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  PID: 2908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  PID: 5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  PID: 4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  PID: 1308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  PID: 5112

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  PID: 2608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  PID: 4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  PID: 3380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  PID: 3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5772 /prefetch:8
  PID: 4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  PID: 872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
  PID: 5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  PID: 5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5088 /prefetch:8
  PID: 5944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5656 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  PID: 5152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  PID: 3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  PID: 5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 5336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  PID: 5900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  PID: 5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
  PID: 3420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  PID: 2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  PID: 2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5584 /prefetch:8
  PID: 6032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 3380
C:\Users\Admin\Downloads\ExpressZipFileCompression.exe (depth 2)
  cmd: "C:\Users\Admin\Downloads\ExpressZipFileCompression.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1344

C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe (depth 3)
  cmd: "C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\Downloads\ExpressZipFileCompression.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID: 5732

C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe (depth 4)
  cmd: "C:\Program Files (x86)\NCH Software\ExpressZip\7za32.exe" -LQUIET -instby fiExpressZip -instsvar EXPRESSZIPRelatedprogramspaidon
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID: 968

C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe (depth 4)
  cmd: "C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 3916

C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe (depth 5)
  cmd: "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-3\7zip.exe" -LQUIET -instby coExpressZip -instsvar EXPRESSZIPRelatedprogramspaidonLLIBInstquickoffLLIBControlonHyenLLIBSpltxtfadeonEXPRESSZIPExtractfontlargeoffEXPRESSZIPIconstextoffEXPRESSZIPTvwatermarkonQvuxTKYgCG5tEXPRESSZIPAddarchtextoffEXPRESSZIPRelocateopenfiletboffEXPRESSZIPToolsencryptv3onEXPRESSZIPToolsemailv2onEXPRESSZIPClouduploadonA6lhN24gEXPRESSZIPSplitsson -instrefdata refdate%3D1725598048%26referrer%3Dhttps%253A%252F%252Fwww.bing.com%252F%26ref%3Dbingads%26ref2%3Dcf5fee8e27ff1f3873c0885401221af2%26ref3%3Dkw%253Dwinzip%2526m%253De%2526d%253Dc%2526c%253D76828563876589%2526ag%253D1668175108%26kw%3Dwinzip%26theme%3D%26pageconfig%3D%26download%3DExpressZipFileCompression%26clientid%3D%26platform%3DWin%26language%3DEN%26browser%3DEdge%26screenwidth%3D0%26screenheight%3D0%26cpucores%3D0%26webvar%3D
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 5916

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe (depth 5)
  cmd: "C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" l -sccutf-8 "C:\Users\Admin\Downloads\appget7854.7z"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 3204

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe (depth 5)
  cmd: "C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" l -sccutf-8 "C:\Users\Admin\Downloads\appget7854.7z"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 3752

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe (depth 5)
  cmd: "C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" x "C:\Users\Admin\Downloads\appget7854.7z" -o"C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\" "fo1der687.7z" -aos
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 4036

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe (depth 5)
  cmd: "C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" l -sccutf-8 "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 3620

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe (depth 5)
  cmd: "C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" t "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z" -p"1234"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 5500

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe (depth 5)
  cmd: "C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" l -sccutf-8 "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z" -p"1234"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2600

C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe (depth 5)
  cmd: "C:\Program Files (x86)\NCH Software\Components\7zip\7Zip.exe" x "C:\Users\Admin\AppData\Local\Temp\ExpressZip-3568-4\fo1der687.7z" -o"C:\Users\Admin\Downloads\appget7854" -r -i@"C:\Users\Admin\AppData\Local\Temp\expresszip7zfilelist.temp.txt" -aos -p"1234"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2312

C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe (depth 4)
  cmd: "C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe" -installsched
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 5928
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3128 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID: 5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  PID: 6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  PID: 836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  PID: 6044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
  PID: 4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  PID: 4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  PID: 4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  PID: 336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  PID: 2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  PID: 468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  PID: 3564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17696145451645092929,2857328909333368708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
  PID: 5332
C:\Windows\System32\CompPkgSrv.exe (depth 1)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 748

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3864

C:\Windows\System32\rundll32.exe (depth 1)
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5756
C:\Users\Admin\Downloads\appget7854\File.exe (depth 1)
  cmd: "C:\Users\Admin\Downloads\appget7854\File.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 5680

C:\Windows\SysWOW64\cmd.exe (depth 2)
  cmd: "C:\Windows\System32\cmd.exe" /k move Desktop Desktop.bat & Desktop.bat & exit
  - System Location Discovery: System Language Discovery
  PID: 5396

C:\Windows\SysWOW64\tasklist.exe (depth 3)
  cmd: tasklist
  - Enumerates processes with tasklist
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2120

C:\Windows\SysWOW64\findstr.exe (depth 3)
  cmd: findstr /I "wrsa opssvc"
  - System Location Discovery: System Language Discovery
  PID: 2660

C:\Windows\SysWOW64\tasklist.exe (depth 3)
  cmd: tasklist
  - Enumerates processes with tasklist
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2752

C:\Windows\SysWOW64\findstr.exe (depth 3)
  cmd: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
  - System Location Discovery: System Language Discovery
  PID: 3636

C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmd: cmd /c md 799275
  - System Location Discovery: System Language Discovery
  PID: 2176

C:\Windows\SysWOW64\findstr.exe (depth 3)
  cmd: findstr /V "TransformationComponentBrideInvasion" Calculate
  - System Location Discovery: System Language Discovery
  PID: 2764

