Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2023 20:05
Static task: static1
Behavioral task: behavioral1
Sample: 8d7e517c9d3b5fe21ea0a658e206556f.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 8d7e517c9d3b5fe21ea0a658e206556f.exe
Resource: win10v2004-20231215-en
General
Target: 8d7e517c9d3b5fe21ea0a658e206556f.exe
Size: 21.2MB
MD5: 8d7e517c9d3b5fe21ea0a658e206556f
SHA1: 5fab76edadb005f706b185a162a646bcd2eac575
SHA256: 60a6eab67a9084a9062e927af2d3baa082b68f03cd695cc10973fbd162a644d0
SHA512: 7a782ffddcd95ee7ec524a81e2c886b7e0ea08cbd18bd3a96b96d1063e654571ae5dae74e5051057d87dd191a153172592a3488075076ede398ddc963c1cccf2
SSDEEP: 393216:sJU8TDEs4pwaSvRu5ZdVFvRnNdlHgIF9Mdksntfwk+f6Bg7QQvBh1+Qp+QjFVTWd:sqARa+ReZdVfRhF9MLndR+V7lhcFQjt4
Malware Config
Extracted
quasar
1.4.0.0
Office04
fw1.sshreach.me:11726
gYtQRg6YdEcKjBSbuQ
encryption_key: kZsVnRGkwCKF8NT2Xwjm
install_name: update.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Microsoft Api Update
subdirectory: SubDir
Signatures
-
flow ioc pid Process
25 ip-api.com Process not Found
4368 schtasks.exe
74 ip-api.com Process not Found
106 ip-api.com Process not Found
Quasar payload 22 IoCs
Blocklisted process makes network request 1 IoCs
flow pid Process
35 7756 cmd.exe
Checks computer location settings 2 TTPs 35 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation cmd.exe
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation update.exe
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation 8d7e517c9d3b5fe21ea0a658e206556f.exe
Executes dropped EXE 37 IoCs
Loads dropped DLL 20 IoCs
pid Process
1016 Bscz.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Api Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\update.exe\"" update.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
25 ip-api.com
74 ip-api.com
106 ip-api.com
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File created C:\autorun.inf update.exe
File created F:\autorun.inf update.exe
File created F:\autorun.inf cmd.exe
File created C:\autorun.inf cmd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 46 IoCs
Detects Pyinstaller 4 IoCs
resource yara_rule
behavioral2/files/0x0008000000023210-10.dat pyinstaller
behavioral2/files/0x0008000000023210-12.dat pyinstaller
behavioral2/files/0x0008000000023210-26.dat pyinstaller
behavioral2/files/0x0008000000023210-2361.dat pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 34 IoCs
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Runs ping.exe 1 TTPs 34 IoCs
Suspicious use of AdjustPrivilegeToken 35 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe "C:\Users\Admin\AppData\Local\Temp\8d7e517c9d3b5fe21ea0a658e206556f.exe" 1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\Bscz.exe "C:\Users\Admin\AppData\Local\Temp\Bscz.exe" 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\Bscz.exe "C:\Users\Admin\AppData\Local\Temp\Bscz.exe" 3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016
-
-
-
C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe "C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe" 2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Tjlhmjuvlwj.exe" /rl HIGHEST /f 3⤵
- Quasar RAT
- Creates scheduled task(s)
PID:4368
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" 3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f 4⤵
- Creates scheduled task(s)
PID:5212
-
-
C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1 4⤵
- Creates scheduled task(s)
PID:6928
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZPir7R0lgWyP.bat" " 4⤵
- Suspicious use of WriteProcessMemory
PID:7544 -
C:\Windows\SysWOW64\chcp.com chcp 65001 5⤵ PID:7608
-
-
C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost 5⤵
- Runs ping.exe
PID:7640
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" 5⤵ PID:7756
-
C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f 6⤵
- Creates scheduled task(s)
PID:7912
-
-
C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1 6⤵
- Creates scheduled task(s)
PID:7984
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7756 -s 2400 6⤵
- Program crash
PID:8152
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAnv9mNGqMPu.bat" " 6⤵
- Suspicious use of WriteProcessMemory
PID:8064 -
C:\Users\Admin\AppData\Roaming\SubDir\update.exe "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" 7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:8696 -
C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1 8⤵
- Creates scheduled task(s)
PID:8920
-
-
C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f 8⤵
- Creates scheduled task(s)
PID:8852
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8696 -s 2368 8⤵
- Program crash
PID:9072
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fL4YPqG8To7H.bat" " 8⤵ PID:9000
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" 9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5740 -
C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1 10⤵
- Creates scheduled task(s)
PID:5516
-
-
C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f 10⤵
- Creates scheduled task(s)
PID:5580
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1CoERHXBT5Oz.bat" " 10⤵ PID:5444
-
