Resubmissions
14-11-2024 23:57  241114-3zzkpavhpf  10
14-11-2024 23:44  241114-3rj52avgna  10
14-11-2024 23:36  241114-3ln7ssvjfs  10
14-11-2024 23:24  241114-3dnajayler  10
14-11-2024 23:10  241114-25qpastqgt  10

Analysis
max time kernel: 139s
max time network: 204s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 14-11-2024 23:57
Static task: static1

Behavioral task: behavioral1
  Sample: 4363463463464363463463463.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 4363463463464363463463463.exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: 4363463463464363463463463.exe
  Resource: win10ltsc2021-20241023-en
General
Target: 4363463463464363463463463.exe
Size: 10KB
MD5: 2a94f3960c58c6e70826495f76d00b85
SHA1: e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256: 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512: fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP: 192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config

Extracted: redline
  TG@CVV88888
  185.218.125.157:21441

Extracted: phorphiex
  http://185.215.113.66
  http://185.215.113.84
  mutex: Klipux

Extracted: stealc
  QLL2
  http://85.28.47.70
  url_path: /744f169d372be841.php

Extracted: phorphiex
  http://185.215.113.66/
  http://91.202.233.141/
  mutex: 753f85d83d
  user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted: stealc
  penis
  http://185.196.9.140
  url_path: /c3f845711fab35f8.php

Extracted: gurcu
  https://api.telegram.org/bot7673498966:AAE8RwQQVWIce7zc1tvOHxg7_EravC7Vqis/sendDocument?chat_id=621271611
Signatures

Cryptbot family

Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer that is widely distributed bundled with other software.
resource yara_rule behavioral3/memory/2044-488-0x0000000069CC0000-0x000000006A71B000-memory.dmp family_cryptbot_v3 -
Gurcu family

Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" sysvplervcs.exe -
Phorphiex family

Phorphiex payload 2 IoCs
resource yara_rule behavioral3/files/0x00290000000450b9-70.dat family_phorphiex behavioral3/files/0x00290000000450e8-238.dat family_phorphiex -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
resource yara_rule behavioral3/memory/572-95-0x0000000000400000-0x0000000000450000-memory.dmp family_redline -
Redline family

Stealc family

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs
description pid Process procid_target PID 4144 created 3716 4144 nxmr.exe 57 PID 4144 created 3716 4144 nxmr.exe 57 PID 2496 created 3716 2496 winupsecvmgr.exe 57 PID 2496 created 3716 2496 winupsecvmgr.exe 57 PID 2496 created 3716 2496 winupsecvmgr.exe 57 PID 2556 created 3716 2556 3154139472.exe 57 PID 2556 created 3716 2556 3154139472.exe 57 PID 4436 created 3716 4436 winupsecvmgr.exe 57 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sysvplervcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" sysvplervcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" sysvplervcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" sysvplervcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" sysvplervcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sysvplervcs.exe -
Xmrig family