C:\Windows\SysWOW64\cmd.exe (depth 3)
  cmd: cmd /c copy /b ..\Evaluations + ..\Kansas + ..\Monkey + ..\Cookies + ..\Frontpage + ..\Ownership + ..\Thu + ..\Momentum + ..\Nvidia + ..\Kits + ..\Take + ..\Statements + ..\Earlier + ..\Presentations + ..\Runs + ..\Deviant + ..\Indicate + ..\Award + ..\Engineer + ..\Ty + ..\Feb + ..\Ads + ..\Sounds + ..\M + ..\Logan + ..\Pixel + ..\Atm + ..\Ports + ..\Ireland + ..\Chance + ..\Stewart + ..\Puzzle + ..\Milf + ..\Basics + ..\Invitations O
  - System Location Discovery: System Language Discovery
  PID: 1380

C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif (depth 3)
  cmd: Saudi.pif O
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SendNotifyMessage
  PID: 492

C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif (depth 4)
  cmd: C:\Users\Admin\AppData\Local\Temp\799275\Saudi.pif
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 5676

C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe (depth 5)
  cmd: C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 6064

C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe (depth 6)
  cmd: "C:\Users\Admin\Documents\iofolko5\NNv7GdEIyj1lbxZYaDW6hSt1.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID: 3092

C:\Windows\SysWOW64\schtasks.exe (depth 7)
  cmd: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 3056

