Analysis
- max time kernel: 348s
- max time network: 359s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 07/11/2024, 22:33
Static task
static1
Behavioral tasks
task | Sample | Resource
behavioral1 | readyfile.zip | win10ltsc2021-20241023-en
behavioral2 | ✱SatUp/Setup.exe | win10ltsc2021-20241023-en
behavioral3 | ✱SatUp/libvlc.dll | win10ltsc2021-20241023-en
behavioral4 | ✱SatUp/libvlccore.dll | win10ltsc2021-20241023-en
behavioral5 | ✱SatUp/pdfium.dll | win10ltsc2021-20241023-en
behavioral6 | ✱SatUp/plugins/access/libfilesystem_plugin.dll | win10ltsc2021-20241023-en
behavioral7 | ✱SatUp/plugins/access/libimem_plugin.dll | win10ltsc2021-20241023-en
behavioral8 | ✱SatUp/plugins/audio_output/libdirectsound_plugin.dll | win10ltsc2021-20241023-en
behavioral9 | ✱SatUp/plugins/audio_output/libwasapi_plugin.dll | win10ltsc2021-20241023-en
behavioral10 | ✱SatUp/plugins/codec/libavcodec_plugin.dll | win10ltsc2021-20241023-en
behavioral11 | ✱SatUp/plugins/codec/libd3d11va_plugin.dll | win10ltsc2021-20241023-en
behavioral12 | ✱SatUp/plugins/video_output/libdirect3d11_plugin.dll | win10ltsc2021-20241023-en
behavioral13 | ✱SatUp/plugins/video_output/libdirect3d9_plugin.dll | win10ltsc2021-20241023-en
behavioral14 | ✱SatUp/plugins/video_output/libdrawable_plugin.dll | win10ltsc2021-20241023-en
behavioral15 | ✱SatUp/plugins/video_output/libvmem_plugin.dll | win10ltsc2021-20241023-en
General
- Target: readyfile.zip
- Size: 16.0MB
- MD5: 0abdfadb3b87d3f9eedcbcdbdb113316
- SHA1: 25d7f48841c4feed8a023203d6dcac829490730a
- SHA256: 88c091ba3072107a1c873c0bf5360e7fd7a4ae99c06af9bbc0f5676795cf1fd2
- SHA512: 8845a63e33a4662a7734fefa66bc2ba85669abd8faba43a01cf0bf635915e4d0a8d1f2f81e4286506c91c7616447cb31a8011aaec7a9b6260237492fd5eba3a6
- SSDEEP: 393216:NRXC7xZpAkB/7M8L0YJL+4MRYichQMKYbk/lSq3GYe:NRS7xHAkN75oX49hQNYIJGYe
Malware Config
Extracted
lumma
Signatures
-
Lumma family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\StubPath = "\"C:\\Program Files (x86)\\UCBrowser\\Application\\6.0.1308.1016\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --wow-install-target-path=\"C:\\Program Files (x86)\\UCBrowser\"" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\Localized Name = "UC Browser" | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\IsInstalled = "1" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\Version = "43,0,0,0" | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\ = "UC Browser" | setup.exe
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 4 IoCs
pid | Process
3048 | netsh.exe
3036 | netsh.exe
3372 | netsh.exe
3788 | netsh.exe
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 48 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | UCService.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | UCService.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | UCBrowser.exe
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | uc-browser-6-12909-1603.exe
File opened (read-only) | \??\F: | UCBrowser.exe
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | stats_uploader.exe
File opened for modification | C:\Windows\System32\devmgmt.msc | mmc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | stats_uploader.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | stats_uploader.exe
-
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 548 set thread context of 1672 | 548 | Setup.exe | 116
PID 3840 set thread context of 2400 | 3840 | Setup.exe | 134
PID 1668 set thread context of 4916 | 1668 | Setup.exe | 144
PID 1848 set thread context of 1048 | 1848 | Setup.exe | 150
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 60 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1792 | sc.exe
4860 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Time Discovery 1 TTPs 6 IoCs
Adversaries may gather the system time and/or time zone settings from a local or remote system.
pid | Process
5116 | UCBrowser.exe
3100 | UCBrowser.exe
4740 | UCBrowser.exe
4144 | UCBrowser.exe
1456 | UCBrowser.exe
2456 | UCBrowser.exe
-
Checks SCSI registry key(s) 3 TTPs 23 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 52 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | stats_uploader.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | UCService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | stats_uploader.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | stats_uploader.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | stats_uploader.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | stats_uploader.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | UCService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | stats_uploader.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | UCService.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | stats_uploader.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | stats_uploader.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | stats_uploader.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | stats_uploader.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | UCService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | UCService.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML\Application\ApplicationName = "UC Browser" | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.MHT\shell\open\command\ = "\"C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe\" -- \"%1\"" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.SHTM\shell\open\command | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.XHT\shell | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UCHTML.AssocFile.XHTML\shell\open\command\ = "\"C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe\" -- \"%1\"" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.MHT | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.crx\OpenWithProgids\UCHTML.AssocFile.CRX | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.SHTML | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.MHT\DefaultIcon | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.CRX\shell\open\command\ = "\"C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe\" -- \"%1\"" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.webp | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML\Application\ApplicationDescription = "UC Browser is a fast, secure browser using dual rending engine (Trident and WebKit), optimized in speed and security, to provide superb browsing experience. " | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.XHT\DefaultIcon\ = "C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe,3" | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.XHT\shell\open | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.XHTML\shell\open | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UCHTML.AssocFile.SHTML\shell\open\command\ = "\"C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe\" -- \"%1\"" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.SHTM | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML\shell\open | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.HTM\DefaultIcon | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.HTML\shell\open | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.SHTML\shell\open | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.MHT\shell | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML\Application\ApplicationCompany = "UCWeb Inc." | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.SHTML\shell | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.SHTM\shell\open\command\ = "\"C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe\" -- \"%1\"" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML\CLSID | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UCHTML\Application\ApplicationIcon = "C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe,0" | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.HTM\shell\open\command | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.SHTM\shell\open\command | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UCHTML.AssocFile.HTM\DefaultIcon\ = "C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe,3" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.HTML | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.XHTML\shell\open | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.CRX\DefaultIcon | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.xhtml | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.HTML\shell\open | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.SHTM\shell | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.XHTML\DefaultIcon\ = "C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe,3" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.HTM\DefaultIcon | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.HTML\shell\open\command | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.XHT\shell\open | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML\DefaultIcon | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML\DefaultIcon\ = "C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe,1" | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.HTM\DefaultIcon\ = "C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe,3" | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.HTML\shell\open\command\ = "\"C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe\" -- \"%1\"" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UCHTML.AssocFile.XHT\shell\open\command\ = "\"C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe\" -- \"%1\"" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.CRX\shell\open | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.CRX\shell\open\command | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.CRX\DefaultIcon | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UCHTML.AssocFile.SHTML\DefaultIcon\ = "C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe,3" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.SHTM\DefaultIcon | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.mht\OpenWithProgids | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.MHT | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.CRX\shell\open | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UCHTML\DefaultIcon\ = "C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe,1" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UCHTML\Application\AppUserModelId = "UCBrowser" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML.AssocFile.XHT\shell\open\command | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UCHTML.AssocFile.WEBP\shell\open\command\ = "\"C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe\" -- \"%1\"" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.html | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.SHTML\DefaultIcon | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\UCHTML\shell\open\command | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UCHTML.AssocFile.HTM\shell\open\command\ = "\"C:\\Program Files (x86)\\UCBrowser\\Application\\UCBrowser.exe\" -- \"%1\"" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.xht | setup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.crx | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\UCHTML.AssocFile.SHTM\shell\open | setup.exe
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (blob data not included in this report) | UCBrowser.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | UCBrowser.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (blob data not included in this report) | UCBrowser.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 548 Setup.exe 548 Setup.exe 548 Setup.exe 4512 uc-browser-6-12909-1603.exe 4512 uc-browser-6-12909-1603.exe 4512 uc-browser-6-12909-1603.exe 4512 uc-browser-6-12909-1603.exe 1088 Setup.exe 1088 Setup.exe 1088 Setup.exe 3060 Setup.exe 3060 Setup.exe 3060 Setup.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 1672 choice.exe 1672 choice.exe 1672 choice.exe 1672 choice.exe 3012 taskmgr.exe 3012 taskmgr.exe 4512 uc-browser-6-12909-1603.exe 4512 uc-browser-6-12909-1603.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3840 Setup.exe 3840 Setup.exe 3840 Setup.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3012 mmc.exe -
Suspicious behavior: MapViewOfSection 8 IoCs
pid Process 548 Setup.exe 1672 choice.exe 3840 Setup.exe 2400 choice.exe 1668 Setup.exe 1848 Setup.exe 4916 choice.exe 1048 choice.exe -
Suspicious use of AdjustPrivilegeToken 38 IoCs
description | pid | Process
Token: SeRestorePrivilege | 1584 | 7zFM.exe
Token: 35 | 1584 | 7zFM.exe
Token: SeSecurityPrivilege | 1584 | 7zFM.exe
Token: 33 | 3012 | mmc.exe
Token: SeIncBasePriorityPrivilege | 3012 | mmc.exe
Token: 33 | 3012 | mmc.exe
Token: SeIncBasePriorityPrivilege | 3012 | mmc.exe
Token: SeDebugPrivilege | 3012 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3012 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3012 | taskmgr.exe
Token: 33 | 3012 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 3012 | taskmgr.exe
Token: 33 | 856 | installer.exe
Token: SeIncBasePriorityPrivilege | 856 | installer.exe
Token: SeDebugPrivilege | 4624 | setup.exe
Token: SeBackupPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Token: SeSecurityPrivilege | 924 | UCService.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1584 7zFM.exe 1584 7zFM.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3876 uc-browser-6-12909-1603.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3876 uc-browser-6-12909-1603.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe 3012 taskmgr.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 3012 mmc.exe 3012 mmc.exe 548 Setup.exe 1088 Setup.exe 3060 Setup.exe 3840 Setup.exe 1668 Setup.exe 1848 Setup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 548 wrote to memory of 4512 548 Setup.exe 106 PID 548 wrote to memory of 4512 548 Setup.exe 106 PID 548 wrote to memory of 4512 548 Setup.exe 106 PID 4512 wrote to memory of 1752 4512 uc-browser-6-12909-1603.exe 107 PID 4512 wrote to memory of 1752 4512 uc-browser-6-12909-1603.exe 107 PID 4512 wrote to memory of 1752 4512 uc-browser-6-12909-1603.exe 107 PID 4512 wrote to memory of 1612 4512 uc-browser-6-12909-1603.exe 109 PID 4512 wrote to memory of 1612 4512 uc-browser-6-12909-1603.exe 109 PID 4512 wrote to memory of 1612 4512 uc-browser-6-12909-1603.exe 109 PID 4512 wrote to memory of 1944 4512 uc-browser-6-12909-1603.exe 111 PID 4512 wrote to memory of 1944 4512 uc-browser-6-12909-1603.exe 111 PID 4512 wrote to memory of 1944 4512 uc-browser-6-12909-1603.exe 111 PID 1088 wrote to memory of 4396 1088 Setup.exe 115 PID 1088 wrote to memory of 4396 1088 Setup.exe 115 PID 1088 wrote to memory of 4396 1088 Setup.exe 115 PID 548 wrote to memory of 1672 548 Setup.exe 116 PID 548 wrote to memory of 1672 548 Setup.exe 116 PID 548 wrote to memory of 1672 548 Setup.exe 116 PID 3060 wrote to memory of 2384 3060 Setup.exe 120 PID 3060 wrote to memory of 2384 3060 Setup.exe 120 PID 3060 wrote to memory of 2384 3060 Setup.exe 120 PID 1088 wrote to memory of 3320 1088 Setup.exe 121 PID 1088 wrote to memory of 3320 1088 Setup.exe 121 PID 1088 wrote to memory of 3320 1088 Setup.exe 121 PID 548 wrote to memory of 1672 548 Setup.exe 116 PID 3060 wrote to memory of 3880 3060 Setup.exe 124 PID 3060 wrote to memory of 3880 3060 Setup.exe 124 PID 3060 wrote to memory of 3880 3060 Setup.exe 124 PID 1672 wrote to memory of 3516 1672 choice.exe 126 PID 1672 wrote to memory of 3516 1672 choice.exe 126 PID 1672 wrote to memory of 3516 1672 choice.exe 126 PID 1672 wrote to memory of 3516 1672 choice.exe 126 PID 3840 wrote to memory of 3876 3840 Setup.exe 129 PID 3840 wrote to memory of 3876 3840 Setup.exe 129 PID 3840 wrote to memory of 3876 3840 