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ lum250.exe -
XMRig Miner payload 16 IoCs
resource yara_rule behavioral3/memory/2496-64-0x00007FF7F71E0000-0x00007FF7F7777000-memory.dmp xmrig behavioral3/memory/1736-78-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/1736-168-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/1736-179-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/1736-195-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/1736-241-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/1736-289-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/4436-321-0x00007FF6F3CF0000-0x00007FF6F4287000-memory.dmp xmrig behavioral3/memory/1736-377-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/1736-442-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/1736-483-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/1736-486-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/1736-500-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/1736-551-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/1736-2440-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig behavioral3/memory/1736-2442-0x00007FF784450000-0x00007FF784C3F000-memory.dmp xmrig -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 32 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8F5D9E08-71EC-370E-BA96-36E6EF916DF2} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active 
Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Active Setup\Installed Components reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} reg.exe Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FEBEF00C-046D-438D-8A88-BF94A6C9E703} reg.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 2308 powershell.exe 4672 powershell.exe 1596 powershell.exe 3920 powershell.exe 3416 powershell.exe 1988 powershell.exe -
Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{000C10F1-0000-0000-C000-000000000046} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{6078065b-8f22-4b13-bd9b-5b762776f386} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 
1\CryptDllDecodeObject\#2001 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{6078065b-8f22-4b13-bd9b-5b762776f386} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllLogMismatchPinRules reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 
0\CryptDllFindOIDInfo reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{6078065b-8f22-4b13-bd9b-5b762776f386} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation\DEFAULT reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41} reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{DE351A42-8E59-11D0-8C47-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} reg.exe Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptsvcDllCtrl\DEFAULT reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004 reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2 reg.exe Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41} reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} reg.exe -
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid Process 4976 chrome.exe 3892 chrome.exe 4020 chrome.exe 2496 chrome.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion lum250.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion lum250.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation 4363463463464363463463463.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation sysvplervcs.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation 1186626615.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation 2357524481.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation DeliciousPart.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE 28 IoCs
pid Process 4144 nxmr.exe 2012 svchost.exe 2496 winupsecvmgr.exe 228 s.exe 4560 surfex.exe 4840 sysvplervcs.exe 1380 3210330757.exe 2316 1186626615.exe 3044 1320819612.exe 2044 random.exe 1308 343dsxs.exe 4864 pei.exe 2548 3081912714.exe 2988 819525829.exe 3948 sysnldcvmr.exe 2556 3154139472.exe 4436 winupsecvmgr.exe 2544 337141775.exe 3636 softina.exe 4408 whiteheroin.exe 4928 2357524481.exe 1564 lum250.exe 1756 2696613756.exe 1548 DeliciousPart.exe 3900 crypted8888.exe 4860 hell9o.exe 2148 56612674.exe 4900 Faced.pif -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Wine lum250.exe -
Loads dropped DLL 1 IoCs
pid Process 4408 whiteheroin.exe -
Modifies system executable filetype association 2 TTPs 49 IoCs
description ioc Process Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\lnkfile\shellex reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\lnkfile\shellex\ContextMenuHandlers reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} reg.exe Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command reg.exe Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell reg.exe Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sysvplervcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" sysvplervcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sysvplervcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" sysvplervcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" sysvplervcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" sysvplervcs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" sysvplervcs.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvplervcs.exe" s.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" 819525829.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" hell9o.exe Key deleted \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 30 raw.githubusercontent.com 31 raw.githubusercontent.com -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 4092 tasklist.exe 1988 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2044 random.exe 1564 lum250.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 2496 set thread context of 1104 2496 winupsecvmgr.exe 102 PID 2496 set thread context of 1736 2496 winupsecvmgr.exe 103 PID 4560 set thread context of 572 4560 surfex.exe 107 PID 1308 set thread context of 2624 1308 343dsxs.exe 137 PID 4408 set thread context of 4524 4408 whiteheroin.exe 155 PID 3900 set thread context of 3676 3900 crypted8888.exe 169 -