C:\Windows\SysWOW64\schtasks.exe (depth 7)
  cmd: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4932 -
C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exeC:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5412 -
C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe"C:\Users\Admin\Documents\iofolko5\BTqjSABeCtv8yHb1qPiMJd4R.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:5064 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HCFIIIJJKJKF" & exit7⤵PID:5800
-
C:\Windows\SysWOW64\timeout.exetimeout /t 108⤵
- Delays execution with timeout.exe
PID:2568 -
C:\Users\Admin\Documents\iofolko5\zg1EjgBRZE4ayT0vPs1bYUbS.exeC:\Users\Admin\Documents\iofolko5\zg1EjgBRZE4ayT0vPs1bYUbS.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5680 -
C:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exeC:\Users\Admin\Documents\iofolko5\88sS1nw4IvRvGdrWCnRQefiF.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6076 -
C:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exeC:\Users\Admin\Documents\iofolko5\GO_Ca5jjZX5U9lz5BGKy_EPz.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2068 -
C:\Users\Admin\Documents\iofolko5\y0Xdk2wqDzPmEAKkld_kZo6c.exeC:\Users\Admin\Documents\iofolko5\y0Xdk2wqDzPmEAKkld_kZo6c.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5928 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:5204 -
C:\Users\Admin\Documents\iofolko5\pM5ldsIlm71ykYo9JzpWqQyw.exeC:\Users\Admin\Documents\iofolko5\pM5ldsIlm71ykYo9JzpWqQyw.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5032 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5388 -
C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exeC:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4528 -
C:\Users\Admin\AppData\Local\Temp\is-4UA7E.tmp\XMZ3kL2PX91f3QD1EahBAYbe.tmp"C:\Users\Admin\AppData\Local\Temp\is-4UA7E.tmp\XMZ3kL2PX91f3QD1EahBAYbe.tmp" /SL5="$80352,3387544,54272,C:\Users\Admin\Documents\iofolko5\XMZ3kL2PX91f3QD1EahBAYbe.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5640 -
C:\Users\Admin\AppData\Local\Audio Cutter Joiner\audiocutterjoiner32_64.exe"C:\Users\Admin\AppData\Local\Audio Cutter Joiner\audiocutterjoiner32_64.exe" -i7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Users\Admin\Documents\iofolko5\jHF5e5vmW667jx8oRrYZZBNT.exeC:\Users\Admin\Documents\iofolko5\jHF5e5vmW667jx8oRrYZZBNT.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1944 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"6⤵PID:4136
-
C:\Users\Admin\Documents\iofolko5\RoWB6x1Fod6s5pUNfULGqaqE.exeC:\Users\Admin\Documents\iofolko5\RoWB6x1Fod6s5pUNfULGqaqE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Users\Admin\Documents\iofolko5\5jDTTBRpFtgvvakaZqmADDHa.exeC:\Users\Admin\Documents\iofolko5\5jDTTBRpFtgvvakaZqmADDHa.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1524 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJJECFIECBG.exe"7⤵PID:4068
-
C:\Users\AdminJJECFIECBG.exe"C:\Users\AdminJJECFIECBG.exe"8⤵PID:2852
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"9⤵PID:3560
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 148010⤵
- Program crash
PID:3020 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFCAKFCGCGI.exe"7⤵PID:1812
-
C:\Users\AdminFCAKFCGCGI.exe"C:\Users\AdminFCAKFCGCGI.exe"8⤵PID:5516
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"9⤵PID:5024
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 135210⤵
- Program crash
PID:4708 -
C:\Users\Admin\Documents\iofolko5\wfvYBYSgsCderoIdAxyVCiIf.exeC:\Users\Admin\Documents\iofolko5\wfvYBYSgsCderoIdAxyVCiIf.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3440 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 06⤵
- Power Settings
PID:2608 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 06⤵
- Power Settings
PID:3068 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 06⤵
- Power Settings
PID:4756 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 06⤵
- Power Settings
PID:2900 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "VIFLJRPW"6⤵
- Launches sc.exe
PID:4040 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"6⤵
- Launches sc.exe
PID:5372 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog6⤵
- Launches sc.exe
PID:2264 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "VIFLJRPW"6⤵
- Launches sc.exe
PID:2816 -
C:\Users\Admin\Documents\iofolko5\U2ZabmTrcOTszK02TU_UMUrV.exeC:\Users\Admin\Documents\iofolko5\U2ZabmTrcOTszK02TU_UMUrV.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4136 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 15447⤵