Setup.exe 129 PID 3876 wrote to memory of 1844 3876 uc-browser-6-12909-1603.exe 130 PID 3876 wrote to memory of 1844 3876 uc-browser-6-12909-1603.exe 130 PID 3876 wrote to memory of 1844 3876 uc-browser-6-12909-1603.exe 130 PID 3876 wrote to memory of 2116 3876 uc-browser-6-12909-1603.exe 132 PID 3876 wrote to memory of 2116 3876 uc-browser-6-12909-1603.exe 132 PID 3876 wrote to memory of 2116 3876 uc-browser-6-12909-1603.exe 132 PID 3840 wrote to memory of 2400 3840 Setup.exe 134 PID 3840 wrote to memory of 2400 3840 Setup.exe 134 PID 3840 wrote to memory of 2400 3840 Setup.exe 134 PID 3876 wrote to memory of 1464 3876 uc-browser-6-12909-1603.exe 136 PID 3876 wrote to memory of 1464 3876 uc-browser-6-12909-1603.exe 136 PID 3876 wrote to memory of 1464 3876 uc-browser-6-12909-1603.exe 136 PID 1672 wrote to memory of 3516 1672 choice.exe 126 PID 1668 wrote to memory of 3884 1668 Setup.exe 140 PID 1668 wrote to memory of 3884 1668 Setup.exe 140 PID 1668 wrote to memory of 3884 1668 Setup.exe 140 PID 3840 wrote to memory of 2400 3840 Setup.exe 134 PID 3876 wrote to memory of 3484 3876 uc-browser-6-12909-1603.exe 142 PID 3876 wrote to memory of 3484 3876 uc-browser-6-12909-1603.exe 142 PID 3876 wrote to memory of 3484 3876 uc-browser-6-12909-1603.exe 142 PID 1668 wrote to memory of 4916 1668 Setup.exe 144 PID 1668 wrote to memory of 4916 1668 Setup.exe 144 PID 1668 wrote to memory of 4916 1668 Setup.exe 144 PID 1848 wrote to memory of 1560 1848 Setup.exe 148 PID 1848 wrote to memory of 1560 1848 Setup.exe 148 PID 1848 wrote to memory of 1560 1848 Setup.exe 148 PID 2400 wrote to memory of 2096 2400 choice.exe 149 PID 2400 wrote to memory of 2096 2400 choice.exe 149 PID 2400 wrote to memory of 2096 2400 choice.exe 149
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\readyfile.zip"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1584
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4084
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3012
-
C:\Users\Admin\Desktop\✱SatUp\Setup.exe"C:\Users\Admin\Desktop\✱SatUp\Setup.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exeC:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAj7dQNK6LtoLWDco0X9hF1kXqV2z9WP44X7a4gYIXSG/I+iQ6IhGt6IpY9xKAOifpjlS7Xap9BCcY23D1Sep0Z7OvDsyup091JeHH47GgLDdyrQnsEWge/zTMmcSj7X1texUH/BU7QLr5wajUO+Py9G1utI9OsgT3PmG+5H2PP3B+4XQJx50ZozIeHG2yiKxMo0COh9NSMYjmFMCKrxPFGubu3yIPnXVFquWXGe2Y3tC9pD8lJAMo131M5elQlxvUetX2QyNFJIT0N5M3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1752
-
-
C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAgTdTOH8Ls4YgjckIOthD7uDqbWVJ2mAzg7Rww1vW3X1GOjnJ7ZG8+3dLpKj96Uul5ECQVplpaNuUzx0LCSofR0ZvVv8HZj8X4vQpkDbj3owyvnXQMv1q11TPNvoC7Q1sUIHaxhX6uCo1FBXHJ3SMdOW7mm13o7n/VOGT7QQMWCBFtjCBzg0vZSTf7mu83tgIZUOwa20RbsQbFcqDSMfFyBssHTLf2jQb+mMR6O6Y1VT+pH/UvtRwewtfsWDZhgK0WkEifBQHoTKqk9BIxziA7H9/Qqf1/qI0DLUfvWhl8Q=3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612
-
-
C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAkzi1m+EKzBuSgqeslt3Y59zv6n53VQ+NiSpLC9ASVnLeMPMdcC/RZNzSsq1XMrjdG0waaDL1+7XAbI9mLfxoaZehItaNODHWRXSWRWy3tSDXnpDkj+fjbNJeenT92n9SbQQ5xwiLODivccFV6NVh0vx4IajaHPdL6sxpeSWbJ3xm1VwdwABbBnaFYclzkQlJImkjuVH7yCEgvBs85TrTC+DxyTMGJwHN/EPigiK8WfAoiIYElK/PSa3vCmY8tR/mbvfqdQjmUjOsnXE3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1944
-
-
-
C:\Windows\SysWOW64\choice.exeC:\Windows\SysWOW64\choice.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\SearchIndexer.exeC:\Windows\SysWOW64\SearchIndexer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3516
-
-
-
C:\Users\Admin\Desktop\✱SatUp\Setup.exe"C:\Users\Admin\Desktop\✱SatUp\Setup.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exeC:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4396
-
-
C:\Windows\SysWOW64\choice.exeC:\Windows\SysWOW64\choice.exe2⤵
- System Location Discovery: System Language Discovery
PID:3320
-
-
C:\Users\Admin\Desktop\✱SatUp\Setup.exe"C:\Users\Admin\Desktop\✱SatUp\Setup.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exeC:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384
-
-
C:\Windows\SysWOW64\choice.exeC:\Windows\SysWOW64\choice.exe2⤵
- System Location Discovery: System Language Discovery
PID:3880
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3012
-
C:\Users\Admin\Desktop\✱SatUp\Setup.exe"C:\Users\Admin\Desktop\✱SatUp\Setup.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exeC:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAkP9KIK/DuJ7QxdAgWmhx/kd6Q3T4oMw8U96WnZ83YF/E2p6oPkmPzIOwyTaYigPhheSfVaKFKhMRg175Q+pER4WvHuyh/3lhETnZ34IwID9OHQ3UJpAc2wqUm+CQzWVdSjUPzCVTcr7KGZrYCXPO7FzegKd4eiLDCSmU8EmPH3BK4VQJ6tUHtxjWBnmbGLhUjdCSr/q6A4TOfNaGtjP9Ks3O1xIV9Xdpjx2RPfEI2siaNAMdAMs221g009V2lwv0WNXGYwA9EojU1eo3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1844
-
-
C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAnb9OoByDtx5EBcyg4+hK/2n6VHXXYm26aRxHSAn281xwGS9qPAlWcgXjvS8S2WyzWXC1RxHRS0FsVz6RbSojSWJvev04/getomwwDtPz67ufjljOuEVbXJ5XCWdszQdzRqHU5QBStqFnjAhC9GSPQHSLm3rrK75LiGmQeVwMQCxdtjiF5YUz+UBX+8d9zskd5FOhZ8u5e3H5vf0MMufj9R0MOx/mchaWgNswaxmI+k5DtFrhDlxb7fvnmta1hja+bkEeegO/kYziK8HqGii959JvX513Zpujzh0QDA5CUI=3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2116
-
-
C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAn4Jz3x6Akt9GOOZh/+JceWX8bvftt8rH75eUQQILX0GJ7nmscViYtRpj+n0gOA1qrlaB3JpoD9yo6HsPyfJWc7O3LPC+gEE0ldzBohGWA4BSvy5DAXMQCKT1rxAj4VBrewkS/iUKU9NJ/ruPm83GR01wuBpery00rl6HKv2/O2h+8Xgh16Y5zqIjPBASgqnzg16DBONFKWdWJfhiLzf+BOby1AwftGQIOt6GXk2K4Gudtim8NA43BM1P0jvQryXQes3QRxNqJu1kB/x3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1464
C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAkYSoYGCG2V4QPrLgG+X1fsH3x/V6sTd7FY5z3VoCaVyBIcQpepPXM0ResPfcKohiAkQK0zhZ3lVW+KqGmdxyRYOBCOq4rCqv1+ipHd2/vr3GpptXv1vRnkLabKJLyl5YQzQY8T8vBGMD3e0fX+1nUclQJyvsiPiHXHhStZ2bM3Re1XAV+bx6e8w5QIXWuRjYH3EyKnVfxM+cGBfKRwrYLd7h8hUlqzuSXM/U4IG0ZVcJgKqnthP+oQt7G56AlRHwyNds8bE3kg4dqN0g1ybYGcTkqFXyRbS/Xl3OelQCNnqOd+qosnL8VlyIWwqFtcChjEEygiZA2TOJKNW60EafQBvA4QnzNaeem70XGNLquGnIIje/qFI5/4wJ0+GbkYh3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3484
C:\Windows\SysWOW64\choice.exeC:\Windows\SysWOW64\choice.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\SearchIndexer.exeC:\Windows\SysWOW64\SearchIndexer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2096
C:\Users\Admin\Desktop\✱SatUp\Setup.exe"C:\Users\Admin\Desktop\✱SatUp\Setup.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exeC:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3884
C:\Windows\SysWOW64\choice.exeC:\Windows\SysWOW64\choice.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:4916 -
C:\Windows\SysWOW64\SearchIndexer.exeC:\Windows\SysWOW64\SearchIndexer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3056
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵PID:3288
C:\Users\Admin\Desktop\✱SatUp\Setup.exe"C:\Users\Admin\Desktop\✱SatUp\Setup.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exeC:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\installer.exe"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\installer.exe" --d="C:\Program Files (x86)\UCBrowser" --wow-as-default-browser=false --wow-join-user-expericence-plan=false --enable-logging --verbose-logging --v=2 --log-file="C:\Users\Admin\AppData\Local\Temp\inst.log" /s3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:856 -
C:\Users\Admin\AppData\Local\Temp\scoped_dir856_1251\stats_uploader.exe"C:\Users\Admin\AppData\Local\Temp\scoped_dir856_1251\stats_uploader.exe" --sync=http://www.uc123.com/guide/install_blacklist.php?ver=6.0.1308.1016&bid=35151&pid=4601&mid=1a5c5dc8b30f5483455c27bbd36a87eb&midex=1d046889ed4d2ae943510f679df2e1b8v000000249d49d6f4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892