Drops file in Windows directory 9 IoCs
description ioc Process File opened for modification C:\Windows\ChapelSpoken DeliciousPart.exe File opened for modification C:\Windows\TypesCroatia DeliciousPart.exe File created C:\Windows\sysnldcvmr.exe 819525829.exe File opened for modification C:\Windows\sysnldcvmr.exe 819525829.exe File opened for modification C:\Windows\BasedBrakes DeliciousPart.exe File opened for modification C:\Windows\CiscoHarder DeliciousPart.exe File created C:\Windows\sysvplervcs.exe s.exe File opened for modification C:\Windows\sysvplervcs.exe s.exe File opened for modification C:\Windows\MotherboardLooking DeliciousPart.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 2044 sc.exe 2552 sc.exe 1972 sc.exe 2944 sc.exe 1304 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh reg.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh reg.exe -
Program crash 4 IoCs
pid pid_target Process procid_target 4252 2044 WerFault.exe 130 4052 2044 WerFault.exe 130 3940 1380 WerFault.exe 121 1304 1380 WerFault.exe 121 -
System Location Discovery: System Language Discovery 1 TTPs 42 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | reg.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | reg.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | reg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | reg.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | reg.exe
Enumerates system info in registry 2 TTPs 64 IoCs
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | RegAsm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (binary blob omitted) | RegAsm.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3328 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: SetClipboardViewer 1 IoCs
pid | Process
3948 | sysnldcvmr.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3716
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4144
-
-
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
PID:2012
-
-
C:\Users\Admin\AppData\Local\Temp\Files\s.exe"C:\Users\Admin\AppData\Local\Temp\Files\s.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\sysvplervcs.exeC:\Windows\sysvplervcs.exe4⤵
- Modifies security service
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4672
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2044
-
-
C:\Windows\SysWOW64\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2552
-
-
C:\Windows\SysWOW64\sc.exesc stop wuauserv6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1972
-
-
C:\Windows\SysWOW64\sc.exesc stop DoSvc6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2944
-
-
C:\Windows\SysWOW64\sc.exesc stop BITS /wait6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1304
-
-
-
C:\Users\Admin\AppData\Local\Temp\3210330757.exeC:\Users\Admin\AppData\Local\Temp\3210330757.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1380 -
C:\Users\Admin\AppData\Local\Temp\889914022.exeC:\Users\Admin\AppData\Local\Temp\889914022.exe6⤵PID:952
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122887⤵PID:3696
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 14326⤵
- Program crash
PID:3940
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 14326⤵
- Program crash
PID:1304
-
-
-
C:\Users\Admin\AppData\Local\Temp\1186626615.exeC:\Users\Admin\AppData\Local\Temp\1186626615.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f6⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f7⤵PID:252
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"6⤵
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "Windows Upgrade Manager"7⤵PID:1520
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1320819612.exeC:\Users\Admin\AppData\Local\Temp\1320819612.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3044
-
-
C:\Users\Admin\AppData\Local\Temp\3081912714.exeC:\Users\Admin\AppData\Local\Temp\3081912714.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\3154139472.exeC:\Users\Admin\AppData\Local\Temp\3154139472.exe6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2556
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\surfex.exe"C:\Users\Admin\AppData\Local\Temp\Files\surfex.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:572
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\random.exe"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2044 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
PID:4976 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffbbbf5cc40,0x7ffbbbf5cc4c,0x7ffbbbf5cc585⤵PID:4380
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,14438500193528549902,17351070872354431004,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1940 /prefetch:25⤵PID:232
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1728,i,14438500193528549902,17351070872354431004,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2168 /prefetch:35⤵PID:524
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1300,i,14438500193528549902,17351070872354431004,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2208 /prefetch:85⤵PID:4756
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,14438500193528549902,17351070872354431004,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3136 /prefetch:15⤵
- Uses browser remote debugging
PID:3892
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,14438500193528549902,17351070872354431004,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3152 /prefetch:15⤵
- Uses browser remote debugging