- Program crash
PID:5956 -
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
PID:3868
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5488
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x344 0x4741⤵PID:1776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5024 -ip 50241⤵PID:3464
-
C:\ProgramData\xprfjygruytr\etzpikspwykg.exeC:\ProgramData\xprfjygruytr\etzpikspwykg.exe1⤵PID:1788
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:3124 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:4684 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
PID:4220 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:5376 -
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:3032
-
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe"C:\ProgramData\xprfjygruytr\etzpikspwykg.exe"3⤵PID:1384
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
PID:1432 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
PID:3856 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
PID:3868 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
PID:4800 -
C:\Windows\system32\svchost.exesvchost.exe4⤵PID:5484
-
C:\Windows\system32\svchost.exesvchost.exe2⤵PID:1668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3560 -ip 35601⤵PID:5996
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:3664
Network
MITRE ATT&CK Enterprise v15
Execution
- Scheduled Task/Job (1)
- Scheduled Task (1)
- System Services (2)
- Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
- Windows Service (2)
- Event Triggered Execution (1)
- Component Object Model Hijacking (1)
- Power Settings (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
- Windows Service (2)
- Event Triggered Execution (1)
- Component Object Model Hijacking (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Defense Evasion
- Impair Defenses (1)
- Modify Registry (2)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads
-
Filesize
466KB
MD5e18c1989d43b3760c4b97767ba4cf877
SHA1c683ceb15dbae84c885191806c17d1abe6b4209d
SHA256055c7bae37fc7ea245396b51521d41d16326d3fb6e46a2d4436901c9fba922d1
SHA5125301b5d5aa843f6ad8e08537ec88d0b8bd60996d02a9f081c6fe7ec2a2ae40129904688fb6aa573b45a5e89cac23b7648d9d038982220ab2dfe03ccdb0d5bbb6
-
Filesize
1.6MB
MD57580437d0fb8c1ae60d96dafb6883d30
SHA1be89b488b258555a8cf971e4d29c40ce92bf881d
SHA2563dce36d583ba1c741e95df1a265e47f0de581bef77ab48165dd67266be7a42ef
SHA512e67be84fb4c9bc87c20b72a1169f068b0afdbc9872be2cb0bfcf9eff65b2b246c60c7237350cbb38cefc004a75645f49d30c9acab12efb0e914450886c21e1eb
-
Filesize
615KB
MD581d94f5c09ba974ce676909fe5811817
SHA1914b9cef5a6cea203b20658ebe6a9f696a337b82
SHA2563c01370b6eb1f2cabac6e2afe6c9a0141544b554a3a2c146489f1111c41e39d9
SHA5121c9e1cb31b4cbfd07d345bddaccfa6f56abb90f18bcce5583d287daa078cb73544293557e73f946355535ebb4de57b4207eee2a3e7dab8414d76c9dcd95afb45
-
Filesize
264KB
MD5014b712a9b591a14c84e7fa1dd199554
SHA1857df15d9e55e018cc5b81c40ff4c1c649f3f01d
SHA25600ac8169236b8f9910c661e6d8b82c2f2e5800338a9c7775d691e622f3521ac9
SHA512f852e54a6725d5fd8d44ac07bd3ecf2519d707506beeda4d64fee2cbef0e280d0de30c4d27526539213454de272960d963d2f462c320d8d9b268865465284dab
-
Filesize
103KB
MD50216981a67cd11ee5803bb1b78f25262
SHA130919b9d43a65cc69ebbc50c6ce241991f64b179
SHA25617d044f52c7ffe0b737ecfa3563d6afd2dc6a9361036b910b640e73de568b230
SHA512153d63e3ed7ebd65eb00fd9a5eacb0fc357f374ff60b00640506930100d2661e5b6c4f504d347c02ca6e5a64b79ee612b4031adef449736ea00cb337a17afdd7
-
Filesize
296KB
MD5bafe41bcaed61df51b17f390ae1cdfe1
SHA1c6e502cddaf9031b7fa703a289be11121b01f003
SHA256521900b12c8734a6a56eba855c663cf49cb9b2b352c755c0cd747cbd6f18ee8f
SHA512256338f880b5ea8f33a3b4a5b4db5341ec30c37a6c857a342bced7cc37400e51ca1678de6aec888af28f450fde90ca6381b7d8768b0162db1304689b5eddeeea
-
Filesize
371KB
MD5ae041e680ae569a4860e600188fa0adf
SHA1fc86cff5f51df5cc08b9849100e56eee9738d0d3
SHA256126f81c57d54c1ca6bbcdd524c647af635cdb408401a5bc21216b4a0a792dc5c
SHA512b2ab7e985f0de3dedaeccfac23d43c0b1910cba5401de19be94cf8cb3c7287c6f9a315776819c5a2c8c4c986a2de70ff568e0892cc7a277fcb37a0cb8b55e2b9
-
Filesize
308KB
MD5d636e5b90daa1596718081ede840d03f
SHA1e5f54ee365a63ff0980f781bbc30547ed54eb12c
SHA25659b4d9afd66d8e33c7ba2e4b8617030f364ee905410610f8c96209df62a3a734
SHA51235ee29b25c50ef2aae22fb53077234ca5f2c8c145f95cfa03fb226b736d8f26ff1dbaed3586e93d9ac82b4aa90c64aeea3c25a3930ace993cfa9447cd501c68d
-
Filesize
284KB