C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost 11⤵
- Runs ping.exe
PID:5944
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" 11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6768 -
C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1 12⤵
- Creates scheduled task(s)
PID:6988
-
-
C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f 12⤵
- Creates scheduled task(s)
PID:6916
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1928 12⤵
- Program crash
PID:7136
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xf5igb5ibpcy.bat" " 12⤵ PID:7068
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" 13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5300 -
C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f 14⤵
- Creates scheduled task(s)
PID:5156
-
-
C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1 14⤵
- Creates scheduled task(s)
PID:3160
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YLJtVbjzS2vA.bat" " 14⤵ PID:700
-
C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost 15⤵
- Runs ping.exe
PID:2884
-
-
C:\Windows\SysWOW64\chcp.com chcp 65001 15⤵ PID:3320
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" 15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2268 -
C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1 16⤵
- Creates scheduled task(s)
PID:4792
-
-
C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f 16⤵
- Creates scheduled task(s)
PID:7708
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWZWlecr5UdX.bat" " 16⤵ PID:3840
-
C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost 17⤵
- Runs ping.exe
PID:7888
-
-
C:\Windows\SysWOW64\chcp.com chcp 65001 17⤵ PID:7568
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" 17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:8548 -
C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f 18⤵
- Creates scheduled task(s)
PID:8116
-
-
C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1 18⤵
- Creates scheduled task(s)
PID:8876
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A8RO7XFNykfP.bat" " 18⤵ PID:9028
-
C:\Windows\SysWOW64\chcp.com chcp 65001 19⤵ PID:8832
-
-
C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost 19⤵
- Runs ping.exe
PID:8744
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" 19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5580 -
C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f 20⤵
- Creates scheduled task(s)
PID:4656
-
-
C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1 20⤵
- Creates scheduled task(s)
PID:6296
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WzC48yWRx2w6.bat" "20⤵PID:6504
-
C:\Windows\SysWOW64\chcp.comchcp 6500121⤵PID:6708
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost21⤵
- Runs ping.exe
PID:6544
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:7236 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f22⤵
- Creates scheduled task(s)
PID:7468
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 122⤵PID:5320
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O9eycHEz5fxa.bat" "22⤵PID:7116
-
C:\Windows\SysWOW64\chcp.comchcp 6500123⤵PID:5136
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost23⤵
- Runs ping.exe
PID:5148
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2000 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f24⤵PID:4192
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 124⤵
- Creates scheduled task(s)
PID:2532
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsovWj4hpyER.bat" "24⤵PID:6192
-
C:\Windows\SysWOW64\chcp.comchcp 6500125⤵PID:4324
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost25⤵
- Runs ping.exe
PID:7628
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:8772 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f26⤵
- Creates scheduled task(s)
PID:8436
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 126⤵
- Creates scheduled task(s)
PID:8936
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XetzY5SCzpfw.bat" "26⤵PID:3156
-
C:\Windows\SysWOW64\chcp.comchcp 6500127⤵PID:1608
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost27⤵
- Runs ping.exe
PID:7328
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5520 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f28⤵
- Creates scheduled task(s)
PID:3876
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 128⤵
- Creates scheduled task(s)
PID:3388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmX9Fe0RbezW.bat" "28⤵PID:7108
-
C:\Windows\SysWOW64\chcp.comchcp 6500129⤵PID:6656
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost29⤵
- Runs ping.exe
PID:6092
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4472 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f30⤵
- Creates scheduled task(s)
PID:4880
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 130⤵
- Creates scheduled task(s)
PID:4344
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fwz3ixj0iI0z.bat" "30⤵PID:4100
-
C:\Windows\SysWOW64\chcp.comchcp 6500131⤵PID:2052
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost31⤵
- Runs ping.exe
PID:6188
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 195230⤵
- Program crash
PID:2928
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 134028⤵