C:\Users\Admin\AppData\Local\Temp\CR_13E03.tmp\setup.exe"C:\Users\Admin\AppData\Local\Temp\CR_13E03.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\CR_13E03.tmp\CHROME.PACKED.7Z" --d="C:\Program Files (x86)\UCBrowser" --wow-as-default-browser=false --wow-join-user-expericence-plan=false --enable-logging --verbose-logging --v=2 --log-file="C:\Users\Admin\AppData\Local\Temp\inst.log" /s --system-level --wow-bid=35151 --wow-pid=4601 --wow-auth-url=http://www.uc123.com/guide/install_blacklist.php?ver=6.0.1308.1016&bid=35151&pid=4601 --wow-customized-theme="Share\customized_theme.crx" --install --wow-install-target-path="C:\Program Files (x86)\UCBrowser" --wow-make-chrome-default=false --wow-participate-eip=false --installerdata="C:\Users\Admin\AppData\Local\Temp\scoped_dir856_1124\wow_installer.prefs"4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4624 -
C:\Windows\SysWOW64\sc.exesc.exe stop UCBrowserSvc5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1792
C:\Windows\SysWOW64\sc.exesc.exe delete UCBrowserSvc5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:4860
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="UC浏览器" dir=in program="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3036
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name="迅雷云加速开放平台" dir=in program="C:\Program Files (x86)\UCBrowser\Application\Downloader\download\MiniThunderPlatform.exe"5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3372
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="UC浏览器" description="UC浏览器" dir=in program="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" action=allow5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3788
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="迅雷云加速开放平台" description="迅雷云加速开放平台" dir=in program="C:\Program Files (x86)\UCBrowser\Application\Downloader\download\MiniThunderPlatform.exe" action=allow5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3048
C:\Program Files (x86)\UCBrowser\Application\UCService.exe"C:\Program Files (x86)\UCBrowser\Application\UCService.exe" --install --start5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3192
C:\Program Files (x86)\UCBrowser\Application\UCService.exe"C:\Program Files (x86)\UCBrowser\Application\UCService.exe" --as-current-user --run="\"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe\" --wow-enable-user-experience=false --wow-make-chrome-default=false"5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3020
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=wow-updater /AddTask5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3692 -
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" /addtask --type=wow-config-updater6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:948
C:\Windows\SysWOW64\choice.exeC:\Windows\SysWOW64\choice.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:1048 -
C:\Windows\SysWOW64\SearchIndexer.exeC:\Windows\SysWOW64\SearchIndexer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3756
C:\Program Files (x86)\UCBrowser\Application\UCService.exe"C:\Program Files (x86)\UCBrowser\Application\UCService.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:924 -
C:\Program Files (x86)\UCBrowser\Application\6.0.1308.1016\stats_uploader.exe"C:\Program Files (x86)\UCBrowser\Application\6.0.1308.1016\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAn5R/B962h7eGLt0YvoZrD+QQdUZsoesBr5m3h8IDTGFJ5yhOcOKAyNpJwjFgFAHVLmKdYBp2PSHo7knqCcJ8SbOHNva+omZCVf788VGCEijSgz/sgWkbyOTPktDjyWlCezEL1yU8fbyJyIXZ28nkys10poDevQXX7my/xT2fD3x+0WQd16g4mmItA2VSnqJRA1qcoWNrNL0WM8e47w/RG+bqyyNfvtgQ+cS6Jg3faOteaLDrozq2GxsS7dQQmPYTLotakFbvivl85ETOL8hKhyZOSFqx/YNA0yGhhc5KMKoGPDUYRAL2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:956
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --wow-enable-user-experience=false --wow-make-chrome-default=false2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:4204 -
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=renderer --disable-direct-write --enable-features=use-new-media-cache<use-new-media-cache --lang=en-US --force-fieldtrials=AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/AutomaticTabDiscarding/Enabled_Once_5/BrowserBlacklist/Enabled/CaptivePortalInterstitial/Enabled/ChildAccountDetection/Disabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DataReductionProxyConfigService/Enabled/EnableGoogleCachedCopyTextExperiment/Button/EnableSessionCrashedBubbleUI/Enabled/*ExtensionActionRedesign/Enabled/*ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GoogleNow/Enable/*IconNTP/Default/InstanceID/Enabled/IntelligentSessionRestore/Enabled/LocalNTPSuggestionsService/Enabled/MaterialDesignDownloads/Enabled/*NetworkQualityEstimator/Enabled/*NewProfileManagement/Enabled/OfferUploadCreditCards/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/PasswordGeneration/Disabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/RenderingPipelineThrottling/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SRTPromptFieldTrial/On/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFrequency/UpdateTime15m/SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/*SettingsEnforcement/enforce_always_with_extensions_and_dse/SpdyEnableDependencies/Enable/StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TriggeredResetFieldTrial/On/VarationsServiceControl/Interval_30min/WebFontsIntervention/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --wow-extension-center-url=https://chrome.google.com/webstore/category/extensions --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --wow-user-agent=UBrowser/6.0.1308.1016 --channel="4204.0.369893011\447528975" /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:5116
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=utility --channel="4204.1.1793040896\577445914" --lang=en-US --no-sandbox /prefetch:83⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:4268
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=renderer --disable-direct-write --enable-features=use-new-media-cache<use-new-media-cache --lang=en-US --force-fieldtrials=AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/AutomaticTabDiscarding/Enabled_Once_5/*BrowserBlacklist/Enabled/CaptivePortalInterstitial/Enabled/ChildAccountDetection/Disabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DataReductionProxyConfigService/Enabled/EnableGoogleCachedCopyTextExperiment/Button/EnableSessionCrashedBubbleUI/Enabled/*ExtensionActionRedesign/Enabled/*ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GoogleNow/Enable/*IconNTP/Default/InstanceID/Enabled/IntelligentSessionRestore/Enabled/LocalNTPSuggestionsService/Enabled/MaterialDesignDownloads/Enabled/*NetworkQualityEstimator/Enabled/*NewProfileManagement/Enabled/OfferUploadCreditCards/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordGeneration/Disabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/RenderingPipelineThrottling/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SRTPromptFieldTrial/On/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFrequency/UpdateTime15m/*SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/*SettingsEnforcement/enforce_always_with_extensions_and_dse/SpdyEnableDependencies/Enable/StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TriggeredResetFieldTrial/On/VarationsServiceControl/Interval_30min/WebFontsIntervention/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --extension-process --enable-webrtc-hw-h264-encoding --wow-extension-center-url=https://chrome.google.com/webstore/category/extensions --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --wow-user-agent=UBrowser/6.0.1308.1016 --channel="4204.2.2145424282\477535159" /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:3100