MD5ce5fb67da5c10a00cf502728c63b76e5
SHA197e927e8a670443be87bcde1989fd2d60d705434
SHA2568e40c7805f57da244a20ee289ca2c018b4f3fbb9047fb06fa2fed954da237b67
SHA512c678c0e960c8473c9712239ea31d5224baf7a0f7ed05bbe69d422c045f29b5d0b664a3811a5d11ab4b0b9d0b06ad51bbb03707cd21ec36859a4bec7b4f2cb41a
-
Filesize
152KB
MD5aa7a48540eb79ba2280f81da93c1599f
SHA1e8856c21151b91d6a270964d5541fc09f2f05283
SHA25639edcf477e1463ac9de52ffe4006128546cbf12a19d91b8aaf856f3c19d49aa2
SHA51206ab843d9e8e017b1389282d5d2b005f52f5bb5a815db6f63238258888b03202adc72c415e0f682f53f00940f8acb093129254f69b638f897bd015e9c876844a
-
Filesize
2.1MB
MD5bb93e0794549090f9b51330f4cf18174
SHA1aff16714e0aca8b6f8e86d2b34d7810bfc693e36
SHA256969d33b5f4aedbe805282a630da8cb43c80d3d81f466c59d292ecd6682a69e1d
SHA5122a9a3fb67009b57991872cf78c42b3d4a75085bb6afb27640f73b39bb06e7345f3143c48dd403be22dd9ea2c6e2269598e40a440fe4f27f11fdb1fd1e6bcfdca
-
Filesize
11KB
MD5fe776dd032bebe227d52e0a0fce3bf43
SHA1a681f3dc51cb61b627eab1291f0728253e2f234c
SHA256e582d57e1b6ebcd262052d02149530a8077b4d14c6e3855fc7ebc823eca56af2
SHA512be322e942264d9f161ad2f44b17eabcd5db36a6746db1a9f107481307081cc6d074d56f7f95eec8734a256377b73e466d89d8c20657e9bec53404ec262f50f15
-
Filesize
114KB
MD5db26309558628fa1ef6a1edd23ab2b09
SHA19bfb0530d0c2dcc6f9b3947bc3ca602943356368
SHA256e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070
SHA5124171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
124KB
MD579ae7ac8836dadd84a38235a63831048
SHA155b1b4aabb5edf4e44d5211461b4d059c5e457cd
SHA256acbfe327bd4e8c3c9f77742b5feb9733effad9e1ce4172f5f28a64dbf83aea0d
SHA5120a9cbd3a4f4f766767218679f0fdf10404a7de18ca0f019a12867cf55cb9c233c34e11f82936cfdecd8ca1ed69694c19ae10c1456652dc92248032bf839daba1
-
Filesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD520069500756a1a645a477c9e9d57e4d0
SHA17d5d14a9feec763954a936318f1d9890b728622a
SHA2560b9c59cbdac33da5e2b39a0be1bf9d5861e0188c0442cf300fcdc70cbf9a3cb7
SHA51229ee4033c4552dde83f70d5038593efb9eb5f1afd19edbf003d3996f0615552189f9f9d08ad36628a0da1e82a10efc82233f543a0bc4d622923632228854f91a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_435F19BB71255BCD780EEF90E8C1A7FE
Filesize727B
MD517b3f5125c44a52481cc3abcb3d4181a
SHA10b74bfa0f60dac8000de17115661cda7526eba5c
SHA25682dfe5fe4bab81f3acbf9de0b99705450db1b6b5c8557f50680d894eec24a950
SHA5124f0c20f060c604f8351a45dad9e8eca15d07d89cefea91ffb74adee82e265e8e2572b8f61d40a690d6904ef892a3028dce3e420e37df0a42e36a5c71a090ead5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD5c210f6689aca680446c0d8ecdef2e46b
SHA166cba496d984f92fed05f77101c45734f193e211
SHA2568f8540c24fcc6ddfddbcabf8f028f8052addf41601d5226ffe378a6e7d4caf5d
SHA5129c62a6b2a129a50e2094566d88acd7c25ee29600ed1596e6972f684edd48d11366605dca0d90133d489b51eb38bbb6c1a5ad68d0ec9f81c8d23055d03e9540b3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD505e3180c2e7e4c82550b1ec617788438
SHA18860f4b6bdbe3335ec806c826e8eaa77c40d002c
SHA2568d77860796749d893f6bcd8c983f03a1e26c308f6009fbb21886894b7328ef4b
SHA512d6daac486647af9aa38f81f5aa068057529a479e4d4eb52ef00f363ed2d65a736b18e8007bcb9771f081d675bb08166ca81aae4d3e7b7582912030f07ee753f9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_435F19BB71255BCD780EEF90E8C1A7FE
Filesize412B
MD5609ee00dc8d0c80be9a028088167f7a1
SHA1a1991b03f27d5c735a3c35b03f14b3c7a184bc69
SHA256d94b3a4c3f4ab3f7a0fc27d1554a99b048fa6a9a8c245ba4688a8f4012132d14
SHA512c9caa2dd2b9aa61d73c8271b0ae81c5c37e274d595b594827f567e5867f72005c77a4217f49e3eeb554fa108c16ec85c39be22b00f5557c2108c8e2da602e545
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD5678f61ea30e42568194b9401aac05b06
SHA1448db80f4f3f221e426a87f852c1a994a1a0d57f
SHA256250c16b92379dc8d4a257e355cfbcc83af2505148c1dbf3d2416d42febac0816
SHA512500cd25239a969479694bd8f8782fc315ec9a8b57084b70e56bba6b75715844d6f7c4c12a293f79c29b8e1f231a7a0c818ba51178c1507bd2232ec36fb5026b8
-
Filesize
42B
MD584cfdb4b995b1dbf543b26b86c863adc
SHA1d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
-
Filesize
152B
MD5eeaa8087eba2f63f31e599f6a7b46ef4
SHA1f639519deee0766a39cfe258d2ac48e3a9d5ac03
SHA25650fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
SHA512eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c
-
Filesize
152B
MD5b9569e123772ae290f9bac07e0d31748
SHA15806ed9b301d4178a959b26d7b7ccf2c0abc6741
SHA25620ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
SHA512cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795
-
Filesize
23KB
MD5a0423f1305547bb6b8f5a4fb1a9fc2d8