- Program crash
PID:6012
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8772 -s 241626⤵
- Program crash
PID:2448
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 187224⤵
- Program crash
PID:4432
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7236 -s 240422⤵
- Program crash
PID:4248
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 240420⤵
- Program crash
PID:6596
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8548 -s 242018⤵
- Program crash
PID:8708
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 240816⤵
- Program crash
PID:1548
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 239614⤵
- Program crash
PID:1592
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 242410⤵
- Program crash
PID:5924
-
-
-
-
-
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵PID:8408
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
PID:8420
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 24124⤵
- Program crash
PID:7648
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 244 -ip 2441⤵PID:7588
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost1⤵
- Runs ping.exe
PID:8160
-
C:\Windows\SysWOW64\chcp.comchcp 650011⤵PID:8136
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7756 -ip 77561⤵PID:8088
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exeC:\Users\Admin\AppData\Roaming\SubDir\update.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8232 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 12⤵
- Creates scheduled task(s)
PID:8456
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:8388
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8232 -s 24122⤵
- Program crash
PID:8600
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jLnwyRsGjUJu.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:8536 -
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5340 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:6384
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 14⤵
- Creates scheduled task(s)
PID:4828
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 22684⤵
- Program crash
PID:5824
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JpsA1Va6N2En.bat" "4⤵PID:5436
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6004 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
PID:6268
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 16⤵
- Creates scheduled task(s)
PID:6424
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 24206⤵
- Program crash
PID:6652
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8xVKh48LzsYN.bat" "6⤵PID:6576
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:672 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 18⤵
- Creates scheduled task(s)
PID:7380
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
PID:7452
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 23888⤵
- Program crash
PID:7244
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B9tKIHPhW3jU.bat" "8⤵PID:7312
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1244 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f10⤵
- Creates scheduled task(s)
PID:2072
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 110⤵PID:532
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iDzuIS5VgjUd.bat" "10⤵PID:7636
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost11⤵
- Runs ping.exe
PID:2556
-
-
C:\Windows\SysWOW64\chcp.comchcp 6500111⤵PID:3308
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2628 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f12⤵
- Creates scheduled task(s)
PID:7768
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 112⤵
- Creates scheduled task(s)
PID:7844
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 240812⤵
- Program crash
PID:8364
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UnjkKdhuAiFi.bat" "12⤵
- Blocklisted process makes network request
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:7756 -
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5816 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f14⤵
- Creates scheduled task(s)
PID:9100
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 114⤵
- Creates scheduled task(s)
PID:9024
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qNzo4adSWvgo.bat" "14⤵PID:5640
-
C:\Windows\SysWOW64\chcp.comchcp 6500115⤵PID:5924
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost15⤵
- Runs ping.exe
PID:5704
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:7120 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f16⤵
- Creates scheduled task(s)
PID:6912
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 116⤵
- Creates scheduled task(s)
PID:8504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z6pbwW0M758k.bat" "16⤵PID:6604
-
C:\Windows\SysWOW64\chcp.comchcp 6500117⤵PID:7416
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost17⤵
- Runs ping.exe
PID:7356
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3240 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f18⤵
- Creates scheduled task(s)
PID:1280
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 118⤵
- Creates scheduled task(s)
PID:4736