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=renderer --disable-direct-write --enable-features=use-new-media-cache<use-new-media-cache --lang=en-US --force-fieldtrials=AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/AutomaticTabDiscarding/Enabled_Once_5/*BrowserBlacklist/Enabled/CaptivePortalInterstitial/Enabled/ChildAccountDetection/Disabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DataReductionProxyConfigService/Enabled/EnableGoogleCachedCopyTextExperiment/Button/EnableSessionCrashedBubbleUI/Enabled/*ExtensionActionRedesign/Enabled/*ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GoogleNow/Enable/*IconNTP/Default/InstanceID/Enabled/IntelligentSessionRestore/Enabled/LocalNTPSuggestionsService/Enabled/MaterialDesignDownloads/Enabled/*NetworkQualityEstimator/Enabled/*NewProfileManagement/Enabled/OfferUploadCreditCards/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordGeneration/Disabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/RenderingPipelineThrottling/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SRTPromptFieldTrial/On/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFrequency/UpdateTime15m/*SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/*SettingsEnforcement/enforce_always_with_extensions_and_dse/*SpdyEnableDependencies/Enable/*StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TriggeredResetFieldTrial/On/VarationsServiceControl/Interval_30min/WebFontsIntervention/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --wow-extension-center-url=https://chrome.google.com/webstore/category/extensions --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --wow-user-agent=UBrowser/6.0.1308.1016 --channel="4204.3.1570626021\1327413791" /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:4740
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=renderer --disable-direct-write --enable-features=use-new-media-cache<use-new-media-cache --lang=en-US --force-fieldtrials=AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/AutomaticTabDiscarding/Enabled_Once_5/*BrowserBlacklist/Enabled/CaptivePortalInterstitial/Enabled/ChildAccountDetection/Disabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DataReductionProxyConfigService/Enabled/EnableGoogleCachedCopyTextExperiment/Button/EnableSessionCrashedBubbleUI/Enabled/*ExtensionActionRedesign/Enabled/*ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GoogleNow/Enable/*IconNTP/Default/InstanceID/Enabled/IntelligentSessionRestore/Enabled/LocalNTPSuggestionsService/Enabled/MaterialDesignDownloads/Enabled/*NetworkQualityEstimator/Enabled/*NewProfileManagement/Enabled/OfferUploadCreditCards/Enabled/*PageRevisitInstrumentation/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordGeneration/Disabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/RenderingPipelineThrottling/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SRTPromptFieldTrial/On/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFrequency/UpdateTime15m/*SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/*SettingsEnforcement/enforce_always_with_extensions_and_dse/*SpdyEnableDependencies/Enable/*StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TriggeredResetFieldTrial/On/VarationsServiceControl/Interval_30min/WebFontsIntervention/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --wow-extension-center-url=https://chrome.google.com/webstore/category/extensions --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --wow-user-agent=UBrowser/6.0.1308.1016 --channel="4204.4.933816584\1791673414" /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:4144
C:\Program Files (x86)\UCBrowser\Application\6.0.1308.1016\Installer\chrmstp.exe"C:\Program Files (x86)\UCBrowser\Application\6.0.1308.1016\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --wow-install-target-path="C:\Program Files (x86)\UCBrowser" --force-configure-user-settings3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3388
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=utility --channel="4204.5.537052634\1302400405" --lang=en-US --ignored=" --type=renderer " /prefetch:83⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2940
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=utility --channel="4204.6.1583695217\1606980859" --lang=en-US --ignored=" --type=renderer " /prefetch:83⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1664
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=utility --channel="4204.7.1205344473\663375871" --lang=en-US --utility-allowed-dir="C:\Users\Admin\AppData\Local\Temp\scoped_dir_4204_20805" --ignored=" --type=renderer " /prefetch:83⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4656
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=wow-updater -CEnumUpdateMode:UpdateMode_AliImTimer3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:396 -
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -cenumupdatemode:updatemode_aliimtimer --type=wow-config-updater4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4452
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=utility --channel="4204.8.1351239208\1749826390" --lang=en-US --ignored=" --type=renderer " /prefetch:83⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1260
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=utility --channel="4204.9.491867213\1626980658" --lang=en-US --ignored=" --type=renderer " /prefetch:83⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4600
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=ppapi-broker --channel="4204.10.1769792489\196744152" --lang=en-US --device-scale-factor=1 /prefetch:43⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1500
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=renderer --disable-direct-write --enable-features=use-new-media-cache<use-new-media-cache --lang=en-US --force-fieldtrials=AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/AutomaticTabDiscarding/Enabled_Once_5/*BrowserBlacklist/Enabled/CaptivePortalInterstitial/Enabled/ChildAccountDetection/Disabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DataReductionProxyConfigService/Enabled/EnableGoogleCachedCopyTextExperiment/Button/EnableSessionCrashedBubbleUI/Enabled/*ExtensionActionRedesign/Enabled/*ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GoogleNow/Enable/*IconNTP/Default/InstanceID/Enabled/IntelligentSessionRestore/Enabled/LocalNTPSuggestionsService/Enabled/MaterialDesignDownloads/Enabled/*NetworkQualityEstimator/Enabled/*NewProfileManagement/Enabled/OfferUploadCreditCards/Enabled/*PageRevisitInstrumentation/Enabled/*PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordGeneration/Disabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/RenderingPipelineThrottling/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SRTPromptFieldTrial/On/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFrequency/UpdateTime15m/*SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/*SettingsEnforcement/enforce_always_with_extensions_and_dse/*SpdyEnableDependencies/Enable/*StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TriggeredResetFieldTrial/On/VarationsServiceControl/Interval_30min/WebFontsIntervention/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --wow-extension-center-url=https://chrome.google.com/webstore/category/extensions --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --wow-user-agent=UBrowser/6.0.1308.1016 --channel="4204.11.104166010\1333932649" /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:1456