SHA1092dcf1fe57e6bb53821eb754e04188ee70602d5
SHA2566add651cb411ed9ce9a17883c1522920a6ee3b4eb676f5b411e72d1a5e7de6e8
SHA512b8487c60b40d332e562cc5d4fc7c515e3b3c2c82311700b788905754c1376ce6f0da650583545a4691d51f04ec5da0c0204997214d167c85b788d4c85236c4c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5fc99f179478bbcd5712791807667e460
SHA1bf6a4b618300dff9ff5f865481d862e76268ff5d
SHA25603571e1d3959d0ded485cc1314dbcc9fa7b886b719c385f7d19989181d975079
SHA51255d3814144ee7673039267f2a61d71d0f29c43ea023e288cfa2488fd824d795360ed96dffe3263c17203100ce721f6f479dd80add1dd39bbe4eb075ae1741f14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5e97992a0c79a783be7997f3b2fa0bc1f
SHA10b06e7475910473767d58668a770e37eea5477a3
SHA25698f3421d02c55a67ca1517ca9a8dd7d54eb2bc6b0d37443d2af5b8e4edea1d51
SHA5120dc4b79ac1f9f9ec8552403177e59a86ff980e903ef19cb652473768d685c8995249a727fb3df7e48d95fdb12e6dd9562501acb020966eb74965c611992b61f7
-
Filesize
3.3MB
MD53bdf96b3e02075e63f1a999ff37db119
SHA1525d559dfca20e676c4653aa9c018ef338ebf7ab
SHA256ccf9fcac880e8e0d633944a89aa861a8d89961a981b7fa26b0d7fa3f000ca3ce
SHA5129575019a8150769c110e0498e1758cdf9e54a5e399b3d5847d45b7d4ee8a84a83128e7cc438575f81da53769a4e8c5a84f3e0dadaa56299ad33fe426ba51d7e8
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
2KB
MD52e22d90c548c5774f1f1345e161f6476
SHA1e0451fda429fc4a8fad8a91856e974fc06d43289
SHA25636583f97fe5b0128129e7e2f19b1fb142731ffae7651d72ec3d89d3b05ed34bb
SHA512ca52bc4a2acf1bb9221d873f59e0547901dec2ae82e990f5901afccf43d099ca863cb6ae81750dea4f7c1197669d3adbca2c1d3a518356a729171be4126667a9
-
Filesize
2KB
MD5160d1e0d009ff6e2b6a521d1721b9be0
SHA120696afd2abaa4e90bb816ce943dcc09279897ba
SHA2561f95b4f27f8f2b4c4fc0f5ed52eb0b29965c1ae2fa9cfec6f70be7c7ead7b9cb
SHA512b8425f1d1e51d82285390e11ae0e1af185d99c1866acbeb6dd5403de890770bd44de4d7f35424bb54875196f79b772bf9e04445575e6009a152a974b6c15cb96
-
Filesize
6KB
MD50c8f837678a0a686dbc26c6788cfb3c3
SHA1266de6ae76db7055632146d809b7c8cc29dad1f3
SHA25602c0d4e9c0dd918515f774ba62fb3aa1fe5c5b76a8f0f7236f5106ffa48942df
SHA512683b97356a914d619b7e8d8f54d14f38e34250c2e182077db207934181428b3ee9f417eaf7acf088fec3d0e3c3a99e2be85cd4b174ed3d6f4c4132d294df3212
-
Filesize
5KB
MD5f68c7cfbad537ceed24c2a23398384bf
SHA1723b75a42383c35d4144dbb881fa5c676dc7452c
SHA256e9f3aa3239539c0d63d5197e51df2dd53ebe6fdcd7eb8fa19df8c8d6861bfed8
SHA512193db63e409cba915f7ef2431a981c49b60089a5934ec831789d457794d45a7e03fe59c292b92d28f5889a947169cf0c7ff7565f2cecf6fdba4a78dd5e9e65be
-
Filesize
6KB
MD5b4605e324074b1a0569c3dc8d40ab9f1
SHA1c692828cf502a09a146cf1ddb16d24aa7cf546ce
SHA2569b6884c06c13bccdbc9f378dfdfd7b3541f0ddf6ca90cea47e9edc43c48fdc4f
SHA5129c0095505f8a8f146e87c84c13e6e817dff1c5589ca2694489b7906205cfae0e7e278e4630cfaa1cd16b5469e57f03e38853bdf6fea27a56d3276ba1618b60b5
-
Filesize
7KB
MD5959272233f107c17ece32f9e9e818047
SHA10eaaea4b88a6f8527f191b49fb8d6c75396e4b45
SHA256c8f131e62a5a03d3ef06b7eedbc9dff0fffed42876ebf37c31a9654c7c625a01
SHA512877d93b016bb568ef213e6c591a87b865244f8072862f417354b6e454b1c14f4641856f6fdf1df8dd58704c468c51db1b62c027e2d8821f6aff1b70882920a7d
-
Filesize
8KB
MD5bd92b7cc28b14227cdc34deea80da04c
SHA18c03cb8a32fc605dd21fa80452c5d8014a836a85
SHA256cccdebfce7439b4068c224002c5d182e4c19c274fe359d38020e0fd38b5aa291
SHA512743a3025223e644f907e56c21d14038404458b7798d76e87552554dabf2810d02f8f5617f3f010b9660e7dd775d121ec1571bcf19b7c495e384d79ff7c0fe52e
-
Filesize
10KB
MD5bd6b455197e1761130bc8eda3752ee39
SHA1faca9abd4f6cfabc179279f05de446b1ccbb3488
SHA256edff748a52a82842de21c82b427e0d0745517fc4bc99117539e2a751df72c523
SHA51251d43ba6a56be77d954e838f87bc7e76edd15de5fc1cc170a97482d5c19cdccf67ec497f721c06c55363130b85f13d3964c22af7affbba537e8ad5c4523770a9
-
Filesize
9KB
MD581dc876d356c4f4f684d59e466270376
SHA1d7736cc46a7a07dbed0ce1d165346d213fc4a9c3
SHA256dcb6efd18f2ddfb2141b84ab86fac6c153007e18396ed4a0a21d71b08d49cf49
SHA5120eebf43e7e2a5b9ac01f43f07eeebae5e11ab802fa4999913a451259b30b6bf98e2fe130e75ef26c98a31ca72ac594f84a351d9ed19ff00d89fc4516e6e90666
-
Filesize
9KB
MD5c6c6dd777af40003f927a4e7b684bec3
SHA1e85f2cd3da6eb052c6d7f883f3992461c5cae575
SHA256c481646487ae705219d997cc22ecffd246e0543ced592e915a57481878139e21
SHA51259365bfd79d733e10edb1d8d0f4a1a6e9725c07a6074731cb27fedc319ade726de919d2de7ea1f194c78773117b2c8c47e15ab5a1015c7a37a934b1c1ff8035f
-
Filesize
1KB
MD54a2a2b986057f5d819a4da8aa9c2e4ae
SHA1a87b510f1ba6fb23350e49572b97e83f904e44ce
SHA25633a6294cf1f228b55a8cd08328b7c2f2e4880f7417d7ac69255ff355ab3b0c51