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\33wGQewoZsTo.bat" "18⤵PID:5488
-
C:\Windows\SysWOW64\chcp.comchcp 6500119⤵PID:5212
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost19⤵
- Runs ping.exe
PID:4852
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:8120 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f20⤵
- Creates scheduled task(s)
PID:8824
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 120⤵
- Creates scheduled task(s)
PID:8620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NydjXXPJTEjB.bat" "20⤵PID:8272
-
C:\Windows\SysWOW64\chcp.comchcp 6500121⤵PID:8548
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost21⤵
- Runs ping.exe
PID:1788
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5668 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f22⤵
- Creates scheduled task(s)
PID:2432
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 122⤵
- Creates scheduled task(s)
PID:7016
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qP5T07nW6AGG.bat" "22⤵PID:2988
-
C:\Windows\SysWOW64\chcp.comchcp 6500123⤵PID:9208
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost23⤵
- Runs ping.exe
PID:9200
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4720 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f24⤵
- Creates scheduled task(s)
PID:264
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 124⤵
- Creates scheduled task(s)
PID:5208
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUB30JTLGr0P.bat" "24⤵PID:7316
-
C:\Windows\SysWOW64\chcp.comchcp 6500125⤵PID:2204
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost25⤵
- Runs ping.exe
PID:2836
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 240024⤵
- Program crash
PID:4972
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 241222⤵
- Program crash
PID:6708
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8120 -s 240420⤵
- Program crash
PID:4652
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 240818⤵
- Program crash
PID:700
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 184016⤵
- Program crash
PID:7436
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 242814⤵
- Program crash
PID:5968
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 239610⤵
- Program crash
PID:3708
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost1⤵
- Runs ping.exe
PID:8636
-
C:\Windows\SysWOW64\chcp.comchcp 650011⤵PID:8616
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 8232 -ip 82321⤵PID:8544
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost1⤵
- Runs ping.exe
PID:9092
-
C:\Windows\SysWOW64\chcp.comchcp 650011⤵PID:9064
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 8696 -ip 86961⤵PID:9008
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5340 -ip 53401⤵PID:3928
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost1⤵
- Runs ping.exe
PID:5804
-
C:\Windows\SysWOW64\chcp.comchcp 650011⤵PID:5828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5740 -ip 57401⤵PID:5440
-
C:\Windows\SysWOW64\chcp.comchcp 650011⤵PID:5912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6004 -ip 60041⤵PID:6592
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost1⤵
- Runs ping.exe
PID:6692
-
C:\Windows\SysWOW64\chcp.comchcp 650011⤵PID:6676
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost1⤵
- Runs ping.exe
PID:7160
-
C:\Windows\SysWOW64\chcp.comchcp 650011⤵PID:7128
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6768 -ip 67681⤵PID:7076
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost1⤵
- Runs ping.exe
PID:7208
-
C:\Windows\SysWOW64\chcp.comchcp 650011⤵PID:7236
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 672 -ip 6721⤵PID:7300
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5300 -ip 53001⤵PID:3548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1244 -ip 12441⤵PID:7608
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2268 -ip 22681⤵PID:7664
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2628 -ip 26281⤵PID:4756
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exeC:\Users\Admin\AppData\Roaming\SubDir\update.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:8296 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:4704
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 12⤵
- Creates scheduled task(s)
PID:9144
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9sMSgA9A6ttO.bat" "2⤵PID:4772
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
PID:5432
-
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵PID:6392
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6488 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:6008
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 14⤵PID:4876
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5DXnYjyrMKzV.bat" "4⤵PID:6876
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵PID:7064
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
PID:7076
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3548 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
PID:5184
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 16⤵
- Creates scheduled task(s)
PID:5164
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcGh7gey3ve4.bat" "6⤵PID:812
