Analysis
max time kernel: 1086s
max time network: 1088s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19-11-2024 18:35
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.09.7z
Resource: win11-20241007-en
General
Target: https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.09.7z
Malware Config
Extracted
emotet
Epoch2
192.158.216.73:80
85.214.28.226:8080
142.44.137.67:443
162.241.242.173:8080
85.152.162.105:80
62.30.7.67:443
78.24.219.147:8080
74.120.55.163:80
169.239.182.217:8080
216.208.76.186:80
95.213.236.64:8080
200.114.213.233:8080
104.131.44.150:8080
70.121.172.89:80
75.139.38.211:80
185.94.252.104:443
97.82.79.83:80
103.86.49.11:8080
79.98.24.39:8080
83.169.36.251:8080
188.219.31.12:80
74.208.45.104:8080
137.59.187.107:8080
174.45.13.118:80
194.187.133.160:443
50.81.3.113:80
201.173.217.124:443
139.99.158.11:443
68.188.112.97:80
113.160.130.116:8443
173.62.217.22:443
139.130.242.43:80
190.160.53.126:80
137.119.36.33:80
209.141.54.221:8080
24.179.13.119:80
120.150.60.189:80
107.5.122.110:80
121.124.124.40:7080
203.153.216.189:7080
157.245.99.39:8080
85.105.205.77:8080
173.81.218.65:80
110.145.77.103:80
47.144.21.12:443
95.179.229.244:8080
187.161.206.24:80
46.105.131.79:8080
189.212.199.126:443
168.235.67.138:7080
24.137.76.62:80
85.66.181.138:80
200.41.121.90:80
5.39.91.110:7080
104.236.246.93:8080
172.91.208.86:80
99.224.14.125:80
37.139.21.175:8080
109.74.5.95:8080
1.221.254.82:80
61.19.246.238:443
5.196.74.210:8080
67.205.85.243:8080
79.137.83.50:443
94.200.114.161:80
70.180.43.7:80
190.55.181.54:443
47.146.117.214:80
89.205.113.80:80
37.187.72.193:8080
84.39.182.7:80
104.131.11.150:443
139.162.108.71:8080
87.106.136.232:8080
153.232.188.106:80
37.70.8.161:80
112.185.64.233:80
87.106.139.101:8080
94.23.237.171:443
24.43.99.75:80
203.117.253.142:80
98.109.204.230:80
93.147.212.206:80
91.211.88.52:7080
139.59.60.244:8080
176.111.60.55:8080
180.92.239.110:8080
62.75.141.82:80
174.102.48.180:443
38.18.235.242:80
5.196.108.189:8080
113.61.66.94:80
108.46.29.236:80
134.209.36.254:8080
66.65.136.14:80
76.175.162.101:80
174.106.122.139:80
50.35.17.13:80
96.249.236.156:443
85.96.199.93:80
142.112.10.95:20
94.1.108.190:443
121.7.127.163:80
213.196.135.145:80
181.169.34.190:80
42.200.107.142:80
140.186.212.146:80
105.186.233.33:80
71.72.196.159:80
139.162.60.124:8080
124.41.215.226:80
67.10.155.92:80
78.187.156.31:80
195.7.12.8:80
187.49.206.134:80
123.176.25.234:80
78.188.106.53:443
104.251.33.179:80
68.252.26.78:80
172.104.97.173:8080
110.142.236.207:80
91.146.156.228:80
118.83.154.64:443
216.139.123.119:80
121.7.31.214:80
181.169.235.7:80
82.80.155.43:80
50.91.114.38:80
24.43.32.186:80
130.0.132.242:80
80.241.255.202:8080
220.245.198.194:80
190.240.194.77:443
89.216.122.92:80
Extracted
agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: Sages101*
Extracted
agenttesla
Protocol: smtp
Host: mail.gautengelectrical.co.za
Port: 587
Username: [email protected]
Password: *2wo)L6EXH7%
Email To: [email protected]
Extracted
lokibot
http://brokensoul.ga/Colba4/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
revengerat
Guest
pmoses13-47804.portmap.io:47804
RV_MUTEX
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
Agenttesla family
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
Dharma family
Emotet family
Lokibot family
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
MassLogger Main payload 2 IoCs
resource yara_rule
behavioral1/memory/17968-31659-0x0000000000B30000-0x0000000000BCA000-memory.dmp family_masslogger
behavioral1/memory/17968-31877-0x0000000000400000-0x0000000000541000-memory.dmp family_masslogger
Masslogger family
Njrat family
RevengeRAT
Remote-access trojan with a wide range of capabilities.
Revengerat family
AgentTesla payload 4 IoCs
resource yara_rule
behavioral1/memory/2520-611-0x0000000000400000-0x0000000000466000-memory.dmp family_agenttesla
behavioral1/memory/1496-654-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla
behavioral1/memory/4740-869-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla
behavioral1/memory/6312-7106-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
resource yara_rule
behavioral1/memory/3856-1468-0x0000000000B10000-0x0000000000B20000-memory.dmp emotet
behavioral1/memory/3856-1464-0x0000000000AF0000-0x0000000000B02000-memory.dmp emotet
Renames multiple (554) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
RevengeRat Executable 1 IoCs
resource yara_rule
behavioral1/files/0x000600000002a6c0-969.dat revengerat
Drops file in Drivers directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\system32\drivers\etc\hosts HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process
2068 netsh.exe
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
resource yara_rule
behavioral1/files/0x0006000000025a26-511.dat office_macro_on_action
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\International\Geo\Nation vdjbvsjkbfkl.exe
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
Drops startup file 23 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c71275e6cb74a33d474d45a3741ae530.exe ssfax.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Manager.js Systemt.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Manager.js.id-43ADF887.[[email protected]].harma Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.vbs notepad.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemt.exe.id-43ADF887.[[email protected]].harma Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemt.exe vbc.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c71275e6cb74a33d474d45a3741ae530.exe Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Manager.lnk Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Manager.lnk.id-43ADF887.[[email protected]].harma Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemt.exe.id-43ADF887.[[email protected]].harma Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemt.exe Systemt.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-43ADF887.[[email protected]].harma Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Manager.js.id-43ADF887.[[email protected]].harma Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemt.exe Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c71275e6cb74a33d474d45a3741ae530.exe ssfax.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systemt.exe Systemt.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Manager.lnk Systemt.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Manager.js Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-43ADF887.[[email protected]].harma Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System Manager.lnk.id-43ADF887.[[email protected]].harma Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
Executes dropped EXE 34 IoCs
pid Process
2484 HEUR-Trojan-Banker.Win32.Emotet.pef-032b90053c404f1a417f4e83f3968f5bcc1a7aa077a1b57c1338b8d1e20b1caa.exe
2880 HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
2256 HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe
644 HEUR-Trojan.MSIL.Bsymem.gen-012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac.exe
2876 HEUR-Exploit.Win32.ShellCode.Agent.pef-01e0a44ad38177b6896ce04277ab57bde050154db8b5ec0b227f3f8c614667ea.exe
1496 HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe
2336 HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe
4720 HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe
3312 HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
4892 HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
864 HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
4740 HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
1976 HEUR-Trojan.Win32.Zenpak.pef-000ce16aa593d3de6ee74dc23d0ef231a77383c7545990d32c47f038314d0051.exe
3164 HEUR-Trojan.Win32.RRAT.gen-02a390aad8d557693715b7d58f42d6685a6f464a7df854b2652993d9e2e53ef0.exe
464 Systemt.exe
992 Trojan.MSIL.Disfa.bqd-0184b4f25bb27328803dae537c07ad8c5ea11b149a7293840b4b36701cec80a1.exe
3184 ssfax.exe
3856 HEUR-Trojan-Banker.Win32.Emotet.pef-0007e938052e444208feef8729dfbccf28120fd63299e8d331582be49b4041be.exe
2508 HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
1976 HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
480 HEUR-Trojan-Banker.Win32.Emotet.pef-028c68081e1016b01f710e66e8082d0513ce46a995502fd192d06d7e8dab4e54.exe
4016 UDS-DangerousObject.Multi.Generic-01da092bc20b08ea1bea6de68bc460606e7c34254de25501d0c4f385eb02e6bb.exe
3164 HEUR-Backdoor.MSIL.Androm.gen-01cd063d42c49b0612db611805a26403a9418e18f683321012809158bbd27742.exe
6188 Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
10116 HEUR-Trojan.Win32.Kryptik.gen-0213d8db1a9c13b9dc0926e8102e937054512783c310e9b9ede0f069271ea727.exe
13736 vdjbvsjkbfkl.exe
17968 vdjbvsjkbfkl.exe
18652 vdjbvsjkbfkl.exe
13820 chrome.exe
20432 chrome.exe
19864 chrome.exe
16584 chrome.exe
7120 chrome.exe
5796 chrome.exe
Loads dropped DLL 7 IoCs
pid Process
3792 rundll32.exe
13820 chrome.exe
20432 chrome.exe
19864 chrome.exe
16584 chrome.exe
7120 chrome.exe
5796 chrome.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
Uses the VBS compiler for execution 1 TTPs
Accesses Microsoft Outlook profiles 1 TTPs 53 IoCs
description ioc Process
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook vdjbvsjkbfkl.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook vdjbvsjkbfkl.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook vdjbvsjkbfkl.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook vdjbvsjkbfkl.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook vdjbvsjkbfkl.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook vdjbvsjkbfkl.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook vdjbvsjkbfkl.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook vdjbvsjkbfkl.exe
Key queried \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook vdjbvsjkbfkl.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook vdjbvsjkbfkl.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vdjbvsjkbfkl.exe
Adds Run key to start application 2 TTPs 9 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\yZBPl = "C:\\Users\\Admin\\AppData\\Roaming\\yZBPl\\yZBPl.exe" HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\c71275e6cb74a33d474d45a3741ae530 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ssfax.exe\" .." ssfax.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c71275e6cb74a33d474d45a3741ae530 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ssfax.exe\" .." ssfax.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\yZBPl = "C:\\Users\\Admin\\AppData\\Roaming\\yZBPl\\yZBPl.exe" HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WCPCe = "C:\\Users\\Admin\\AppData\\Roaming\\WCPCe\\WCPCe.exe" RegSvcs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Manager = "C:\\Windows\\system32\\Systemt.exe" Systemt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe = "C:\\Windows\\System32\\Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe" Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
Drops desktop.ini file(s) 64 IoCs
description ioc Process
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Public\AccountPictures\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\Downloads\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\Favorites\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\OneDrive\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Public\Music\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\Searches\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Public\Libraries\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Public\Desktop\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\$RECYCLE.BIN\S-1-5-21-2253712635-4068079004-3870069674-1000\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\Documents\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\Music\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\Pictures\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Public\Downloads\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\SystemManager\Program Files (x86)\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Public\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Program Files\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification F:\SystemManager\$RECYCLE.BIN\S-1-5-21-2253712635-4068079004-3870069674-1000\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Public\Videos\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Public\Pictures\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\Saved Games\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\Desktop\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe File opened for modification C:\Users\Public\Documents\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe File opened for modification C:\SystemManager\$Recycle.Bin\S-1-5-21-2253712635-4068079004-3870069674-1000\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 
Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe File opened for modification C:\Users\Admin\Videos\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\V: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\Y: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\Z: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\X: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\A: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\B: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\G: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\H: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\I: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\M: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\W: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\E: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\L: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\N: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\P: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\Q: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\T: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\J: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\O: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\R: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\S: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
File opened (read-only) | \??\U: | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
214 | api.ipify.org
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\system32\Systemt.exe | HEUR-Trojan.Win32.RRAT.gen-02a390aad8d557693715b7d58f42d6685a6f464a7df854b2652993d9e2e53ef0.exe
File created | C:\Windows\system32\Systemt.exe | Systemt.exe
File created | C:\Windows\System32\Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Windows\System32\Info.hta | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
Suspicious use of SetThreadContext 7 IoCs
description | pid | Process | procid_target
PID 644 set thread context of 2520 | 644 | HEUR-Trojan.MSIL.Bsymem.gen-012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac.exe | 131
PID 2256 set thread context of 1496 | 2256 | HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe | 142
PID 2336 set thread context of 4720 | 2336 | HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe | 149
PID 3312 set thread context of 4740 | 3312 | HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe | 165
PID 2508 set thread context of 1976 | 2508 | HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe | 308
PID 3164 set thread context of 6312 | 3164 | HEUR-Backdoor.MSIL.Androm.gen-01cd063d42c49b0612db611805a26403a9418e18f683321012809158bbd27742.exe | 335
PID 13736 set thread context of 17968 | 13736 | vdjbvsjkbfkl.exe | 359
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART10.BDR.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-125_contrast-black.png | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-256.png | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\FeedbackHubLargeTile.scale-125.png | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-40_altform-unplated.png | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN020.XML.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\PREVIEW.GIF.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Windows Media Player\ja-JP\wmpnscfg.exe.mui | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ul-oob.xrm-ms.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-180_8wekyb3d8bbwe\AppxManifest.xml | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\FocusTrapZone.js | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpAppList.targetsize-72_altform-lightunplated_contrast-black.png | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGHELP.DLL.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Microsoft.Apps.Stubs.Handoff.winmd | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\Microsoft Office\root\vreg\osmuxmui.msi.16.en-us.vreg.dat.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\node_modules\@microsoft\load-themed-styles\lib-amd\index.js | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-80_altform-unplated.png | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Dropdown.js | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Resources\it-it\Resources.resw | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-400.png | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Internet Explorer\hmmapi.dll | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWDAT.DLL.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.PasswordManager.Resources.dll.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.id-43ADF887.[[email protected]].harma | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SystemTemp | chrome.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Program crash 2 IoCs
pid | pid_target | Process | procid_target
2288 | 2876 | WerFault.exe | 139
1892 | 1976 | WerFault.exe | 173
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan.MSIL.Disfa.bqd-0184b4f25bb27328803dae537c07ad8c5ea11b149a7293840b4b36701cec80a1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Backdoor.MSIL.Androm.gen-01cd063d42c49b0612db611805a26403a9418e18f683321012809158bbd27742.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan.Win32.Kryptik.gen-0213d8db1a9c13b9dc0926e8102e937054512783c310e9b9ede0f069271ea727.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UDS-DangerousObject.Multi.Generic-01da092bc20b08ea1bea6de68bc460606e7c34254de25501d0c4f385eb02e6bb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Banker.Win32.Emotet.pef-0007e938052e444208feef8729dfbccf28120fd63299e8d331582be49b4041be.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Banker.Win32.Emotet.pef-028c68081e1016b01f710e66e8082d0513ce46a995502fd192d06d7e8dab4e54.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vdjbvsjkbfkl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vdjbvsjkbfkl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Exploit.Win32.ShellCode.Agent.pef-01e0a44ad38177b6896ce04277ab57bde050154db8b5ec0b227f3f8c614667ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan.Win32.Zenpak.pef-000ce16aa593d3de6ee74dc23d0ef231a77383c7545990d32c47f038314d0051.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan.MSIL.Bsymem.gen-012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ssfax.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vdjbvsjkbfkl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-Banker.Win32.Emotet.pef-032b90053c404f1a417f4e83f3968f5bcc1a7aa077a1b57c1338b8d1e20b1caa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
NSIS installer (2 IoCs)
resource | yara_rule
behavioral1/files/0x001a00000002ab42-1677.dat | nsis_installer_1
behavioral1/files/0x001a00000002ab42-1677.dat | nsis_installer_2
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Enumerates system info in registry (2 TTPs, 25 IoCs)
Interacts with shadow copies (3 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
15404 | vssadmin.exe
19956 | vssadmin.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133765152059423841" | chrome.exe
Modifies registry class (48 IoCs)
NTFS ADS (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\Downloads\Bazaar.2020.09.7z:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\AppData\Roaming\appdata\vdjbvsjkbfkl.exe:ZoneIdentifier | notepad.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1860 | schtasks.exe
4756 | schtasks.exe
2532 | schtasks.exe
6248 | schtasks.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
17968 | vdjbvsjkbfkl.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (4 IoCs)
pid | Process
3540 | 7zFM.exe
4740 | HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
3184 | ssfax.exe
1976 | HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Suspicious behavior: MapViewOfSection (8 IoCs)
pid | Process
644 | HEUR-Trojan.MSIL.Bsymem.gen-012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac.exe
644 | HEUR-Trojan.MSIL.Bsymem.gen-012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac.exe
2336 | HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe
3792 | rundll32.exe
3792 | rundll32.exe
3792 | rundll32.exe
3792 | rundll32.exe
13736 | vdjbvsjkbfkl.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
pid | Process
3864 | chrome.exe
3864 | chrome.exe
3864 | chrome.exe
3864 | chrome.exe
3864 | chrome.exe
3864 | chrome.exe
3864 | chrome.exe
3864 | chrome.exe
3864 | chrome.exe
Suspicious behavior: SetClipboardViewer (1 IoC)
pid | Process
4740 | HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (20 IoCs)
Suspicious use of SetWindowsHookEx (50 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

outlook_office_path (1 IoCs)
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vdjbvsjkbfkl.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vdjbvsjkbfkl.exe
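The "wrote to memory" table above records one row per WriteProcessMemory call, and every row in it is Firefox writing into content processes it spawned itself, which is the browser's normal sandbox bootstrap. What an analyst wants from such a table is the answer to a different question: did anything write into a process it did not create, or into a child running a different binary? The Python below is an added example, not part of the sandbox report: it parses rows in the report's flattened row format, collapses repeats into counts, and classifies each writer/target edge against a PID-to-image/parent map taken from this page's process tree. The name bsymem_sample.exe is shorthand for the HEUR-Trojan.MSIL.Bsymem sample on this page; the rows involving it (a write into its RegAsm.exe child, and a RegAsm.exe write into Firefox) are constructed for illustration and do not appear in the report's own table.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One row of the report's "wrote to memory" table, flattened to one line:
#   PID <writer> wrote to memory of <target> <writer> <image> <procid_target>
ROW_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<procid>\d+)$"
)


@dataclass(frozen=True)
class Proc:
    image: str    # executable name
    parent: int   # parent PID, 0 for a tree root / unknown parent


# PID -> (image, parent) taken from the process tree on this page.
# bsymem_sample.exe is shorthand for the HEUR-Trojan.MSIL.Bsymem sample;
# its two RegAsm.exe children (1752, 2520) are on the page.
PROCS = {
    4988: Proc("firefox.exe", 0),
    2936: Proc("firefox.exe", 4988),
    1748: Proc("firefox.exe", 2936),
    2976: Proc("firefox.exe", 2936),
    644:  Proc("bsymem_sample.exe", 0),
    1752: Proc("RegAsm.exe", 644),
    2520: Proc("RegAsm.exe", 644),
}

# Constructed input. The firefox rows mirror the page's table (repeats kept
# short); the bsymem/RegAsm rows are NOT in the report and are made up here
# to exercise the two classifications the Firefox rows never trigger.
SAMPLE_ROWS = """
PID 4988 wrote to memory of 2936 4988 firefox.exe 79
PID 4988 wrote to memory of 2936 4988 firefox.exe 79
PID 2936 wrote to memory of 1748 2936 firefox.exe 80
PID 2936 wrote to memory of 2976 2936 firefox.exe 82
PID 644 wrote to memory of 1752 644 bsymem_sample.exe 95
PID 644 wrote to memory of 1752 644 bsymem_sample.exe 95
PID 2520 wrote to memory of 2936 2520 RegAsm.exe 79
"""


def parse_rows(text: str) -> Counter:
    """Collapse repeated rows into (writer, target) -> number of writes."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        edges[(int(m["writer"]), int(m["target"]))] += 1
    return edges


def classify(writer: int, target: int, procs: dict) -> str:
    """Label one write edge from the parent/image relationship of the PIDs."""
    w, t = procs.get(writer), procs.get(target)
    if w is None or t is None:
        return "unknown-process"
    if t.parent != writer:
        # Writer is not the target's parent: cross-process injection.
        return "cross-process-injection"
    if w.image.lower() == t.image.lower():
        # Parent writing into a child of its own image: what browsers do
        # when they bootstrap sandboxed content processes.
        return "self-image-child"
    # Parent wrote into a child running a different binary: the process
    # hollowing / RunPE shape (create suspended, write, SetThreadContext).
    return "hollowing-candidate"


def triage(text: str, procs: dict) -> dict:
    """(writer, target) -> (write count, classification)."""
    return {edge: (n, classify(*edge, procs))
            for edge, n in parse_rows(text).items()}


if __name__ == "__main__":
    for (w, t), (n, label) in sorted(triage(SAMPLE_ROWS, PROCS).items()):
        print(f"{w:>5} -> {t:<5} x{n:<3} {label}")
```

The classification needs the parent relationship, which the "wrote to memory" table alone does not carry; in a real pipeline the PID map comes from the process-creation events of the same run, and PID reuse (visible on this page, where 1976, 2916 and 3312 each appear twice) means the map must be keyed by PID plus creation time rather than by PID alone.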
Processes

C:\Program Files\Mozilla Firefox\firefox.exe
  cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.09.7z"
  - Suspicious use of WriteProcessMemory
  PID:4988
    C:\Program Files\Mozilla Firefox\firefox.exe
      cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.09.7z
      - Checks processor information in registry
      - Modifies registry class
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:2936
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1476 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1994f338-1b12-46dc-9296-d1be37d082e4} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" gpu
          PID:1748
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e43b820e-b7fa-4ce2-8738-fbb3074c9b9b} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" socket
          - Checks processor information in registry
          PID:2976
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2964 -childID 1 -isForBrowser -prefsHandle 2852 -prefMapHandle 3088 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {737c9eeb-0d53-49f3-93cc-692b92ec23b3} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
          PID:1592
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3692 -childID 2 -isForBrowser -prefsHandle 3252 -prefMapHandle 3700 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57e10953-7748-49cf-8554-013973082383} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
          PID:2556
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4776 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4772 -prefMapHandle 4768 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d258cfb-ae1e-482d-a3f3-b90ab36915fe} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" utility
          - Checks processor information in registry
          PID:3144
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 3 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 27091 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e6095c6-338d-4a09-8e31-2b3171dac996} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
          PID:2916
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 4 -isForBrowser -prefsHandle 5780 -prefMapHandle 5652 -prefsLen 27091 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2888bbe2-829f-4014-9917-c6b4d84c29d5} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
          PID:3452
        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5988 -childID 5 -isForBrowser -prefsHandle 5992 -prefMapHandle 5996 -prefsLen 27091 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31719564-313a-4442-bc50-16c1653b4736} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" tab
          PID:4144

C:\Windows\System32\rundll32.exe
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:2880

C:\Program Files\7-Zip\7zFM.exe
  cmd: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Bazaar.2020.09.7z"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3864
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff703ecc40,0x7fff703ecc4c,0x7fff703ecc58
      PID:2948
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1952 /prefetch:2
      PID:3340
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1804,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1988 /prefetch:3
      PID:1468
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:8
      PID:2104
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:1
      PID:3772
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3312 /prefetch:1
      PID:3088
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4404,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4344 /prefetch:1
      PID:1764
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1576,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4360 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:1500
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5104,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4420 /prefetch:8
      PID:4660
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:8
      PID:2724
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=280,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:2
      - Executes dropped EXE
      - Loads dropped DLL
      PID:13820
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4752,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:20432
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3156,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:19864
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4628,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:16584
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3444,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3460 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:7120
    C:\Program Files\Google\Chrome\Application\chrome.exe
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3488,i,16195313968169760307,15483786518574887173,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:5796

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  cmd: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID:2916

C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.Emotet.pef-032b90053c404f1a417f4e83f3968f5bcc1a7aa077a1b57c1338b8d1e20b1caa.exe
  cmd: "C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.Emotet.pef-032b90053c404f1a417f4e83f3968f5bcc1a7aa077a1b57c1338b8d1e20b1caa.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2484

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3836

C:\Users\Admin\Desktop\HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
  cmd: "C:\Users\Admin\Desktop\HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2880
    C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd /c rd "C:\Windows\system32\drivers\etcyTHIx" /S /Q
      - System Location Discovery: System Language Discovery
      PID:3140

C:\Users\Admin\Desktop\HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe
  cmd: "C:\Users\Admin\Desktop\HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
    C:\Windows\SysWOW64\schtasks.exe
      cmd: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPigSLdqxVx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AEB.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID:1860
    C:\Users\Admin\Desktop\HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe
      cmd: "C:\Users\Admin\Desktop\HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID:1496

C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Bsymem.gen-012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac.exe
  cmd: "C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Bsymem.gen-012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:644
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:1752
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID:2520

C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID:2088

C:\Users\Admin\Desktop\HEUR-Exploit.Win32.ShellCode.Agent.pef-01e0a44ad38177b6896ce04277ab57bde050154db8b5ec0b227f3f8c614667ea.exe
  cmd: "C:\Users\Admin\Desktop\HEUR-Exploit.Win32.ShellCode.Agent.pef-01e0a44ad38177b6896ce04277ab57bde050154db8b5ec0b227f3f8c614667ea.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2876
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 256
      - Program crash
      PID:2288

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2876 -ip 2876
  PID:480

C:\Users\Admin\Desktop\HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe
  cmd: "C:\Users\Admin\Desktop\HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2336
    C:\Users\Admin\Desktop\HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe
      cmd: "C:\Users\Admin\Desktop\HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      PID:4720

C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
  cmd: "C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3312
    C:\Windows\SysWOW64\schtasks.exe
      cmd: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQVhWINGJBw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4180.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID:4756
    C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
      cmd: "C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe"
      - Executes dropped EXE
      PID:4892
    C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
      cmd: "C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe"
      - Executes dropped EXE
      PID:864
    C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
      cmd: "C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious behavior: SetClipboardViewer
      - Suspicious use of SetWindowsHookEx
      PID:4740

C:\Users\Admin\Desktop\HEUR-Trojan.Win32.Zenpak.pef-000ce16aa593d3de6ee74dc23d0ef231a77383c7545990d32c47f038314d0051.exe
  cmd: "C:\Users\Admin\Desktop\HEUR-Trojan.Win32.Zenpak.pef-000ce16aa593d3de6ee74dc23d0ef231a77383c7545990d32c47f038314d0051.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1976
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 276
      - Program crash
      PID:1892

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1976 -ip 1976
  PID:1572
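The Noon, Bsymem, Androm and Injuke entries above share one shape: a dropped .NET executable under C:\Users calls SetThreadContext and then either re-launches its own image or starts a signed framework binary (RegAsm.exe) with no arguments, registers a scheduled task from an XML file in %TEMP% under an "Updates\" task path, and it is the hollowed child that reads the Outlook profile keys. The RRAT entry that follows adds on-the-fly compilation through vbc.exe and cvtres.exe. The Python below is an added example, not part of the report or of the sandbox's own detection logic: it encodes those observations as rules over process-creation and registry-query events and runs them on constructed events modelled on this page. The *_sample.exe names stand in for the long HEUR-... filenames, and the path for vdjbvsjkbfkl.exe is assumed, since the report gives only the process name. A Chrome renderer launch is included as a benign control to show why the user-path qualifier on the self-spawn rule matters.

```python
import re

USER_DIR = re.compile(r"^c:\\users\\", re.I)            # user-writable drop locations
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
# Both Outlook profile locations this report shows being queried:
# Office\<ver>\Outlook\Profiles and the Windows Messaging Subsystem path.
OUTLOOK_PROFILE = re.compile(
    r"\\software\\microsoft\\(office\\\d+\.\d+\\outlook"
    r"|windows nt\\currentversion\\windows messaging subsystem)\\profiles\\", re.I)
# Signed .NET framework binaries commonly used as hollowing hosts.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
COMPILERS = {"vbc.exe", "csc.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


# Each rule returns a message when it fires, otherwise None.
def rule_schtasks_xml_from_temp(ev):
    if basename(ev["image"]) != "schtasks.exe":
        return None
    toks = [t.lower() for t in tokens(ev["cmdline"])]
    if "/create" in toks and "/xml" in toks:
        i = toks.index("/xml")
        if i + 1 < len(toks) and TEMP_DIR.search(toks[i + 1]):
            return "scheduled task registered from an XML file in %TEMP%"
    return None


def rule_self_spawn_from_user_dir(ev):
    if USER_DIR.match(ev["image"]) and ev["image"].lower() == ev["parent_image"].lower():
        return "user-path binary re-launched its own image (SetThreadContext/RunPE shape)"
    return None


def rule_dotnet_host_no_args(ev):
    if (basename(ev["image"]) in DOTNET_HOSTS and not tokens(ev["cmdline"])[1:]
            and USER_DIR.match(ev["parent_image"])):
        return "signed .NET host started with no arguments by a user-path parent"
    return None


def rule_runtime_compile(ev):
    if basename(ev["image"]) in COMPILERS and USER_DIR.match(ev["parent_image"]):
        return "compiler invoked by a user-path parent (on-the-fly code generation)"
    return None


def rule_outlook_profile_query(ev):
    if OUTLOOK_PROFILE.search(ev["key"]) and basename(ev["image"]) != "outlook.exe":
        return "non-Outlook process read an Outlook MAPI profile (credential theft)"
    return None


PROCESS_RULES = [rule_schtasks_xml_from_temp, rule_self_spawn_from_user_dir,
                 rule_dotnet_host_no_args, rule_runtime_compile]
REGISTRY_RULES = [rule_outlook_profile_query]


def scan(events):
    """Return (event index, rule name, message) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in PROCESS_RULES if ev["type"] == "process" else REGISTRY_RULES:
            msg = rule(ev)
            if msg:
                hits.append((i, rule.__name__[len("rule_"):], msg))
    return hits


# Constructed events modelled on this page's process tree (see lead-in for
# which names and paths are stand-ins or assumptions).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\Admin\Desktop\noon_sample.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPigSLdqxVx" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6AEB.tmp"'},
    {"type": "process", "image": r"C:\Users\Admin\Desktop\noon_sample.exe",
     "parent_image": r"C:\Users\Admin\Desktop\noon_sample.exe",
     "cmdline": r'"C:\Users\Admin\Desktop\noon_sample.exe"'},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Users\Admin\Desktop\bsymem_sample.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe",
     "parent_image": r"C:\Users\Admin\Desktop\rrat_sample.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig '
                r'@"C:\Users\Admin\AppData\Local\Temp\rdtew_df.cmdline"'},
    {"type": "registry", "image": r"C:\Users\Admin\AppData\Roaming\vdjbvsjkbfkl.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000"
            r"\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    # Benign control: Chrome spawning a renderer of its own image from Program Files.
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'},
]

if __name__ == "__main__":
    for i, name, msg in scan(SAMPLE_EVENTS):
        print(f"event {i}: {name}: {msg}")
```

The rules are deliberately keyed on the parent's location rather than on the sample's filename, because the hollowed RegAsm.exe, the schtasks.exe child and the vbc.exe compiler are all legitimately signed Microsoft binaries and would pass any image-reputation check on their own; the only thing that separates them from benign use here is who launched them and with what arguments.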
C:\Users\Admin\Desktop\HEUR-Trojan.Win32.RRAT.gen-02a390aad8d557693715b7d58f42d6685a6f464a7df854b2652993d9e2e53ef0.exe
  cmd: "C:\Users\Admin\Desktop\HEUR-Trojan.Win32.RRAT.gen-02a390aad8d557693715b7d58f42d6685a6f464a7df854b2652993d9e2e53ef0.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3164
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rdtew_df.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:4544
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc765D8772730F4DBAA928D2DAC983C95F.TMP"
          PID:948
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ylju36zm.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:2604
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc986F581C9B1948D19EB833F43B8BEF16.TMP"
          PID:2176
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i1e57hwe.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:5064
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C99.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C8030B08BE54AA7BEBF335E52ABCE11.TMP"
          PID:2472
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ondcdemj.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:4976
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc132184D0FC624AE0A261E1980F62A1A.TMP"
          PID:4500
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hu-dzo3y.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:3448
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5F3229A95C34936AF755C74BCA95426.TMP"
          PID:2956
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fmv5gcuq.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:752
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98D0F94911564F30B6CEC3A211622D4C.TMP"
          PID:4060
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xxooigwr.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:828
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD27CDA3C9B3418BAB979346558601F.TMP"
          PID:3872
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gdz3cu7y.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:4040
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF272B66897C648EF833D105686591E83.TMP"
          PID:1184
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xasw4vqu.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:1976
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2062.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF282A9F8B5E4BE0A33582D9227DE62.TMP"
          PID:4768
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dpnnjydo.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:3456
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES214C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc24FC40F71CBF459ABACF59681342A7E4.TMP"
          PID:4928
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7_odawqm.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:5012
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc693DA5D743AA4CDA9CB86586FCE6E63.TMP"
          PID:2024
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\96cb3s8u.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:1464
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22D3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53EA2CEE19D642B78BCAC1AA7CF18250.TMP"
          PID:2284
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r_jhjlet.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:4812
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB62F32A8694F41CDA6733EC9B69B37E.TMP"
          PID:2916
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y0xnczno.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:2968
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2488.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C79377A4944F01A4B8B4ED35BF9A67.TMP"
          PID:3532
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6utrfcqt.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:1820
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2515.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF28CB56CAFD64D8B928156D268A15755.TMP"
          PID:3720
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2msny2no.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:3400
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc75DBA6721CD54A649B3A94A6BD50C84D.TMP"
          PID:3312
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\temtagm0.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:1176
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES267C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E2EE9898B184128BEB06153CFFD6C.TMP"
          PID:3184
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\op4vqryr.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:3124
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1305764CB441A39C155956BFAC638.TMP"
          PID:1088
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xi6l0cah.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:2024
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2786.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9A859DA7DCB4D88A2861329AC46E713.TMP"
          PID:1224
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c9du7bw-.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:2080
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2813.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F1A3054C8324186B8FAC7EC8B7CCBEB.TMP"
          PID:4976
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\exkqw3ie.cmdline"
      - Suspicious use of SetWindowsHookEx
      PID:2560
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8CA5513FF5C4F739C832194F717498A.TMP"
          PID:2528
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yfwbnhkj.cmdline"
- Suspicious use of SetWindowsHookEx
PID:2300 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES296A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1A5A9D4EE38452995CC6CF1D88DF76.TMP"3⤵PID:568
-
-
-
  C:\Windows\system32\Systemt.exe (PID 464): "C:\Windows\system32\Systemt.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 2516): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c4hjpg8f.cmdline"
      - Drops startup file
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 4628): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62C3AD28EF1546D8B55392F779723BA.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 2716): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mmknpe2c.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 576): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF38D8E6F49C242DF951E1312C5DA29F3.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 1952): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rgubmajb.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 1820): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC71.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7D4E24E34C4928A97FB0F29955F7E5.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 2040): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f22xw7cc.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 2984): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5091257D789E4BFE9AD941E6BCD7F6E3.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 4944): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kpslanx_.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 4184): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA31EAD95ED0A4AD0A1D26DE63AC09E.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 4972): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tr01o8ph.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 900): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44ACA02C83B44E6D9130713D309553AA.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 2976): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ose3alzb.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 4008): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CCCB36856A74EA08E3A9312F6F03E.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 1560): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rnmcwf8n.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 4628): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF4F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95AAC3C2EC504898A9F6A37AA699F182.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 2560): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mrg8zaaw.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 2524): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFCC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc456E831EDAE647178B8820A2E4E97179.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 3856): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kimarpcl.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 4512): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD03A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAE522EDFF64ED888E66E6355373E62.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 4672): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lbiohx_b.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 1104): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D8CC85C127C42D88A23CA30DDDE9270.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 6988): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bdfsfx_s.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 11100): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD57C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C2D660D368442438471FB6674A4C5F0.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 8788): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tebqh-nt.cmdline"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 15068): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\stths2e6.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 21460): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE73F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F616DE31E2B417A9D129BAA94BD123.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 7116): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w7lo37pt.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 17028): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5056960398F74D2A8A3E748404F34F9.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 20120): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wtk11atr.cmdline"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 21896): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d1xjgn8f.cmdline"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 10948): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jlrlftfx.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 8116): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF95769152CA5479AB7247551A83140D2.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 10976): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kcdikgvd.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 16988): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA34C82671BBD4D0A9FE0219976D1B036.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 8208): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hjajnumk.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 22076): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE35FD38954644983B564A7A55A6693.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 22028): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\omibw-5v.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 20276): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc943BC92BF0A6462AAECE7F53B93C65EA.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 17956): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\etp1wkbx.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 20848): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F3E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3BE38A7B24484992AFB1BEA770838324.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 20132): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rxs2x_i1.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 19580): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6028.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4083209CF40B4D2CA66AA67983112C41.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 18560): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rxjwmsvp.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 18488): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6103.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBFA19F157F174E94A366D5BB4CE74EB3.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 18680): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\svno3hyc.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 20916): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES61BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA3615F60F0D41ED9D3C3066F7C8FEB0.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 20148): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wmely--m.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 10848): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES626A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61C2EDB55CA4F6CBE56262843B29535.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 11000): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jbkzi0fy.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 21832): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc943C1706922E4DC699D381567A7114EB.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 20528): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tyuq2_e_.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 20880): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA7BB904DDB274B0FB9B7BF5FF5E9C56.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 20888): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z58nbteh.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 17012): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES645E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AA117B6D7B6486BBDC6F5911CF7154D.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 16568): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mxtzcm2z.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 21084): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6549.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F7E74A8A20C443A9CCA416EDD55F2.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 19832): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\psvqzemp.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 20328): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6614.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA3CDE955404638A9ABB681F69D932.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 19100): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yy4lrb_2.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 17988): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD7F62D6957F4839AC3E528A24F567.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 17248): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xl5vmbvk.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 11644): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6827.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85905D7CE7604AFAA66D7718CC4F549.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 19924): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xgzj2lsg.cmdline"
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 17128): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68D3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6AAC61D64464ECD9A6648716D3D78E.TMP"
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (PID 11724): "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cskqcbqv.cmdline"
C:\Users\Admin\Desktop\Trojan.MSIL.Disfa.bqd-0184b4f25bb27328803dae537c07ad8c5ea11b149a7293840b4b36701cec80a1.exe (PID 992): "C:\Users\Admin\Desktop\Trojan.MSIL.Disfa.bqd-0184b4f25bb27328803dae537c07ad8c5ea11b149a7293840b4b36701cec80a1.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Roaming\ssfax.exe (PID 3184): "C:\Users\Admin\AppData\Roaming\ssfax.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    C:\Windows\SysWOW64\netsh.exe (PID 2068): netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ssfax.exe" "ssfax.exe" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.Emotet.pef-0007e938052e444208feef8729dfbccf28120fd63299e8d331582be49b4041be.exe (PID 3856): "C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.Emotet.pef-0007e938052e444208feef8729dfbccf28120fd63299e8d331582be49b4041be.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe (PID 2508): "C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\schtasks.exe (PID 2532): "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQVhWINGJBw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3C19.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe (PID 1976): "C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.Emotet.pef-028c68081e1016b01f710e66e8082d0513ce46a995502fd192d06d7e8dab4e54.exe (PID 480): "C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.Emotet.pef-028c68081e1016b01f710e66e8082d0513ce46a995502fd192d06d7e8dab4e54.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
C:\Users\Admin\Desktop\UDS-DangerousObject.Multi.Generic-01da092bc20b08ea1bea6de68bc460606e7c34254de25501d0c4f385eb02e6bb.exe (PID 4016): "C:\Users\Admin\Desktop\UDS-DangerousObject.Multi.Generic-01da092bc20b08ea1bea6de68bc460606e7c34254de25501d0c4f385eb02e6bb.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\rundll32.exe (PID 3792): rundll32.exe ClootAmp,Hurley
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    C:\Windows\SysWOW64\cmd.exe (PID 2264): "C:\Windows\system32\cmd.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 3356): "C:\Windows\system32\cmd.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 2764): "C:\Windows\system32\cmd.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 5016): "C:\Windows\system32\cmd.exe"
C:\Users\Admin\Desktop\HEUR-Backdoor.MSIL.Androm.gen-01cd063d42c49b0612db611805a26403a9418e18f683321012809158bbd27742.exe (PID 3164): "C:\Users\Admin\Desktop\HEUR-Backdoor.MSIL.Androm.gen-01cd063d42c49b0612db611805a26403a9418e18f683321012809158bbd27742.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\schtasks.exe (PID 6248): "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gUkVmFaQx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC554.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 6312): "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
C:\Users\Admin\Desktop\Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe (PID 6188): "C:\Users\Admin\Desktop\Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  C:\Windows\system32\cmd.exe (PID 6824): "C:\Windows\system32\cmd.exe"
    C:\Windows\system32\mode.com (PID 9092): mode con cp select=1251
    C:\Windows\system32\vssadmin.exe (PID 15404): vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe (PID 21828): "C:\Windows\system32\cmd.exe"
    C:\Windows\system32\mode.com (PID 12556): mode con cp select=1251
    C:\Windows\system32\vssadmin.exe (PID 19956): vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\System32\mshta.exe (PID 17664): "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  C:\Windows\System32\mshta.exe (PID 13432): "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\system32\vssvc.exe (PID 16256): C:\Windows\system32\vssvc.exe
C:\Users\Admin\Desktop\HEUR-Trojan.Win32.Kryptik.gen-0213d8db1a9c13b9dc0926e8102e937054512783c310e9b9ede0f069271ea727.exe (PID 10116): "C:\Users\Admin\Desktop\HEUR-Trojan.Win32.Kryptik.gen-0213d8db1a9c13b9dc0926e8102e937054512783c310e9b9ede0f069271ea727.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\notepad.exe (PID 9444): "C:\Windows\system32\notepad.exe"
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    C:\Users\Admin\AppData\Roaming\appdata\vdjbvsjkbfkl.exe (PID 13736): "C:\Users\Admin\AppData\Roaming\appdata\vdjbvsjkbfkl.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      C:\Users\Admin\AppData\Roaming\appdata\vdjbvsjkbfkl.exe (PID 17968): "C:\Users\Admin\AppData\Roaming\appdata\vdjbvsjkbfkl.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - outlook_office_path
        - outlook_win_path
      C:\Users\Admin\AppData\Roaming\appdata\vdjbvsjkbfkl.exe (PID 18652): "C:\Users\Admin\AppData\Roaming\appdata\vdjbvsjkbfkl.exe" 2 17968 241583046
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe (PID 16432): C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (PID 15836): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (PID 13508): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (PID 14476): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (PID 14160): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (PID 10316): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\werfault.exe (PID 5456): werfault.exe /h /shared Global\ef744861dd8142edb37af13d722c3fa4 /t 20404 /p 13432
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (PID 12196): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (PID 5532): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (PID 6776): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (PID 7000): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (PID 5232): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (PID 6380): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\System32\oobe\UserOOBEBroker.exe (PID 12356): C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- Scheduled Task/Job (1): Scheduled Task (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Direct Volume Access (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Indicator Removal (2): File Deletion (2)
- Modify Registry (2)
Credential Access
- Credentials from Password Stores (2): Credentials from Web Browsers (1), Windows Credential Manager (1)
- Unsecured Credentials (5): Credentials In Files (4), Credentials in Registry (1)
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-43ADF887.[[email protected]].harma
Filesize2.9MB
MD5cc39a45c198cd6cb1b70d312e01c599c
SHA1ff767db24f8c99b50e701b56ee566548ae7de1f9
SHA256b74e5a033db4b0fe269b402783b0701233e5c608e18f46398e0fc56c44379122
SHA512c7df9d870bef2827e23a8e76912f7ffdfa79021b8e4951585688d23169683acd5074f2a9cbec4c13fc2db6da8153f91216f6be5720a997abb2d2c4fe7e48b2c6
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Trojan-Ransom.Win32.Crusis.to-038e577d25d5b9237fbbef6080f53f462b01e75f83449bf0020ef0b14f371ac6.exe
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7df6b1c4-61cf-46d4-a4b7-196296e92a95.tmp
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\805b9051-a4ff-4b87-b202-12dcd758d5e9.tmp
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe67db6e.TMP
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RFe67ab75.TMP
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jj59r4xg.default-release\activity-stream.discovery_stream.json
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133765159649805892.txt
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat
-
Filesize
1KB
MD55be4bef9b54389449720c99549993d37
SHA1fcf2044b2741b8bfae6ae40315cd25c32c9ca1a0
SHA256090506b1f2c404bd0914a0cee6fd9ba5ed82d747f6c5625f96f796e4fb439656
SHA512432af11091dcfe03b0dd41ec1d3a01fef0c5c9a5a3f7db72638713d89a97de144a2f830f22ce3df1b3a0a300a816c110de2cb5413641f8ce8d357af67eaddee1
-
Filesize
1KB
MD50d2916c8c1ba38bdc4731c91e88fd1cd
SHA1488dd0b5ae7a07f33aa469d1f14ea522a8ef3b5e
SHA256b3d90e229a33a04bcdc4b95cfe89037372397011a7bc5e862510b0b01382a884
SHA512e05f2e9ca411e9e2a299605a8225eee927d629463b7cd332986dc150f2c61c62fe47b8fd7c724b1236333b61015e12192d83dff9ae9d89888e78cf325978b47d
-
Filesize
50KB
MD56fee1f69b6caa54d771a434bd2719beb
SHA17c46c718a398f765ab1626e34eca68029d6fd263
SHA2565ac917537b3ed7079c400633ffcad610020da509493a1f9f98c69643b45bf403
SHA5121f81e42b0bdf713d7f396567850b007eda6cf391580db7d2515d23fd47d696af101b6f39617f5e9cf90eb790de7a9c57c5af27b979857e49f582bd78448a24e2
-
Filesize
4KB
MD56d1a51899c665c004fe188e351adb4be
SHA134b6bb1257a94b1fd6d97ecc906295daf4c4640e
SHA256351d2e1fcb1018b663341bc1c88e6e2ea0b30193e4fe26fa0b6dc2b7939f198f
SHA512fe8a4b3249465a193295ffe6bd30e07b81aa048195591c255477a2b326ab1c1de8595b000ac5c522e915ce642f73dbe85913fa9af7ad2a740d80b68e8ead39b3
-
Filesize
676B
MD585c61c03055878407f9433e0cc278eb7
SHA115a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA5127099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756
-
Filesize
644B
MD5dac60af34e6b37e2ce48ac2551aee4e7
SHA1968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA2562edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA5121f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084
-
Filesize
5KB
MD5fb15c776df6dc12939c8012710156cf3
SHA1181f0f2feee263490d8a706dcbf4b08d93abfb42
SHA25613be81c20b23951124042d7b509afba92a1a0396f63399ed945ae1c29c1783dc
SHA512786b42779eb420fc0e487cf67037c126f5c6418a64916fff03a759ec762eed08dd110766a6041c53739763a64ae76ea3356e56b47e7a77b85e6946ba1d6f7586
-
Filesize
5KB
MD59daaa36a3ec1951b3272ccf3bec49d6d
SHA1879a8e9724494c228d30ed8f5a45622aa7676693
SHA25671b7259457a1cbaec78eb971b5a8c180fd4b0adb9d836c1f0190a2dd0657e085
SHA51216db344bb7c5cc34c7abea6cd8348fb205cc365c2dc09a2cb647550052c71908c2e3d1c575078d6eeb4c1a5fa042de06d102fd112471194b581916a4fa34b22e
-
Filesize
4KB
MD58050208281fc881aa3799b00dfb89b99
SHA16e5a65599b1b7b3c1b4f268b6d37ad57a9081965
SHA2566618407f40d0464f56b4c2ebfeb00c289bbc757e5444d1ef706285f5d76ac850
SHA512c860847bea3c7a920583dddcee190a20df894dee86a338bd27427ca097c2a8f69a1873317549fa534d41b8e017e415950f417ae729d86d191ae709552c99a6be
-
Filesize
668B
MD53906bddee0286f09007add3cffcaa5d5
SHA10e7ec4da19db060ab3c90b19070d39699561aae2
SHA2560deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA5120a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0
-
Filesize
5KB
MD5ad1f240c6462102bb2e7b791c59c64bb
SHA1620c0f7526a724d0b8ff346a79b692509cce3980
SHA256a4336d8cd1fd5356948b4135d2dff7974a4c7566e3f730913b2bc6eab2fec916
SHA5126779ab7ead48f8c991995027eebffbd219d3279e25e53eacfb899411f3685ea2c227335fef0f858bb0e52433cac0a03bf82ab1e154398dde287ecb7834714d17
-
Filesize
365B
MD524ac7b7dbfccefe4c44a8d03507e51ee
SHA1f3c6fe2f007e753e488ee07fe496d0bd72981d54
SHA256acfaf99af2c9c4439ba2091513608e30f4b6263551aeb6e1fffee346fe468507
SHA512b8f0f99040b8842bb66b7616f9020921d2c43b052b169c410c08fe27888f27a049f516cfc20643aa68dfeaa62d0bc58a5f0a4edf4fa0b0153769e2bf5fac8e5a
-
Filesize
230B
MD56de772230dc17174de71a7bcf00b467c
SHA1abf90970fc3bacab035aaaa40ad6efc0f484c4e5
SHA25635f82343e68f600b21b8bae0f9a524d8dc2d5b19c797658d9d6f0b9ab37590af
SHA5123a8cb460642513283d0fac4670d33ae1c8a2678ee53262c7610dc84e2f331b879f9c00bd4d850c9842dfeb368876283e4fab229d1f0b51c40fabb67098506cb3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2253712635-4068079004-3870069674-1000\0f5007522459c86e95ffcc62f32308f1_8eddfaa5-5215-4a3e-9643-56d670a6027a
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2253712635-4068079004-3870069674-1000\0f5007522459c86e95ffcc62f32308f1_8eddfaa5-5215-4a3e-9643-56d670a6027a
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\AlternateServices.bin
Filesize6KB
MD5ae0af309bc2846b3e1bac8890656589e
SHA15068c74d97545f3b41dda2461b0f90bc4e7d9e60
SHA2566d9ed075b25f69c4004b9ce516755ebad0e640c63458d2948a716e0cf69fff6f
SHA512012b96d9c65a27db0c4411723055bacdde428b95a90129ba990394dd81b4571a7992f2219b9b2f6982f41a4fd0055c633785265562fec2b9224e4f370559435b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\AlternateServices.bin
Filesize6KB
MD521fd05cb27dce9aca9f0d4934bb667f0
SHA1125d4ea6221859f6412834eb0dd00de82a4b6a5e
SHA256610868d47dfd513ebf3a0b9c4883771f98acc7e385ebf7dcb15d4be358736f74
SHA5125d4229bf7b73a33878f65f8330831c26710789ac7258026ab6b723a5526b179dbe94cbb94dcded30c175bfa6ee11780dd260f4772eb2ede18bc9a77b4beafd6b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD52dfd437c57bcdc89b37db0c70be7405c
SHA16eed6d43d3b7eba3ad563745a531f551747b11e6
SHA2560b8d974e336161e3a6b5e790798d000492c32655afc4d87b1ce31c45009c807b
SHA512bcc0c1bb2290b5994284ffb07abd5ffb743518c9def41636c9edac2bbd626786e469506b4d45bc35b954edea7548f4496610d3466b11f0e63c997942c0450eca
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\335f0eb4-7628-43ad-99a9-0c02c4095536
Filesize671B
MD51dcf22caced07c203cc81259118dc6e5
SHA167e48b48f99b9bcc05984f6d8bf9bdeccf297189
SHA256dbdc10287bae9a5b4155312a5c80053d4f21ab73ea9776dd22a01ec7fd626946
SHA512b966c3c44b29f6ed77c869a87a8379a15ddc69a6f7aad025d3779208b59748c8438fd48fee308d9e71a3a54911a03cc40790af1d59a9c4ef025773d9cf67b7c5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\5ea8f49f-b807-4eba-8694-3de7165f1f39
Filesize25KB
MD59664673f49149b8fd9aab132307e7a90
SHA10d03fc1273172f94e66ef5bf775fc52a818d8750
SHA2566678d184ca466f652b38b08093f3ef4490de1771114450960f4ee234ad2a2daf
SHA51225c501f393e0aae6bf8d6c50a452dae30e3caea27d975ad201dff615f35e32ccf8d570c7a34a3b1b1572db603a75bcff03e33e3a3a0bfc777297a24ee91b53be
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\e4110f4c-c47f-4190-831d-78245b5b7de9
Filesize982B
MD53030e5e69c8158e238c422c90ea97068
SHA1b655634d7a9665311c6c65cfaf4f474bdc830632
SHA2569a877e0b546ad92f14746aacc86b0cf17534ecab7fc3e6ec4b2e9170bc275b87
SHA512b5cf8d368dcad9bfbdd0010f5949d0aa99747f661fb5a3b0c6b99c62c694e6769acd648da71a0e11ff5b8144e83dd163af83cdf78d19b1f8397e16b2e22f1ceb
-
Filesize
10KB
MD512b8307e8c57255cc4bdeae10f9368c3
SHA1eff8a295372c263d9616f6c6269f99fffdb50a51
SHA25637076342167d7f86083e81ddf59894bf9cc13ba8e63b50a590c3cc137d4bf3b7
SHA512cd1245ba739c056f8ac29e0ac0b6eee07d14a7e9d6d3fd214059d50906a811c1425026a23ec1eeeb49b698581947d50a195fc93c67514a71f4b6aa21d91b16a6
-
Filesize
10KB
MD5687deee4dc118f0e002d4177951f2380
SHA144ac9772388a731ba8629ccc68f4d0a4feb017ff
SHA256574d92aa6a538e8d32d53062a86cd646dc7af7b715c58705c0209d428e8a1a0b
SHA512af1a0c36e04ce8cf5191daddf26bd999252f798bb5bab9dbff309a9d1342d8b93a3725aedf60bf53e50d60c2904c1c75c7bc9660bd23befba00e866ecbd24c7c
-
Filesize
10KB
MD596f2c046dfc6f33d83adc65498d9a8be
SHA12a190c291bd13e39d9255e05f9fd7c5d2b40cce2
SHA256702ba2883ea5781223a345cda2f57fec96e2fbfedeaa19b05b43496278c6f43a
SHA512aef0866fb74c356120fab0ee196b0fc321f9ea315693dc40aa5c653c850d9185302b8a5ac99245670818f82e3538802708e89d26a57f404499334f43d4c47f88
-
Filesize
10KB
MD53fab93f50bbff557d72c7f8721907cd0
SHA1c6b403b510db4431496cd47a8d81158b10086a00
SHA256487accf33da1734c63e32feb9e1a25effb66e344ef6b696caf93f4fa9f983be6
SHA512f8ec7f45b311b1563d98429c33472954354f02baf271a61507d0227d18d74ee27ee6b456407a8e4fb3b60abf4742bf95981fb8bee9d743a99d78cb3cd70e68d8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionCheckpoints.json
Filesize228B
MD566bdbb6de2094027600e5df8fbbf28f4
SHA1ce033f719ebce89ac8e5c6f0c9fed58c52eca985
SHA256df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc
SHA51218782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660
-
Filesize
23KB
MD57f9b9484cfcb33be75b0d1cd17aa562b
SHA17086afa606c7e5211e5ee112695e641650502684
SHA2560184b4f25bb27328803dae537c07ad8c5ea11b149a7293840b4b36701cec80a1
SHA512258b90a5a3513d98876c3506daf5bcb8cf87588a7a201f804b219bb1f76e4768ce8a36793090e93b763fe121fbc2c0d886f7df9406d3799b45d6447c247d4db1
-
C:\Users\Admin\Desktop\Exploit.HWP.Agent.ac-0327c1cf8c7c700d4674f045577c273fdeacd1db9cb7d52a9121e65517208757.exe
Filesize46KB
MD51c669d4b2bea6b56dd6e00adabc6319f
SHA15939729a5dfe8b09cf093d47b7606b2055c8f182
SHA2560327c1cf8c7c700d4674f045577c273fdeacd1db9cb7d52a9121e65517208757
SHA512a4e8dac13efeda94382d41c82c00137d13c67a16748f3348561daf32b10a4a7698af2cccbda90410fc52fdd31eea38adb75373a2a3fd2811f16742e663c45291
-
C:\Users\Admin\Desktop\HEUR-Backdoor.Win32.Androm.gen-03887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a.exe
Filesize630KB
MD5624256432006a3a4343de33aae57efea
SHA11f940fffa126b856d0fd0b769d89efc66dda7ffa
SHA25603887a563644f15ae45078bc21aea1928e67d6c2ca1d0e5f1ec64152cb02df7a
SHA512fd7c1e80e6faca3a0693c451b0fa3ae5f28da764accbda6fb8a61669c7f855a2a01284156faf1b477f58688d3efc21afe555915ff12595d85fcaea076c665bf8
-
C:\Users\Admin\Desktop\HEUR-Exploit.Win32.ShellCode.Agent.pef-01e0a44ad38177b6896ce04277ab57bde050154db8b5ec0b227f3f8c614667ea.exe
Filesize674KB
MD5b50fd130d0981ff1c307e4b745cb5576
SHA1319b182086b7b12bb58571529d43b62092233248
SHA25601e0a44ad38177b6896ce04277ab57bde050154db8b5ec0b227f3f8c614667ea
SHA512124467dac783fb30ff3dad32d47fc60d59b99993e70e7faf1c53a9eba49369ff5e09569ed55c2bf6d50f38b43c1a0dfcdd66daee9a9d66c50c72348d83f20227
-
C:\Users\Admin\Desktop\HEUR-Trojan-Banker.Win32.Emotet.pef-032b90053c404f1a417f4e83f3968f5bcc1a7aa077a1b57c1338b8d1e20b1caa.exe
Filesize72KB
MD5c7fcaf4cf046deb93fd45b0700628273
SHA17eb568ebf7000a44f0ebcca12c8557f274ce35f7
SHA256032b90053c404f1a417f4e83f3968f5bcc1a7aa077a1b57c1338b8d1e20b1caa
SHA512b524df505ddea1155a7ce7812ecb252402cdd6cd9f6a09648cd418d3a65f92dc124283b2449593a13a19dbe11f4f49609cb4487b7624997c28eb5e929509ff75
-
C:\Users\Admin\Desktop\HEUR-Trojan-Downloader.Script.Generic-00079d5a48bf881ea9d93d48bfbbe5710a2aab6adfe43abb38c78ecaa3cd0d7c.exe
Filesize37KB
MD501dc5e2a1d0c2d4b33f7548c00f02e92
SHA1db5ea3d27bda12747e10eb7ab385e4927c8837e2
SHA25600079d5a48bf881ea9d93d48bfbbe5710a2aab6adfe43abb38c78ecaa3cd0d7c
SHA512697fb4c5831e469d4e11f72adcfa6a5cdb5f72ef515fd0e1a16a0636dd585626c39a3d64ba22bb87488938f92cf34e48425dfd4e6cec3d0c389452b49e56bce6
-
C:\Users\Admin\Desktop\HEUR-Trojan-GameThief.Win32.OnLineGames.gen-013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825.exe
Filesize4.2MB
MD5f75d1f78ded764d93ec696b65b8ab3ef
SHA18a8ded939cc8e6fb26946381ba9b74651e5e71c3
SHA256013c053bbbd1b145ff848a085f247191722f5409953776658732397393e9b825
SHA512b7ca47be17a327c33decb9a917c10993d67efe3eab7b3c3f20adab11f878298a07e66a1d24078f1eb3b39869b89e8aedf1aff1d8b8191cc97b79943574cb68b5
-
C:\Users\Admin\Desktop\HEUR-Trojan-Spy.MSIL.Noon.gen-0316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54.exe
Filesize1.4MB
MD5c1c430620e88eb5816ecf9df8a1a35d7
SHA110828ef660ee37e3174916b81391a0a1698aea87
SHA2560316213feaee3be7a81a92145a71590679f110345f0a0994b0f93a89da3a4b54
SHA512bf2da05e50f40f05b0689509571a8ffc86749092065405bc63f0cf5f1e2b7eabb512b3f2082ba941bcea383672e2978bb442c7dc783afe31c9d496edb05fb820
-
C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Bsymem.gen-012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac.exe
Filesize942KB
MD530619d87ec29a17cb5aae379b9a524ea
SHA16317b11ea4347932bc47beedcba1e8bb8b3e3220
SHA256012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac
SHA512d3975f4d9b62824677d02a6cfc894bcf7c156531236db0c21db050e697bd3eaea4df711deabfd6d75c73ae7290bd2392295711880161fbd829a8dd0f9cd1014b
-
C:\Users\Admin\Desktop\HEUR-Trojan.MSIL.Injuke.gen-0026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22.exe
Filesize538KB
MD5f3897a74c013ad0633834a5ebd102dd5
SHA143fb70ca2cdd5f580b922c45c0ca1a00e3e084ae
SHA2560026e51b3f6f58bc2fe6dcdd7725e323b2788614451bcdb534746597c5a92f22
SHA5121b1add0b70d3ef36479736587bd8300d8944d4f0a559339e0aa6332427f25a2678f4c6fce8811a56b33c51a41754e1a7608aa6966b8a4065d0f0404e4db62c78
-
C:\Users\Admin\Desktop\HEUR-Trojan.VBS.SAgent.gen-02426893e1fb6b3cc4dba759e7d85a0da3696d4753921487b49bddc629d6ff77.exe
Filesize2.6MB
MD563e31fd9190ac6115f7f0e86e55077ab
SHA136abaaf70244a713fd3033f64afd8823badd068e
SHA25602426893e1fb6b3cc4dba759e7d85a0da3696d4753921487b49bddc629d6ff77
SHA5120e5061b6162e32a71788b61f4e0d179370d3dc7c22238dd88c75049f93961772e7035dee298860e3e68e72d9f93f05381db5b1e109f66b5f34bf640203d7dc1e
-
C:\Users\Admin\Desktop\HEUR-Trojan.Win32.RRAT.gen-02a390aad8d557693715b7d58f42d6685a6f464a7df854b2652993d9e2e53ef0.exe
Filesize108KB
MD5fbdca5d8d0459e4f2c0a1a6f9870a000
SHA165ccc01b26739706066f7c5d8b52ef67e4830f89
SHA25602a390aad8d557693715b7d58f42d6685a6f464a7df854b2652993d9e2e53ef0
SHA5120ab28167405d40634a6353f7ade8dc7a3ddf57920ac211568a8b44c75be5be108f4f8e6c15d512367542e3057f6bc690c65c1d67d38a073a46e8941e7c1cdf1d
-
C:\Users\Admin\Desktop\HEUR-Trojan.Win32.Zenpak.pef-000ce16aa593d3de6ee74dc23d0ef231a77383c7545990d32c47f038314d0051.exe
Filesize166KB
MD58692ca84b76d38ec5c260265413e4ca2
SHA104ae6c5ee39ae1f56bae5e91ecaafb7f7cbee5c7
SHA256000ce16aa593d3de6ee74dc23d0ef231a77383c7545990d32c47f038314d0051
SHA512d4af4f9597d7266a5b9962ceb89a10cc50b7c426fc49682ac50b4c21ae08cf78d015f1ce5cd21b9f54a5591d475ced11195b45bae69ac918a64c910e434a608d
-
C:\Users\Admin\Desktop\Trojan.VBS.SAgent.b-03515798ecb938f5f56cae858854e780bfb9ec2dbb266633b0b317c4962ffb0b.exe
Filesize61KB
MD5448786dee886a78e946b2fcd5976eeff
SHA1506fe9443a06df95a57f783115bfa716b99c4a0e
SHA25603515798ecb938f5f56cae858854e780bfb9ec2dbb266633b0b317c4962ffb0b
SHA512e0233424bccab49e82b3493a7b53ddc67e9e80627d3e95e29640fc0c480404fb8209359af73ade5e672db36cb23c0d709d69040a9d0c394096fcf5d3f5789b12
-
Filesize
29.7MB
MD5322e0876091a361585f2e4735a43614e
SHA148c639f95c2a7d68af535eb70c736b82c2a51bf2
SHA2563396018004b864a95870d88257e206be73bf4a3135d3e94ad8f2bd8ec1646f1e
SHA51262f4327d34f9c2e3211fa101045592fb5f89aaef08b04f9b22334bb7e9de55342ae07f9fe7e46e5e71775de525e970d8c94cb029caaecbe99453133db278f1df