SHA512e68645390d4bd4eba3bc359137c3e58ddae1a48e63ede7ca19dbe3165b22ded3850b61b6c31f33417e2a31d2f9d97aa85aef7b676d0cf0bf87db5225628763c0
-
Filesize
1KB
MD5e49202c158825f1233cd1e161bb9708b
SHA11bad974f298949daafd3363cebccfa83bcc9e345
SHA256fcfffa5f82865e551bcc55fcf243aed443db9f7cb7307ed863f94b3af54a6c7e
SHA512ef5fd239f7006de8b64b7d2cee10764b78c90eb6bcad91a1fb249c647634ce08829b25db6f0efedf65472f9a8dc026d7cce5d5d05dc70702b104c43cc497047a
-
Filesize
1KB
MD5ebba0a39e27662b1d255e6b9c41b92c2
SHA1f9b18fc1b56dadad563fc188697415d5a0ffcafa
SHA256f82e6e2b80d5694c5caac9b1bbec7c6a2113178f9c4fa28258e61c50d5027463
SHA5127ae40278b32cff8b2fcec6f26c111f474b6127be29f8865f4af8bce16d6c3b8aced34d52a45aacb0cb3a792737d6333c8e36e7b3db6a3eb1fabd13938a37bd21
-
Filesize
1KB
MD51f6d7f68c3b14ee258d158047d595c25
SHA1aa778ca15367e599b497de962226496e60545c1b
SHA256d1b35518fa0925c5cfca502d6fe57e809674e792affd25a3c42d76f92f0d0f4b
SHA51273e83281b25d10876a61e8c1e5eb5317954c59d921c2ce19de3b3b5cb4e3f33a2ec1469852561bd538e8048a378aed4d0093230399668496a1e461c5ec2a7931
-
Filesize
1KB
MD59c447089330cb72c29a0a9a9fad6274e
SHA1e149bbce8d4bb46e808bfc531b5ed5494d7853c6
SHA256599bbea4d39c57f45e0fc1f1e1ef4d7c9e6577972e22d2dac40dc8fdecaa492e
SHA51234de210db207959f4d492b05bed1b2deeedf9592a6e172f00f82c622ebe47850366416f0a1694bdfa16c4ebe4ff0a2590db9831c6c168e13ffc124745a0a0e20
-
Filesize
538B
MD562f6b13c3ae7ea12c57ad50ba56e8d89
SHA1b9a8dc5078c9a2fd92aa79a5068fcf8a29621944
SHA2564d95538aac37a1ec6860316e738848c3a7e608edc6b5d48924dc881516aec983
SHA51299108be56a95896507679620f6392315b66d2d0e4850180b5a0d44fce27f6d578fae6caa97cbc0030be09943877210212439074b1bb934fc70f68190971cfbe9
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5675b7aafdf7cf9609da75aec1d88044f
SHA11a391a592e48252a04067cab74e641b1968ed71a
SHA256b0ce2796d4094e01810dcce9c5013db6436d83144a58342e4e1321d497f78d41
SHA512ad4467d5c02e25fc19801964dd6749a073be98753d0491d9d799216b1d7492b2f7d8cbbfd31fb5e8a9aee37790160986090caad63936a487ef32fffad08735cd
-
Filesize
10KB
MD5072558515fa6d3a97b5e370828de8253
SHA1bed6abb2a1ec6b2cf5d4864ea599217ebbef79cf
SHA256ab22d564c4e4978034c60e7216ae598734ed0c8de4ab5f9b6f083f2f46ef0826
SHA5123de95380f1f268ce5190a6948025fdb6d344006926ec6b93203104600500825486a5fc02488d8e3796b67e517baebfaba11defc74fe51c90841c2459193a8fa9
-
Filesize
1.3MB
MD511eec88dbffa7ba1fc3d7f5796c2de76
SHA15248dde8554729b5394acf58034f2b61926c3dbc
SHA256d5795d9b213a8405a85182f9382194b4e0742861635316356ca4dc8fd93a355a
SHA51264cfb4417e276cbe24448784bb75f494b883875212431086eba18d2d3f5ed36f048354f38a43d9b651d9cd929f6d670ed640c4cdb459b13a3740e3a2265d9aeb
-
Filesize
9.4MB
MD5c42e50792b48c1f1601103be676bd936
SHA11b1fd1556c42613d866b89ab51af93bb5db86b37
SHA256188c1da51090a4625023982165ebc4cdbe34f317f13630726b9d6085e2fc415c
SHA51223c5b2362f0b96aa55303ac3d9655ef5631076ab3da7863a3f4abe3b5de655e8b4898613784c1804cf4005edacafb299bd43637b17f381e8aa503b21d5d94303
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
5.1MB
MD5b9086110e2962badf24196a0de6a0ff8
SHA1707f02bc9c0834720db4588e9a5ff612b9e83ac3
SHA2566aadcf84bda1fc81881dbd9bcd9371f60c0198e73b53c1e13b9c9dda32c02e63
SHA51292462bd513e6a3e7ba40a39176732e86aa1947c0fbde6bb333f6d462f3e3af3e0798b889e595dde0fecffece88f820b76bf16d8a32042588248ab4f652b3dea2
-
Filesize
2.1MB
MD5bb46e538c5ee51265e3c7dd21d996af6
SHA11f1d7739e238f631b0ce8892102e8f2224009b4b
SHA2561c54ed31c594fdb830f1da9dff6b4daac0100c5970f5401e0a5b60abbe64a446
SHA512ef3aa68097b811dfcac683377a345291e6e2535fb91c9944a7628ff941093c5701d0f6da5d7fdf4fc552aa5486d602f803497f44c5a57a6ac57919dfd2a05c4a
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
48KB
MD5
349e6eb110e34a08924d92f6b334801d
SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
32KB
MD5
f27bd194d4aa758a07c49756b4c34905
SHA1
78bba20d0bb1830d5bacabf6bed4b3b95702684b
SHA256
9cec6313a340ed6ea2d32f6a4a29bdd57fe35a4ff087d8811bbd4ad512b74451
SHA512
4e73860d71404f37b37728af9324fe663924054319c1e369efa1b6d2a7aeaeb24b35ebc4ee89fb23118fe47e9c0b9f0ac76fd4eb1c4276c28717a9ec8d8c82ea
-
Filesize
116KB
MD5
567e60454ed777fd39912ab26e689b80
SHA1
9cb5d0d87c1b092a0dc0256d5d8772487b834848
SHA256
23fa6ef15f88d7e3a0d0eb04b2adfe755be809e4d1543aa2b8988cdf6c2276e0
SHA512
989f0f9e231c23730c0c5f28ccbefdbc46ee5b032b2dcac7897c1e966b2d355a83248dd416508ecd562879bebfc9e61c325cf4657ff8a8ac8c8b3268c9ae1daf
-
Filesize
96KB
MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1
d6582ba879235049134fa9a351ca8f0f785d8835
SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2
-
Filesize
2B
MD5
f3b25701fe362ec84616a93a45ce9998
SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
217KB
MD5
785a37d8d62771cc35c6f5cc145e1219
SHA1
0e35b6c575670d4e8cbe0f13e7a7db9aadc8819f
SHA256
ffb0ca6890b94342d54d26250a6c6104b9e916858fb7242b58709f38c65b93b0
SHA512
d1fa909e78ba7b9478ffd7f627873a1e0013231cb9436d9f8895b262c7e0ba3efc1225d7d9797cad774062f9781afbdefe72b0ff9b23ddf540869f7b2b11f1be
-
Filesize
4.4MB
MD5
a79fa370fdeecbb187f96558a76534b5
SHA1
5ef78b7d2c21882cec551528c697f12abb1f8b23
SHA256
8ed135aff12b760792f13be121120dcbedad95c2f927289bcb8ae73bc338bda1
SHA512
e9388634726560299fc31b1e181c5308ac94b31c0656c9d49e5042ca7ff5996b7068b6faf5d09da8b4f4ff3d9d287f54fa3ff79589d6975a161d855c9d9d4846
-
Filesize
3.4MB
MD5
c4d092354c3f964ee1d9671f2517a6c9
SHA1
838f3a4d426ea72c2f5cf8164f8ff4fc9e694a1b
SHA256
1814f8b1c1223b93e9b6ae699f7f8f25fb543ad511e349f39219a4ec222f4f05
SHA512
c162ff7f53b3a095e779369fb00546dc62dcadb4e394593b40522369add2532274232bad920f5a65ab07636ed544bfce239a42d959dfea01c7c19e2bbfedd5ee
-
Filesize
1.7MB
MD5
1777e41c01138cfcd1b8e4b6082ae3b1
SHA1
bf83c19106c0226d8e3e08fbbd5633ce96472bf0
SHA256
7af1ac95d468a1b0d9dfb2dbe0dba8b3aca9a09e2620a0ec35dc087f829f9401
SHA512
e44f8d2b9c5f33b48c64107b9a1c8fd0ac77bf88b465e6fcdbcc2b1b3253f71922b350048e55b6d97e938892084b0d7cc098cdd208ee1f15b9434426449fa88b
-
Filesize
8.3MB
MD5
b5887a19fe50bfa32b524aaad0a453bc
SHA1
cd1f3905959cd596c83730a5b03ceef4e9f2a877
SHA256
fce5cbeec1eb5274fc3afa55e57fb2f724688cb9d4661a8a86716011493564c7
SHA512
5b9914c94101b53314b14335e687552e5da0a4085afb826ae94f45769e9b1e66a35624b6e6b60257514f4adf2acc5c9e048bfa3a24aafb891d203e3011c02538
-
Filesize
400KB
MD5
aa92bc82a2b3c733b305eef3ccb7ae6e
SHA1
b52729db10f5c62ea03f4280e16cbd5304487bcb
SHA256
ee9e9a1840ff7f83b91b8eb3fc1e03df51aee5a94ac9cb3c63c0a37a9f3fcdd5
SHA512
de5d0741196ae12200d35736dc37f7d7fb809e63378ba5b0b8f0da962c608037f2e9ff6b35a371fd0a0d7182da86f3338697c47fbd246a0c1831a14edbead8b3
-
Filesize
294KB
MD5
5f7bdc962aa76f272673ffb86ae8d634
SHA1
0d78738b625c66f105c24484920a78ac02bd1533
SHA256
9482245f504dc281027c12eed58c987147b2d982c3669e1c7dca3bc0911e7b97
SHA512
62b6be5a24108c685a0824399dc78b33b5b52149d0e1b7792ac90a30d6fbd7bb2b0650563861e493c79f2313c33a2112f0bd9366e0947d24bee9b1206b4c0141
-
Filesize
3.5MB
MD5
c883436a51137626711481fed4be79c8
SHA1
57c7e6907219e8aae747f64343066963b57508b0
SHA256
7e33a3b6de352650c44163c2ff989cad764017c508e13b240f783c08c736f2c5
SHA512
8b6c00183876d0bd712e616fcb6db3f7d5ffae4eeeb25fbf6c0a17b725b44f82cf7e2e810404560ab2373cbaf053d7baa89aa999e6c0c59161cf1bf9ab1098b9
-
Filesize
6.2MB
MD5
0de88c2f978a57026e58e6ca90ae5d69
SHA1
e066a32f87292b1c50bcec3064e76f4fc0781d1a
SHA256
fab479cc1e503225be39c710a3555db1ae1f6d6acfb0504b715d2284f75e3527
SHA512
47fd6cdd95e6d08c59340b4e00fe97c4bb987cd2c11628deda02cd59c5739e990f9c94fadca37e4b7c8adb9cafbae12b69f20b569457078c159bbcb180f9163f
-
Filesize
501KB
MD5
f10161c3acde4b7dadcd1eeddcf937f1
SHA1
ebf47c2e0916fbc430ddc8a90cdd1fe98112f979
SHA256
445a933766bf381ebe8530e0795e22ab2bccace28291388aba99808e101e8230
SHA512
5024f57f0bff356120598e7faa472c956d843d36a6d83d953c9a7345aee36a14d216f1bde61524a62a0dba4cb4fae4a67dcefaa0b2e8fa5526dfc9a218e985d9
-
Filesize
10.4MB
MD5
025ebe0a476fe1a27749e6da0eea724f
SHA1
fe844380280463b927b9368f9eace55eb97baab7
SHA256
2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2
SHA512
5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799
-
Filesize
324KB
MD5
e600b6015b0312b52214f459fcc6f3c2
SHA1
0e763e33524e467b46d27e5f0603cd2165c47fed
SHA256
65bb6281d63ad091f8b6b4d0c460d9d6c1631fe141fe15b23dc6d23a41e094ad
SHA512
b1c1a68128c2cd75df9cb1d890358fd6bb85d9a62288468a19db3295cc25e6cb97c05fa0b5bc3b1dd2b88bd39b343ce5cd1494ca8ab56352c1e375e88fe7e464
-
Filesize
2.1MB
MD5
6a94b94ba557d5d85a1da20213d48974
SHA1
a311aa3a9243849b883867fa3d772e4c4e95d080
SHA256
e4a125aa374a939c07ee3172dd5cdb23990096efe7059e9d647f1eaadc32e3dd
SHA512
a246f8f4341a144f4946179c518fea833dbec7e40c69023e10687f85d97c28e1851334f20260069c0d6500ecb859c2e2553b4492cda22c6145966bc893a54c74
-
Filesize
9.4MB
MD5
1ed0c1859d698038e0925824f139343f
SHA1
265326a70e8c18ac204f5c06e8071cddb0322d70
SHA256
4ed3eef9073cc7922fe6f77fcdf8e9c1d8a09da5f2b7d8218a6f87e7075e7cd5
SHA512
38186a14336f17ed00c42026b9805de53e311c155765f0f3b4128e9400df565fc19263cd4d4fbe56c3244d6e40d6faaf0c50c73c96c3f36edc1e055ff12ceae9
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e