PID:4020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3652,i,14438500193528549902,17351070872354431004,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3176 /prefetch:15⤵
- Uses browser remote debugging
PID:2496
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 10204⤵
- Program crash
PID:4252
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 9564⤵
- Program crash
PID:4052
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\343dsxs.exe"C:\Users\Admin\AppData\Local\Temp\Files\343dsxs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2308
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:4136
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2624
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4864 -
C:\Users\Admin\AppData\Local\Temp\819525829.exeC:\Users\Admin\AppData\Local\Temp\819525829.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\sysnldcvmr.exeC:\Windows\sysnldcvmr.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: SetClipboardViewer
PID:3948 -
C:\Users\Admin\AppData\Local\Temp\337141775.exeC:\Users\Admin\AppData\Local\Temp\337141775.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2544
-
-
C:\Users\Admin\AppData\Local\Temp\2357524481.exeC:\Users\Admin\AppData\Local\Temp\2357524481.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4928 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f7⤵PID:2520
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f8⤵PID:3604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"7⤵PID:868
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "Windows Upgrade Manager"8⤵PID:1484
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2696613756.exeC:\Users\Admin\AppData\Local\Temp\2696613756.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756
-
-
C:\Users\Admin\AppData\Local\Temp\56612674.exeC:\Users\Admin\AppData\Local\Temp\56612674.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3636 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"; Add-MpPreference -ExclusionProcess "softina.exe"; exit"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2308
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\whiteheroin.exe"C:\Users\Admin\AppData\Local\Temp\Files\whiteheroin.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4408 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4524
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\lum250.exe"C:\Users\Admin\AppData\Local\Temp\Files\lum250.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1564
-
-
C:\Users\Admin\AppData\Local\Temp\Files\DeliciousPart.exe"C:\Users\Admin\AppData\Local\Temp\Files\DeliciousPart.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Tall Tall.bat & Tall.bat4⤵
- System Location Discovery: System Language Discovery
PID:996 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:4092
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
- System Location Discovery: System Language Discovery
PID:228
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:1988
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"5⤵
- System Location Discovery: System Language Discovery
PID:2664
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3498775⤵
- System Location Discovery: System Language Discovery
PID:4628
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "ORDINANCECHILDHOODCONVERTENDORSED" Booty5⤵
- System Location Discovery: System Language Discovery
PID:1168
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Norwegian + ..\Mysql + ..\Tours + ..\Awareness + ..\Picking K5⤵
- System Location Discovery: System Language Discovery
PID:5116
-
-
C:\Users\Admin\AppData\Local\Temp\349877\Faced.pifFaced.pif K5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4900 -
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /create /tn "BioMind" /tr "wscript //B 'C:\Users\Admin\AppData\Local\BioTech Dynamics\BioMind.js'" /sc onlogon /F /RL HIGHEST6⤵
- Scheduled Task/Job: Scheduled Task
PID:3328
-
-
C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe6⤵PID:5372
-
-
C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe6⤵PID:5832
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 155⤵
- System Location Discovery: System Language Discovery
PID:2284
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted8888.exe"C:\Users\Admin\AppData\Local\Temp\Files\crypted8888.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3900 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3676
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\hell9o.exe"C:\Users\Admin\AppData\Local\Temp\Files\hell9o.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4860 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD4⤵PID:868
-
C:\Windows\system32\reg.exereg DELETE HKEY_CLASSES_ROOT /f5⤵
- Modifies system executable filetype association
- Modifies registry class
PID:4332
-
-
C:\Windows\system32\reg.exereg DELETE HKEY_CURRENT_USER /f5⤵
- Boot or Logon Autostart Execution: Active Setup
- Manipulates Digital Signatures
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
PID:3900
-
-
C:\Windows\system32\reg.exereg DELETE HKEY_LOCAL_MACHINE /f5⤵
- Boot or Logon Autostart Execution: Active Setup
- Manipulates Digital Signatures
- Modifies system executable filetype association
- Event Triggered Execution: Netsh Helper DLL
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:3524
-
-
C:\Windows\system32\reg.exereg DELETE HKEY_USERS /f5⤵PID:5760
-
-
C:\Windows\system32\reg.exereg DELETE HKEY_CURRENT_CONFIG /f5⤵PID:5748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD4⤵PID:5740
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"2⤵PID:2244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3920
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:1104
-
-
C:\Windows\System32\dwm.exeC:\Windows\System32\dwm.exe2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3416