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=renderer --disable-direct-write --enable-features=use-new-media-cache<use-new-media-cache --lang=en-US --force-fieldtrials=AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/AutomaticTabDiscarding/Enabled_Once_5/*BrowserBlacklist/Enabled/CaptivePortalInterstitial/Enabled/ChildAccountDetection/Disabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DataReductionProxyConfigService/Enabled/EnableGoogleCachedCopyTextExperiment/Button/EnableSessionCrashedBubbleUI/Enabled/*ExtensionActionRedesign/Enabled/*ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GoogleNow/Enable/*IconNTP/Default/InstanceID/Enabled/IntelligentSessionRestore/Enabled/LocalNTPSuggestionsService/Enabled/MaterialDesignDownloads/Enabled/*NetworkQualityEstimator/Enabled/*NewProfileManagement/Enabled/OfferUploadCreditCards/Enabled/*PageRevisitInstrumentation/Enabled/*PasswordBranding/SmartLockBrandingSavePromptOnly/*PasswordGeneration/Disabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/RenderingPipelineThrottling/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SRTPromptFieldTrial/On/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUnverifiedDownloads/DisableByParameterMostSbTypes2/SafeBrowsingUpdateFrequency/UpdateTime15m/*SchedulerExpensiveTaskBlocking/Enabled/SdchPersistence/Enabled/*SettingsEnforcement/enforce_always_with_extensions_and_dse/*SpdyEnableDependencies/Enable/*StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TriggeredResetFieldTrial/On/VarationsServiceControl/Interval_30min/WebFontsIntervention/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/use-new-media-cache/Enabled/ --wow-extension-center-url=https://chrome.google.com/webstore/category/extensions --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --wow-user-agent=UBrowser/6.0.1308.1016 --channel="4204.12.18004746\1915555139" /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:2456
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --wow-warm-up --silent-launch --wow-auto-close2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5080
C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --type=renderer --lang=en-US --wow-warm-up --wow-silent-launch-child-process2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4392
C:\Program Files (x86)\UCBrowser\Application\6.0.1308.1016\stats_uploader.exe"C:\Program Files (x86)\UCBrowser\Application\6.0.1308.1016\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAjZ+3p+yjzheUJaW4gq/UD8g55kZlQAWhmb9BJ8o2bmFwVApNb2rraPBRrJF0CLTVOmYuYBRk6YHq/Z1KOeR4SaOpMvacmSPic9ugUWWNmSjukITsi3LJaO7zRHD7zkdCUygh1zMOAhyX+ut51/dNysFaDYDoldV32EVPZR2LB3xe5Xwd5al5OlAyQ8VekyVRB28HoXle4h0IGTEY9y7rG87F4SNRkruw8/DUhjnH9etms9o4Hn6N7m66qCQxrgpU6gk6QpPV0h2iS9x8uOIL0jInG1Pwb9zmO6IiJpEDUf8t7FGIfCYDZNRfQKmKvj/Hk18isbhFIM9FZztMx+GwFY3xzOv5LKB2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1512
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
141KB
MD5f980ee0aee951b86db85137ec027e491
SHA15ce8ca7db87622ec9bf14adb8e55a31f098fbe37
SHA2561a430c23e1f9f79cb88ef4d532a70dde6aff7dfd03adeae9461b559a7641b8e9
SHA5125b275e299c9bf250a5c3479fb1cf370a648e81dce74833256cfd0bc3c30db557edb363caafb1ff3d3a56995a78c920e2be6c1587177677908c1557e271784f52
-
Filesize
3KB
MD5d8168d458a998ba7ff997e5ba43c76db
SHA1930f783e525a44cf695ed2fdc0c56e331d6862b8
SHA256a35575fd03c30814af7bc6b259f7f51dd75a2c780c6f0ed6602abc55afd2130e
SHA512f74387986dc60a40961420129fb051d37ce7d75a8ec4f02159e53bf2828f25aeab562ee72537abdd32ab19fd25e3df26f9f89a2334c62d23815e44af31c3ccb3
-
Filesize
4KB
MD5d542cd4d121465265415876a13c8e6e5
SHA1e049a1e6202a7e174ff742bfb2a25f0f729edf8f
SHA2560fc53be0beff5dbc4a762c19f983ebd0a0bba8239cd052c3990793de457ccb24
SHA512fcfe6b77aba31a8ea729383653081ff5f8285ad644079e908f4e137db57bc635989332b682f26ddfaa04dcb9d95694a2e40cc4ac47ccad4aafb0f14a42fd329e
-
Filesize
19KB
MD5b86e13d5cc74c8a352e288b3afce040b
SHA1e1a7fdeaa600d019600822906944aa41b8fd60c9
SHA256bba66079d2e41c1494887ae112487719af586f445e8997a6157126b2242111e2
SHA51297d3452c1fd7fff2d23324ab328171026954fe37bdf5d53b6e6acbe0982308f290e5300c393b39b9f22658ed51e982933844a7504b85d75a522b06b5ec4932e9
-
Filesize
2KB
MD5de2786e2dc5852dccde9cc1eee3b7d00
SHA11fecc23e53be721e3e2bd2d6e8d60936102ecbbb
SHA256b2693209b430c72a74e34c732a14ddd99a5efae9c70ab7b367d72a39ca44e9f4
SHA512268e764e457bcd97bc0ea8283394cfabc5ce28792a0ca13ae4d882bbf5893be5d2d3468e17d36d453bcc3d17b0260fa39635a16168698011170340c7805f91a2
-
Filesize
2KB
MD5c6c6cdf8179fd3360e2dd60dc8b3b0ec
SHA1850caf5e4114fcfe18f57e5d82cb83f9ed6485b1
SHA2564e5358357544531a5deb98b8170ce86dddc62d820632fd6341fdc5e2fa7a4176
SHA51208d5ae337ca47e44a8126aff0bc47f3382e131fa34261619097afe5adbda92a7e8d4f77b324b8aa20fd91fed323d2ffeed3be80212bd1912f2e5d7e91439bfdd
-
Filesize
5B
MD5cce16c45e622d9ceae4b626c9353ecec
SHA15a7bd4149d0d34d3ec86181cdab1cb8dd3f441d7
SHA2565c49f88dafe66e0ecdca8f682ae0b38c38ccd3ad464e3358e899beca88c18560
SHA51249bece6ba2cf39624a2947d9660b44c0c0f3f6970e6671b02f2050fb954cef700b3bad782c00b7e3fd196ae541f0d6c684fd0f77704bd9c9d68d35b94e89a755
-
Filesize
42B
MD553e0c922ce631022c07db5045bdf8a63
SHA1baab41405d97bb1081c60e6a65cadd222713f11a
SHA25601c2c1331fa4d99f47f1a03406d2cb4ee5708c9b726f8d01de0474f6aaba60f1
SHA5128558f532fe84798ff824865a8f7b3501b36d92bf6486fec381d9439905bef45ff31e70715f1d4496553a107dfad551555244776616811c70d9364d6383978798
-
Filesize
134B
MD531c6c2ed57a8e0dbe04b0ca40d58cc2a
SHA1d7e087431a0a129ccec8a4ca2d501a8dc2c8314e
SHA256d2716bc430c6eb73e0a4cd3df48de19d4980823ff7ed6b1b3e85969eb26bb67a
SHA512d24d831b4e89130510dd67970f8b3af9127d68ef363b2440c0641347dac8e0290436b8e521c041a06dc421587b0b00a004b54b5153fe3edb65785300ab9d909e
-
Filesize
614KB
MD576df26d9c21bae4902c3a63c85a64888
SHA17684cfa29ce48d13d86e9107ec09acf47584cb3f
SHA2567d97175cfc19ea346d13103fd49a16d3d180f12e669ec8c51ff2bb5bfd60ed0b
SHA51254fafc770d8c69527d84dde3f690900dfdd3eba53362a3d9c2e08ed05e8fd6962edee14fed0dcbeb1a0637900b4f2da544a763c92dd1689d21255c304882ed79
-
Filesize
625B
MD5685a6aff96476d64aee438f547b9dcf5
SHA19e460e1e77fac6db3902415984cd959e466374a7
SHA2561ea4d62e2e85064a7c90f13d16bf941dad81a41a5a4c2758443d2ab2757531d0
SHA5120f7d5e8d7d1b005b23f8bc52896cdea1e946f40d66a1c6d925808da1f95f8b5c3055424a183914a8daa3b7d3a08daba6d5048020f177c3b4db8d76f0b5613446
-
Filesize
2.3MB
MD567434cac886d37cda4ca9940d2bfdad3
SHA159bb1570f257c265c1aef57921a3752b87076371
SHA256e33a1dd217d1d5e9aa852c6b93b2780b5e0201e094839a3233d00e44473d7b45
SHA51270f6e8dbfc9d6ac3c3d7fc2c6eec93e278c5fbeb86545678434a5f650b135725e29e51abcf6b803317a7767d0ed6a52e156a99c766ff2e28a350b80449cfc0ba
-
Filesize
46.1MB
MD51feca07c05340ec8d52a1f6a0ec69cef
SHA1f97809278d61b0c506c3961f26323e3c7ac5121f
SHA256e92992043669325b3607c8a3ec685b1a6c40c91e1c6416cc1d2e0101d236b977
SHA5122cd1ec470f23068ef154cde993c3aaa12034ce666cddf5c40bdf9456835b10ff1eb1661a796107a6117723c6344a13cac59de36aec4d4493f1aacad959756416
-
Filesize
1.1MB
MD5ab1284ff7cf39cb1763d75d895b99c96
SHA1c633d323cb72d262adafb7ea8a947ae421f985eb
SHA25618198db8b533a4f4df8f1a8aa5360c40c7a7b31bc1ecde743e0e797786e55b11
SHA51232a75e4d313fceff9c83896972d5c4deb1a0ad6bddc9db0ccb9bcc8b3b173aeae14820e242a89600eb0c45ecc84909aaf3e85420062ceb15a1ca7af94641505e
-
Filesize
13.8MB
MD5aa9d2979b6ba1783650fe5685ff6554f
SHA1998bd488eeb1c5a662da2cd9e249f57714143b57
SHA256f8b2333fe6b7af853ac9692ecc18c054ab2d299d579812bd259c14acfedc910a
SHA512eb00fecaa6d35de31af30a184a2c3baaa754c8bbf8034e32e0d81b013e46ef23aad4773e5248bc46920cd0bd6945519ccdd9c940327f92d725515974cb4fdb2e
-
Filesize
2.3MB
MD5694227b44a89f01f7cae622235589da5
SHA1d306aba72d68def5b3f57b2cf2851147b7b5b1af
SHA2564a1479b9bb02ec1d756d8bd5913a96f36936ddd6b660a095a212a3da0502d8a5
SHA5126037ad5e82f7ff2ff626e8ae5a451972d904a7f76997f7ec9ccf638eb97b232213c844e8d0a2f7c6ba91b2cad50eb5bd0d84cf2c0449383219fe554849d818f8
-
Filesize
2.3MB
MD5f9be84174b1f71a12a44d320b964dbe9
SHA1cdfdad4941b7c1e85e5c802b32ed3e9528583260
SHA2562ae58a81d684d33e56a90389e77eeade37c2a8c456e9b7236005bd07691a2278
SHA5121478c6e534798ca6d60353706f126a3744768f359c49245c6b2536d35db029b742e266f5745000a7eef1c8f6607b892339cbe287fb828380623fbb8f99dd5160
-
Filesize
2.3MB
MD54e8e6e2af7f5c70bf6ff0cd82784fbca
SHA1632a5a4d307e91a72b77bbb77b2e58717cc51775
SHA256a96b785d905ef12bc03967475ad3491b31057650f2e7548f45c8821127ceb323
SHA5125ab3da6e5c45aa629b4cda69c16ba649395dea2a3163a47db409348ad21db3986e4dc85178929456c43e4833943e2c0d84fd04f54e88ef037294d5d6e4afb9c8
-
Filesize
8KB
MD58caa7a63d5bc62d0bf59d13979dccdf0