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵PID:2144
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost7⤵
- Runs ping.exe
PID:4728
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:8148 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
PID:8060
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 18⤵
- Creates scheduled task(s)
PID:3196
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gT0N97v13Cvl.bat" "8⤵PID:7864
-
C:\Windows\SysWOW64\chcp.comchcp 650019⤵PID:7640
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost9⤵
- Runs ping.exe
PID:3780
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:8240 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f10⤵
- Creates scheduled task(s)
PID:5500
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 110⤵
- Creates scheduled task(s)
PID:5708
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1RRL9DiHNSqh.bat" "10⤵PID:5968
-
C:\Windows\SysWOW64\chcp.comchcp 6500111⤵PID:5016
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost11⤵
- Runs ping.exe
PID:5400
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6432 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f12⤵PID:6844
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 112⤵
- Creates scheduled task(s)
PID:6712
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qa5VpmHWyI9H.bat" "12⤵PID:3996
-
C:\Windows\SysWOW64\chcp.comchcp 6500113⤵PID:3452
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost13⤵
- Runs ping.exe
PID:6788
-
-
C:\Users\Admin\AppData\Roaming\SubDir\update.exe"C:\Users\Admin\AppData\Roaming\SubDir\update.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:8056 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f14⤵
- Creates scheduled task(s)
PID:4120
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 114⤵
- Creates scheduled task(s)
PID:8412
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\80b8BT7wChWj.bat" "14⤵PID:7880
-
C:\Windows\SysWOW64\chcp.comchcp 6500115⤵PID:8288
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost15⤵
- Runs ping.exe
PID:7788
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8056 -s 240814⤵
- Program crash
PID:8480
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6432 -s 239212⤵
- Program crash
PID:4328
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8240 -s 241610⤵
- Program crash
PID:5372
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8148 -s 24208⤵
- Program crash
PID:7584
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 23966⤵
- Program crash
PID:7260
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 24124⤵
- Program crash
PID:6972
-
-
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8296 -s 2416 2⤵
- Program crash
PID:5412
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 8548 -ip 8548 1⤵ PID:9084
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 8296 -ip 8296 1⤵ PID:624
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5816 -ip 5816 1⤵ PID:5456
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5580 -ip 5580 1⤵ PID:6528
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6488 -ip 6488 1⤵ PID:6900
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7120 -ip 7120 1⤵ PID:6600
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7236 -ip 7236 1⤵ PID:7096
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3548 -ip 3548 1⤵ PID:1396
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3240 -ip 3240 1⤵ PID:5464
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2000 -ip 2000 1⤵ PID:6180
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 8148 -ip 8148 1⤵ PID:8444
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 8120 -ip 8120 1⤵ PID:8252
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 8772 -ip 8772 1⤵ PID:3340
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 8240 -ip 8240 1⤵ PID:5684
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5668 -ip 5668 1⤵ PID:5432
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5520 -ip 5520 1⤵ PID:7004
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6432 -ip 6432 1⤵ PID:1840
C:\Users\Admin\AppData\Roaming\SubDir\update.exe C:\Users\Admin\AppData\Roaming\SubDir\update.exe 1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6892
C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Microsoft Api Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /rl HIGHEST /f 2⤵
- Creates scheduled task(s)
PID:7372
C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\update.exe" /sc MINUTE /MO 1 2⤵
- Creates scheduled task(s)
PID:5200
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwPxDbVyJOAj.bat" " 2⤵ PID:5172
C:\Windows\SysWOW64\chcp.com chcp 65001 3⤵ PID:7292
C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost 3⤵
- Runs ping.exe
PID:2108
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 2400 2⤵
- Program crash
PID:1444
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6892 -ip 6892 1⤵ PID:4040
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4720 -ip 4720 1⤵ PID:7432
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4472 -ip 4472 1⤵ PID:7084
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8056 -ip 8056 1⤵ PID:7924
Network
MITRE ATT&CK Enterprise v15
Downloads