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"2⤵PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1988
-
-
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496
-
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2044 -ip 20441⤵PID:4912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1380 -ip 13801⤵PID:3828
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000098 000000841⤵PID:3328
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000118 000000841⤵PID:4628
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 000000841⤵PID:1168
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000134 000000841⤵PID:5116
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f4 000000841⤵PID:2284
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 000000841⤵PID:3900
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 000000841⤵PID:3524
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
System Services (1)
Service Execution (1)
Persistence
Boot or Logon Autostart Execution (2)
Active Setup (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (2)
Windows Service (2)
Event Triggered Execution (3)
Change Default File Association (1)
Component Object Model Hijacking (1)
Netsh Helper DLL (1)
Modify Authentication Process (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Active Setup (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (2)
Windows Service (2)
Event Triggered Execution (3)
Change Default File Association (1)
Component Object Model Hijacking (1)
Netsh Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Defense Evasion
Impair Defenses (3)
Disable or Modify Tools (2)
Modify Authentication Process (1)
Modify Registry (8)
Subvert Trust Controls (2)
Install Root Certificate (1)
SIP and Trust Provider Hijacking (1)
Virtualization/Sandbox Evasion (2)
Downloads
-
Filesize
5.6MB
MD513b26b2c7048a92d6a843c1302618fad
SHA189c2dfc01ac12ef2704c7669844ec69f1700c1ca
SHA2561753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256
SHA512d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455
-
Filesize
9KB
MD58d8e6c7952a9dc7c0c73911c4dbc5518
SHA19098da03b33b2c822065b49d5220359c275d5e94
SHA256feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278
SHA51291a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645
-
Filesize
4.2MB
MD5b3dc981652f781ec4bbd152e7d14a1ac
SHA11d726d4399d9f34e891187e2e7d29ebdcbc4da61
SHA256abf8b7685a4a38bb376bee90dc89adcf881033dab98b53081e9475045126c62c
SHA512b9f212e51a6319604948e146fccd31f142473add8508c19686f3d35ff0dd74f3d6ddf41618d084aab732d878c5d58d0b60979734a7c8f5271119fb8653e7a58e
-
Filesize
96KB
MD5930c41bc0c20865af61a95bcf0c3b289
SHA1cecf37c3b6c76d9a79dd2a97cfc518621a6ac924
SHA2561f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff
SHA512fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2
-
Filesize
125KB
MD51ec718ada22e61a5bbbc2407a842b95b
SHA1c3cb7876db3734c686b64a7bf83984bf61a2a9ef
SHA2562e3bc4c6b0789469f9b7fe876adbc47b5b22f6b15ec7dff70ad588d838937677
SHA512ccc2b06edd4b724eba92f251bc62df424c61ea0668c06b06080a1206021889b5791855672f422ecfe889aba6d8b4f8fccf6ba23eddf358e7d84056a549e5fb8f
-
Filesize
310KB
MD51f4b0637137572a1fb34aaa033149506
SHA1c209c9a60a752bc7980a3d9d53daf4b4b32973a9
SHA25660c645c0a668c13ad36d2d5b67777dedf992e392e652e7f0519f21d658254648
SHA5124fd27293437b8bf77d15d993da2b0e75c9fba93bd5f94dad439a3e2e4c16c444f6a32543271f1d2ad79c220354b23301e544765ca392fc156267a89338452e86
-
Filesize
164KB
MD54cbc3c777f08cfbd14fc1ead80a5dd50
SHA1dc94c1792a3ca2531dde570f9142c82c6336fadb
SHA256115eb84390be11a5cbd396a9b950fcbe799e1684d0a6995ada7bca184fffba8f
SHA512dee450b527956f9f22034984afdfd4c8c2a3e9933ad847c48bbe1873113b299814900137c98e8e25875230a649e8c46a77b5505729b3cd785c69b1df161a62b1
-
Filesize
729KB
MD5ca0a3f23c4743c84b5978306a4491f6f
SHA158cf2b0555271badc3802e658569031666cb7d7e
SHA256944113e85a7cf29d41fbbb30f87ea2554d036448a0bdb1e4e2b2ade3f99a9359
SHA5129767f2afbe92eddc46a5654f7f8d6eb10da305df5b009d7407ba9822e5d0f9cc374728900e5ebed15e9849f155a77f44d96f16b4bcca650a42257bdca7f29cbd
-
Filesize
159B
MD5e26bcceba32f987399a0decf331f0697
SHA164540b56c5ff6dbb963faa50a85159c62edf7365
SHA2560fd1b221f5a865fd9d796857f51724ad6460d409e2cffe8cfaef091daa689d05
SHA512d96236da499970dfd6702150a5140e947547e50e3ec6b5ee3d7923ddcc637a01a9e747ecac0b81d4268cbe1a7788c63d5b4ec1373fc46318d8a5d676f510d508
-
Filesize
24KB
MD5033649d7b623b2f8cd29854ccb6d6a4b
SHA19772f7b7b11625fc3dea7598cdf5b6d0fc511ae6
SHA25604a0fbd0b5c3e4f7e3558a3871fe3f3cce5013a330941c3e72b4cdb19c81f2ad
SHA51290df8c97c8d8062970d76af2235c3ab78208c95c332bbc04e72e2782cb926ab12dbb1098914f453eb7b095ee7dc50f80d4cb96c5931a51a25efb5d91a3c50989
-
Filesize
10KB
MD57bb1b88b0dad0d85e482bf27d8ed266f
SHA153621cae980c2232d1a06b834ee54f4cc551901c
SHA256f06031fd4be1e9e5d057622752c9d1f1ce4511c2839f4b218b4d5fa89a783225
SHA512cc479a4aed0568ddbf47d6e83d2a4f837fac47000244a7b6ceb81c02ab4480ae7a0dcf5d38cf05e179ff6fbc69e32e08041cdf65d52fe092de59fd3840d8a70d
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14KB
MD50c0195c48b6b8582fa6f6373032118da
SHA1d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA25611bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
Filesize
765KB
MD54bb92f145d95b180e356baf280e283f0
SHA105e6167c0af3ef8c01724469f1ad815f3b6a665d
SHA2567438b6d40f44532a6fdb0bf2e4c936d672a10e5b3f8f3011d37736c51767f949
SHA512548b9080c7ab9227c4a6f41507b5488b1bb2652537596fff9208a40131fd59f890e4b97773b511353679c934c3a869666c79ba3a26600cb30df5e1e5d84b9644
-
Filesize
129B
MD5082aa56dc6180d87af01710356f24639
SHA15aaba07366f93b300a59a8d41772caa538cc3fd2
SHA2564e097fa00408362871d54848e648fdbd994ecf0a261b4f19c87d602a9ddd9993
SHA5129f310bcde7fde2bad46822f4db6aeb1cf2cd8c79614a9af5be44e17ca2f1ef5fa0e0c91f6e93db5d34de5fd05962a32b5ccd79780018ea68af9a0fca39234ae6