SHA1620d889e587f94c3d2a0a85be65a5a6949ae9e44
SHA256b336b52d09eb1820a9e292b26d51514cee5f64450785266b2a1b200501227a08
SHA512f0274abf50814d8626348aaf61b0c8a61d63f794dc528e44d62d7634cb02919c9e1f8555a354e39a57ce9693c1783292dfb5925a0e5d74b2e24d200f3bea83b7
-
Filesize
3KB
MD581738dd3fd05b54caf84d3a93ab3a15d
SHA16dbcbf5e7d89b9555084be6dd39ec8d99289184b
SHA256319828faac8773cf7416c40f27dce079dc2c0dcb39f5c5d89db405c82d62e014
SHA5127c9824b1665f0ab0137b7435c2a3316d229578943d60429e17ecfebec53a57f4bead57e4dbcd64b6cc670fe0cf406fc3f7f738172fc082e64b8777f1564065ff
-
Filesize
237B
MD5f1732baa1efdab3eefb3d95554ce38a7
SHA16744f85ebfb4730fea1e503e6145fc4fc16546bc
SHA25678ecf2c9c0bf1c64ea6eecc655a4e5cf8921f5bf9464b062a6da73905d6e4550
SHA512c710201b5b833e6976a0931aa00a620c519875a3ac58a690d9904479a074a096fd72481ea654fbe1229f098a88a6717c59db4ac8cfb00c7454bdd35bd2a0ecbd
-
Filesize
297KB
MD5432c1d62f0ca83d9905b797aa6ef044b
SHA1287dd42f0d85d30286b7b59584d27a0f1d4103de
SHA25622611504b994873d238e11a93c5bbdbf186eda64f67182dc721100896913d958
SHA512a0f8258f867089bb5a2e913c2d809a078a3ece11d15fbf5c17b52b9470eb0b11250421280cc7178848fbc5a72ef925a5a24fdae98ac6f3cf7b045cad8eec745d
-
Filesize
6KB
MD5665e0ddff92e16e35bcca24fe48149ce
SHA1bfe508c7a7d226caca9a095b00a029a5fa8d58ce
SHA25639dba0c62ca7f75df600b4fa7528d3e2ef7938b8bda7ecb5a42e25fa2fc4a520
SHA512d7f0e381700c98511fa9114ddcb33ef630ef7009a8fd87fb8dcceb85f641a510d1f4511abcf52738faed7bb24b5a2ee637b368311dfdc2114c5602c932d3f51a
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir_4204_20805\CRX_INSTALL\injection\i18n-ebusiness-amazon.js
Filesize12KB
MD5c63906cd61bca7f06b805d6efe7034d8
SHA18f9923f28cf2871fbc7739df3a797be66292fb46
SHA256735bc0c83289bdea77b614c9cd4093df3fce850402f4597c60e068da27df1841
SHA51280120bd9965795c00dbb8a333c517d1d9243ac8d83fe5f3cf87d09f4b0cfb1bf2d261500675151fa662ad544376786aee83e9c1f2ba7395142182e4e73423f31
-
Filesize
44KB
MD5ec202908fc0babdd067cfddc766a557b
SHA13e6916303508d79539693a166e1fcfbb7f1252d6
SHA2564642602ea0dde84c108a91fc09e0ec6fd01fa3b27ea904b1426744ea955124e2
SHA512420c6556e5037e3672f94e75abdac417c6fe36339b989f055d1b5b67b17fbca84f8c3a8ed57d87ab44ddc29eb8bd380f74bfa80505ae54af675a4d7a1cef0e38
-
Filesize
34KB
MD5293c065d74f23d63a2cf569c18156444
SHA17000cfdf2c45497f6f1977fd4bb3fa5d226672dd
SHA256b268e2e13128f26e2a74c14d68e42ba2fd21a49add71ae42d9c79787963ac37b
SHA512abaacbf848fc69b9d99afa093b5f4a1ebdcbb76b27e97cc756384f6ddf564247d42a977ca4fe426597b3996b3dcbef8e373a2b72d3195797e21624805dec3a20
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir_4204_20805\CRX_INSTALL\injection\retailer-auto-complete.js
Filesize33KB
MD5192b060dec4f383455b9c95a495f1a1a
SHA1625b991953ff6ed2ea5192659760f7d4b858f54c
SHA2561807b4c272e88590d272e52903d902f518d1b3f2af0342ef43cec3b9f45ec565
SHA51299e5e0e3a2d2fdc26674108ab4b24abdb66f4838bc40a3a4e3efb22442ebacc5182e392c478c2bee6526dd13af3e64484879578f9b88885b8498f46823cbe8b4
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir_4204_20805\CRX_INSTALL\injection\retailer-install-QN.js
Filesize7KB
MD5560f427408659375b96a8a177ddba729
SHA1806052ea6c6a54937255e1d038482d1068faa33b
SHA2562edf427c524679a45dcd1f9fc9de71a5406c438029a7b5590fc076eb0c8dbc5d
SHA51233a9b5d3f1e40ba2d799abba221aaecbeab628723e47dc4598e35c7481db17ed8f3fe988348a567235e686c4bb17128657d78c1015ac82f00893d4015560445c
-
Filesize
7KB
MD5211646f8d3ad85a9132d9f8bf0fa02a5
SHA1eba961da53df32d86fc46cc65964767cf85bcf5a
SHA256b3f14984de69d19775c6fc94d1b8398ff681b77658fc044837a859ee6095de04
SHA5124fc456a55292bf54f2b5471c0add63086d0fd998142e96dd5d46f6eaa795d4ba45a1e412da1eead904e46dbea3cede92c8f4ddbf241d68f23305650dece7720d
-
Filesize
4KB
MD516394d1858a118e0096115f278ecc034
SHA191bad49932bab5b948cc91a703771350df7da65e
SHA25638d8eb1f1bd1c3bfc85a9df9a6405e93485dd6a1b3b341980f0e3770fe8bb826
SHA512352c4f60862f0c3737ff29dbee85d51f65867824658716705444e7c086ad2a1eeed69ae5e81522d64070d0b88c3a1ac6dbfafc6c31a76fb2911da90d67ee0aba
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir_4204_20805\CRX_INSTALL\injection\video-download-youtube.js
Filesize7KB
MD54a7e8c7784f1442f6b18f14d2688af9b
SHA12e951a0bff80f43a2f1b4c78abb79a2c560df239
SHA256b56a5036d12e6a3743ef70151f68262d11e936ea667f528f6e45d2829c8642db
SHA51247499d780127265280b47efca0b3a23c846640c8b78bcf90a1ac95a2f7acc94d87cbdf2ac2a94013208a866beea26212056d97523b7811910cb764cbe9c5de15
-
Filesize
7KB
MD5a87a7af79016978654e25f3555ebf8f7
SHA157e5c3b45344f7c3f887043c031d1c675a76dede
SHA256cc81c94617c61044ad114bca63db0054165159ac992979907a73583a57487ce9
SHA51251ea0fee40c41c2294c05b59efadc8f8ab91444f7544c4583de1943fd161860a731c23a8c7c38d9b0d263b288de66739fa50c11f871f4b6da0f7fef2ae154e43
-
Filesize
79KB
MD5bcedeab88530d3d01d05c987287e3594
SHA1430f75d9272cf0334f89e21a92c1a2ded43afa07
SHA256a33baec85cb90db0432074d4a014f939e08c26d9f6ddf883fd8cbaa54369bbfe
SHA51217f4f4b04bb7b2d5a84cc3078d28eb3e1ba78773dc33dc08f567c7fca5c35f53327143ea1f6a69e0f4c19ab1e89f5e070a316f81a7e7572be77c12bbe1fa5b69
-
Filesize
25KB
MD58c486b651fe04ce3d00e4765103d4c94
SHA101e7bdb67c1d4eb6cac81178735ce84f9586878d
SHA2567ac9c402a2b2d61354050055cf67f8122e418fb0c29abd1e7c0f6727e0b54f9c
SHA512c90edfe6b4ff6bc2c2ef5218b68ee14c17dc48c586e2b3204ee44384ea4327046c1b5f0bb6d1f7d378bd1b9d48551c5e687362375195f6c35b8317b8f3ba97b2
-
Filesize
7KB
MD528581f5cc2e94f968e9cce043d488ace
SHA10534efe8e56ce57c4b14240140269a307747995a
SHA256044db6a5a520a93afb18491fe59db78dcf9cae2f6e22cf5f5088d83fb4b3f097
SHA51232a3aa867a2b83440b77712b883f8c46d6b4d3ad2b909372104781203f48cce178d58fe785893fb0932baa78eed806866c832c3d053d0b1dc65ec51deb4f628c
-
Filesize
45B
MD59097da8bbbe336e6ce2d3a7ef27dc691
SHA1d9d5e7facb1f5e4def47bb1c894d9a8658a36661
SHA2560431cb9d385971fe33aa99cde1b609ec516a439b6f71d1302122b07c4b0d5ca3
SHA5122944c74b0aed554ae1818262dc551e5a88b980b5b32fe861564e5065a6c972adddc914d47237983bf14419cbacacf582bbff5c6a77b2728d00f122b9ba8abc09
-
Filesize
467B
MD56604d1a60773dbf1afcdd641ef182ef9
SHA122e8cbdb116ee8afd9631b861be13d182307f75f
SHA25690a0923c7bc28b3af718a4b688cb41cf694b7c72e2d1df7105c693beaf1f8fbe
SHA512138ddf85a8e54496c6d633826f70a597d2e685bd6e08423bfc444fb34d8ff790d92607cdad2477197bb8038999fb35bf771972217aa082fd5f52ed67807bb9d1
-
Filesize
3KB
MD5eecd027dd4b571dab0df03d7153bb206
SHA1aa44781e6e82175fe303c2a23add73e5e3eb0b9b
SHA25601bd3b2a364e4dde0caa57a6d2137ad27b41547e243159652064a07b12565ce2
SHA512712d3b0678c25a3c13b6b657534e2671e9ae21b7bb391f734375502f76693a92eb90f5504776769ea647e4e2a592368a456537bdd100d4ba43bec3d8f622272b
-
Filesize
9KB
MD5a309c463a580bdd670ea6789d0939713
SHA1472c5ddb448d0c2d093c2606eb10dc0ebdf0a5bd
SHA2563b5aa92ecf98d4fd3769abfbf5ebba8e849029c1b53fc791f2d70eeb1ac38fcd
SHA51229de18c99e86dd8264fe636cb0d45857b1c5b83402b1344c3bad88edbc3783cfd99019562a200ff99f90d6f835d246eb8ec7a5257587039df97f40d412e49cc4
-
Filesize
8KB
MD50881a8916609980018797697238e8a56
SHA18f2bf6ab2a066045f19826e503c9923c14787c12
SHA25676043af9b7b432e40cd38de23ddfe72c7795273b5fb2701b9bfe70fd9992783f
SHA512f834fcab638cf529c211a1aed6278a851a3c130d84de6574568612870d51f939bfa9588fa535d0ffb36cf6ee29ab2a1306f6c396266b2297d34ba901f21b753c
-
Filesize
5KB
MD53fd9ef588b8be66f28cad0e29ce9ea35
SHA1a2b2aad6b18ca8bf421a71c30191be12fe297cd2
SHA2562b14d0a82d373dfce90322deb0723aaac227e391ae3dccfac64ea38fc30fb096
SHA51232ce644254106cc306b1248666e57350dcca5db040d9ff9c4a735f626b7e69db655b541dc3ead3e22d7990c69aeb8886134162fc30d56320b696ae1bc656269d
-
Filesize
48.6MB
MD5fbec985463163b7b33229f524758c6ef
SHA1ad93610ce37ed0eb56d1c8411a154dcecec4b459
SHA256d540a4aaee8eb9dbdaf9dd7c613b8a2ab1b0f3de8f44392d3db5d1095bc427dc
SHA5126bf604a11952c834a70b07977e28ff5563808b807ba1177c766e287d80dd3a586769134e0247ec9dc16d3f7ef0379f37a70c366b2848d00173eeccc0e6a3489a
-
Filesize
654B
MD5632fbb87464786d29f33b9246d675f06
SHA12309a93ab04ce1f0e07c1db09ad5dbdf6281a349
SHA25632e01091480eddd9e3f235ed407547c9f2c5883aeaa2b05b4b59e23526d4633e
SHA512a91c5723b0d00545da93d3c7e8ecc1ba8713dffee96edc653ae24256b947383c5e2574034bd611d544370b40c90e25b7cf61c362e77daa199f3b87379fba523b
-
Filesize
338KB
MD5efdbe75dfe959d5eaa84334d4825adc2
SHA19c7655a1052c2ce0d2e0b9571885e9c898dcb5cf
SHA2565ef424188b952c5aef34f508b13cf422d4c22e1476c3330ee3b729082f7116ee
SHA5124b6ce786ba90635d51e82c4dd7dede3394b5c0f19c394ebc835e182f0d8fd8c898a581b388bb23e348cc0744925b8352bfa3e683d193c5355849c89db9eaea35
-
Filesize
28KB
MD54de14f78f1d5ff3f3cc36370b26dc17e
SHA1ceb6323da4f11efccfbe59a8d504856bdc13c8db
SHA256c86ae547d592ee699189c9571f1d87427a2df2d48ba01fc2367bbc0eaa79aaa2
SHA512946aa2feb65dcaa9d0e391c220cd893e08dd90ae1e0a9ea2877a073434809929b9e9fde4b10f8711545ff6f0df274741168cb9dfd8630d7356fb9c192bb4371c
-
Filesize
10KB
MD51eda594f620319abe6b2abb14fbd1879
SHA1075caee8f910386c5d97033ce493fd5ff033382a
SHA2568135a068e646221b9b6611171f7b28348aa3e2277b49d7682c10d7958306504f
SHA512245f9d5026bf6054a225804dd036c3f68bdd8b819b9ac5d07abc358f37721a032573490f8e930e23e97c8f1e94bd605bd9a221570828a1d3752a844a9e11bf78
-
Filesize
641B
MD5aafc31bdfeedf1fb002daeaf9062ba94
SHA187e820d7805d1a9c9960039593bd7495d5e6bb9a
SHA256d53bbf92b346c10a76d6f6739f4d4c04882ac34a83c1bb2a6e59ec6f1c42f2a0
SHA5126ac6d83c801f3756ebfdff11e2f7aab7e29b6b84115a14aa4f3b148e97c25e1f55fee172f65a25fcfc49aa96bfeb0423715a4fcb536e80d74becf904caf11acf
-
Filesize
6KB
MD523ab63724a7a42a77b67c74a2ee4602d
SHA1be03b0c4832d6bab93b0655998c2af8a14bc497f
SHA2562906ccea44b4e713656304c837f92fc708fba4bafb5a79780987cb9b8e83688f
SHA5122f9a287f76c6b1bcd794e8e59a4bd1e50b562011edc0d2734605551f0b371c8667415bc716825584843955e27eb2e0f0af62ff1e84196e0dbdbac5d336be84a4
-
Filesize
959B
MD5cc5f2f0f099f656586332f32ab8df38b
SHA16356617ddbdb4e6d6071b92436f948e393d47b3e
SHA256531c4f1d3f79f7bfc0140681301c12a69d43e7568c9d6bea0de673e4d460acf4
SHA512f1269a512a7db4f2a4c08dae5b9bbba9504c3f795fae3c96330a908aff157628871404de15a868f543d009656325607be1b6bc62ef14ac5b153a978922f437f0
-
Filesize
6KB
MD5928d5307cf725c33b23ce48ad87b1a49
SHA11b4952495c8590a682d3277d1b141066d1d09e01
SHA2566a7ff2c8987a47745910b9e4429ed9fe5a036aaf0fdf0ed7869bd8570afabd6e
SHA512b5fb5b378c86f1cd191517221a0e65d51c017d90c2feed9701eb8b1e2d4dac2353062dcbc7298d1d9224005f99ce58c7171d5d17e03163bf8bc16753be780b91
-
Filesize
7KB
MD5ea9530fa97fe6651894ea343022c6586
SHA1a91832be098649f707eb8f5ce6c31beaa05f743e
SHA25614e0178cf703fa3dbd016019ae7a6f6718f6debb96c348591591260c9ad7b56b
SHA512adcea8146db2ad2f05cd69aa334f56f987b8b96e2af3467201517278f57ca763d91c76b2c0931c293dd57dae998b7a37e97f51c87ff0cf90f3aa3121e8b83e94
-
Filesize
959B
MD583f91395b3fff51f12d44add5132f189
SHA1f3353817c2e6fe6ec334840c5358c98db880f148
SHA256a7dbc8421ddba717f609d4c5dfd5e8c9b40dc87ef6b1a25c8a5a50187f22e872
SHA51230c61b69aa043f7fee2599df1af7c134d0bbaaadce7d3a05f1bad5b00a23239437f36da301a39558bdea658eae05c2e707b3450fc61bc36092b301917a17524c
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
6KB
MD555e15ac07dfacd7b56f04bdd0e42d300
SHA1336ebca758cb05ff72fd767d4b93078193f25cae
SHA25661a92fb885dd07227afb5c907b073092793c630e51891744e7e6936946cce00d
SHA512720383c0e379ba701af194e1fef759ef59619b1a8e956dfe66f0e3ec67a2b2ca4433488ef3abaeb3c2ed47e061e7c0732fbcfc946cc7e694bab8b82afa4f5b7d
-
Filesize
2KB
MD533ed14f93928d35a97d57226fc1e081b
SHA145ee9ab56a526c0ae450fe1e657333afb72c5553
SHA25659bf13a635169f5048faab3c6b5373a702ade59bd3b0ef27c06c441b0ec18907
SHA512b4310fa59135a423291ea355b7a187b4e5d6c5f8ccc3bb55f23314d311b5c0e0f65c6bdfc8acee17fbb9075514dd4e20696a8b842dd21efd91f356a87ab97c51
-
Filesize
323B
MD50d285bb29df4b88a944573b649c98e6c
SHA1e323ebe13a06bfee1e3880ab798639a8fac70db7
SHA256dda757a43e8f0e7de2a3cd29932e2e47af1108c8fb56e1eae8705449b38f19cf
SHA51261f0815a07467f977d470976af02f5e4f037f71bedf3b9c9d19f9f012a66dd3b363c454746d2b91db80a4839edc0e358e7999c37387cdaeeaefb64f240b5d2bd
-
Filesize
10KB
MD5646f018f0b22ca48bb885e0f4d6cfe6f
SHA1ea7f80241f6ebe00e7cef6aaacaa172e9123b895
SHA256a93093f2670b1b0452647af9a65e751b7eeaf79681f4ad5558358c8f28673c06
SHA51230f8df76bd4bf443c08c071126f287a6b6c66579c4d9619aba26a46050e2caeb4372cc7a7235b9b6bec8212557a72170a85e419c47f0866332ede712f887510c
-
Filesize
45KB
MD5989cab5415e22e78cabf01730b41b211
SHA1d8cf7e68568250714632ba03fb7c9a2b93b8a5d5
SHA256c26a95db49b8202d48b495d29f6e07a462cacb6422e4d7aa2a02be3be6a657e8
SHA5121925f961d30b9e6da9e0c653b79e878e61009a2aa44573286ecee5b3c56ca8558995db8abca4e7b58d7542b21f856479c71f65e9726367faee08bb6f98a4a224
-
Filesize
1.3MB
MD5649215a7c140fa697740693cf915d088
SHA1035ccb917c7be1ba40ccdad606ca3c67d127251e
SHA256297bcec264323cd1d6de6286cfa69a572e92552df5a3347856f8bcce8d3e9eb1
SHA512ec123a7f9af0926956d41bc002546a18b7b8b776fd11332f351eac828ac7ec02497f76351f2f5c026075746156583100287e09010269257dcd00cf70fa5a003c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a02f79565c3d1e58.customDestinations-ms
Filesize3KB
MD531da309d76b45965430b32fba1416dd6
SHA13f979d7517e12f46ef7ef768932cdbfe67a1145f
SHA25686055f05319488ec16f6b45fd78ced1475ea89e342bb8461ca258ba470956de9
SHA512ea32115bdab4eb6d1af4ecc5265f6982f4f23a2d6d949a4bdd7360cdd4a6cb3615273e0786d7380bac243253974c2c327fc2dc0af16df4ab4391ade8b73dae1d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a02f79565c3d1e58.customDestinations-ms
Filesize3KB
MD5136b3d76d6235c4e966eb2d6209af2d5
SHA1f77294d6ca3759679938e94a80f002cbcc07a47b
SHA2566c717ed8c688193d13f381247cb485eebaff7a441f1b717c5039abca3c6d2b3e
SHA5125c2d3395575764b8dde9cdb2b63c4134ae2792d7c81787cd6671f4a35debb4d75b06cfb025b58fcb703268c346349f6ca7335a52c13c57e552d345c37bdc4542
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a02f79565c3d1e58.customDestinations-ms
Filesize3KB
MD577c62ad22ca3e4b619cd43a2daa8e46c
SHA1f24a22eed3b8eda9206ce81c4d27c2a6661f29d1
SHA25656347ea1f956e33d65cdb8ce487f99355eb77bed32852667c33d3fcb0d7e891c
SHA5128993df312c2bf24d63e43fd15c850548c63378317c3efeba3609257820170eb73c53d00fa90a45250dd407eb970dda655023afae94dae27a1b747baf7d63244b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a02f79565c3d1e58.customDestinations-ms
Filesize3KB
MD56277885d3afbff9478b5ac4507ed8c44
SHA1a113dd03aea3ddbd2ceff0c220152dbd137ce0fb
SHA2567eb1e744dd1b09283a3643b2f601c8c16fb7f392747c61757410bb07a73b522a
SHA5129db215d255e1cfd92582237ac7838cf03e72beb9711cdbaa395b1c6136421485c5995b5108f21a48de11f11e372c014de2a7a4838b4507d174a96eecd09bd949
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a02f79565c3d1e58.customDestinations-ms
Filesize3KB
MD55c4cc292f58f746bed3e0adeae8ee64a
SHA1bf0581c5a180fba96dd1c26adfd51170f38517ad
SHA256e5cce7f38fcf60173712a6d44258422d1a2f8c79c8b34759b2d7af76d276a7c5
SHA512509199fb0090b75520fb595eef54e59360062a09fa6bb5437f981f1ff13d94835888f28f55d50a97670b71885fd8a0795d1d40f7931e4e017d2fb54448299471
-
Filesize
8.3MB
MD5b43b96e4483dce09976dc250f87ecf1a
SHA14290076db1e87a46b73e8391186025f1f5b492bb
SHA2565eaf95ad5163607ea220e439f13e58ae1bd9b408d94e06d5d721e8daca911c12
SHA512383b723d2d547f775a661bf6990e834b0233849822c7cbc3f0aaf0f276b1c05b0f7bde754dae3da133f7a8aae669b31547889495e5370a6617c09a2a3b61c438
-
Filesize
4.3MB
MD58057f67de20331fb5dad3fd9486b01c3
SHA1067e470192707b8f5eaa757bf4b121c94d505795
SHA256fcbc591306dc6e4840de82372886428dd2260af4f9b7fe8494510aa1a80761eb
SHA51268dedc7e5ba8fa16f18ded8ef811a41ecd9441639181b0a6e0854db96c7c0e35abe088c8409f226a42f3beb85139fbf67cd9de1c02325701a7482ac7fb6bd372
-
Filesize
9KB
MD51dcb5f7d98dfde582cc231c480eba329
SHA1dc41a04034450908423f4ac8f73cf6389f6dd084
SHA256c89abb0b00fd5a442b8a147027d3881b348974bf38298f05f0debaebca7fc16e
SHA512f2482f55ea6601bfe5fa0530fd3bbf2231c1d8e3355fada10bb57cba1ffd1bc8b43618e491d55bd317b6b0a74377b96da411961f53f7f4b28a35cbbca9c193fe
-
Filesize
1.7MB
MD552a7086c19ce28806ac2d68e63f87398
SHA181a522f4cc6bfd65a4501f5616727393d8ad9962
SHA2566ed145c01f07a8aff4f6c293e899e5ff7a140648dd8a9e5f24a08710c7b0bad8
SHA5121c4976dabd1a1582a35765d9f447ef2b51d9800469bdde1bdc4441d451e3f4a1dcbbaf4099b04078c4d9a682a92b61fe9f5f99c6509fb32069d125cc6a59f348