Analysis
-
max time kernel
43s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system -
submitted
13-08-2024 03:38
Static task
static1
Behavioral task
behavioral1
Sample
Chew7.exe
Resource
win7-20240729-en
Errors
General
-
Target
Chew7.exe
-
Size
4.6MB
-
MD5
7b232997942b2a5c7e4dbe931bb4c67c
-
SHA1
06c6d3b5b66585f03bab25c774baadb575cb1515
-
SHA256
0a88faa27484c7c163bc90fbf806a9dab84226c2f60f3410695278ee76d065f5
-
SHA512
1959f3334af0061fac523e31fb030d77c13696977cc151453ca0546cc624d234b2198d141e61d597e0d3c2ff3068ad8f3d732dd477a5b535ccd56dd953588412
-
SSDEEP
98304:6BkL7VOQCsDdOmYglo4Y14pygKq7VOQCsDdOmYglo4Y14pygK:6OLPLDVYglq1pqPLDVYglq1p
Malware Config
Signatures
-
Possible privilege escalation attempt 54 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 54 IoCs
-
Processes:
resource yara_rule
C:\Windows\System32\hale.exe upx
behavioral1/memory/2812-14-0x0000000000400000-0x0000000000BB0000-memory.dmp upx
behavioral1/memory/2812-893-0x0000000000400000-0x0000000000BB0000-memory.dmp upx
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exe reg.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chew7Hale = "\"C:\\Windows\\System32\\hale.exe\" /nolog" reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\c77351 = "\"C:\\Windows\\System32\\cmd.exe\" /C START /MIN RD /S /Q \"C:\\ProgramData\\Microsoft\\Windows\\Pending\"^&EXIT" reg.exe
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Drops file in System32 directory 37 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 43 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exe
pid process
2608 timeout.exe
-
Kills process with taskkill 3 IoCs
Processes:
taskkill.exe taskkill.exe taskkill.exe
pid process
1740 taskkill.exe
2840 taskkill.exe
3000 taskkill.exe
-
Modifies registry key 1 TTPs 5 IoCs
Processes:
reg.exe reg.exe reg.exe reg.exe reg.exe
pid process
412 reg.exe
2724 reg.exe
2728 reg.exe
2612 reg.exe
2948 reg.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chew7.exe"C:\Users\Admin\AppData\Local\Temp\Chew7.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im cmd.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im hale.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\system32\hale.exe"C:\Windows\system32\hale.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\hale.cmd" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\hale.cmd""4⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SOFTWARE5⤵PID:2968
-
-
C:\Windows\system32\find.exeFIND /I "HKEY_LOCAL_MACHINE\SOFTWARE\Chew7"5⤵PID:872
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /f5⤵PID:2904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled5⤵
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled6⤵PID:1560
-
-
-
C:\Windows\system32\tasklist.exeTASKLIST /FI "IMAGENAME eq Chew7.exe"5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
-
C:\Windows\system32\find.exeFIND "Chew7.exe"5⤵PID:2320
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v LastAttempt /t REG_SZ /d install /f5⤵PID:2660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName5⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\system32\reg.exeREG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName6⤵PID:2916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx5⤵
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\system32\reg.exeREG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx6⤵PID:2908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName5⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\system32\reg.exeREG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName6⤵
- Modifies registry key
PID:2948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c TIME /T5⤵PID:2896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO.Windows 7 Ultimate 7601.17727.amd64fre.win7sp1_gdr.111118-2330"5⤵PID:1564
-
-
C:\Windows\system32\find.exeFIND "64"5⤵PID:2988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO.Windows 7 Ultimate 7601.17727.amd64fre.win7sp1_gdr.111118-2330"5⤵PID:3016
-
-
C:\Windows\system32\find.exeFIND "86"5⤵PID:2980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO.AMD64"5⤵PID:2792
-
-
C:\Windows\system32\find.exeFIND "64"5⤵PID:2892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO.AMD64"5⤵PID:1180
-
-
C:\Windows\system32\find.exeFIND "86"5⤵PID:1452
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\winsxs"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:456
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\winsxs" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1880
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\winsxs\Temp\PendingRenames"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\winsxs\Temp\PendingRenames" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:756
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew75⤵PID:1916
-
-
C:\Windows\system32\find.exeFIND /I "IntervalSeconds"5⤵PID:2020
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds /t REG_DWORD /d 30 /f5⤵PID:2548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds5⤵PID:3068
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds6⤵PID:2416
-
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds /t REG_DWORD /d 1e /f5⤵PID:2212
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\slmgr.vbs" /save "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\slmgr.vbs5⤵PID:952
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\slmgr.vbs6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\slmgr.vbs5⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\slmgr.vbs6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2492
-
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\System32\slmgr.vbs"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\slmgr.vbs" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2024
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\27931.lck" "C:\Windows\System32\slmgr.vbs"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2200
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\SysWOW64\slmgr.vbs" /save "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 32\slmgr.vbs5⤵PID:896
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 32\slmgr.vbs6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 32\slmgr.vbs5⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 32\slmgr.vbs6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1700
-
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\SysWOW64\slmgr.vbs"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\SysWOW64\slmgr.vbs" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1572
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\31111.lck" "C:\Windows\SysWOW64\slmgr.vbs"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1544
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1760
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\slwga.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\slwga.dll5⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\slwga.dll6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2600
-
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x89:x06:x85:xDB:x79 -r:x2B:xC0:x89:x06:xEB -o 64\slwga.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2628
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:1156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\slwga.dll5⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\slwga.dll6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2764
-
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\System32\slwga.dll"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\slwga.dll" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2604
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\2314.lck" "C:\Windows\System32\slwga.dll"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2260
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\SysWOW64\slwga.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 32\slwga.dll5⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 32\slwga.dll6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1088
-
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x0C:x8B:x4D:x10 -r:x0C:x2B:xC9:x90 -o 32\slwga.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1276
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:2464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 32\slwga.dll5⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 32\slwga.dll6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1076
-
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\SysWOW64\slwga.dll"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\SysWOW64\slwga.dll" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:948
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\16862.lck" "C:\Windows\SysWOW64\slwga.dll"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2908
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\sppwmi.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\sppwmi.dll5⤵PID:284
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\sppwmi.dll6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:852
-
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xF4:xFF:xFF:x8B:xF8:x85:xC0 -r:xF4:xFF:xFF:x29:xFF:xFF:xC7 -o 64\sppwmi.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3036
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:2008
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x41:x8B:x50:x10:x85:xD2 -r:x48:x31:xD2:x48:xFF:xC2 -o 64\sppwmi.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:888
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:2020
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x8B:x79:x14 -r:x83:xE7:x00 -o 64\sppwmi.dll5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2416
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:2212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\sppwmi.dll5⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\sppwmi.dll6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2176
-
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\SysWOW64\sppwmi.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 32\sppwmi.dll5⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 32\sppwmi.dll6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1164
-
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x89:x45:x10:x85:xC0:x7C:x66 -r:xC7:x45:x10:x01:x00:x00:x00 -o 32\sppwmi.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2128
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:744
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x8B:x41:x10:x83:xE8:x00 -r:x2B:xC0:x40:x90:x90:x90 -o 32\sppwmi.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2480
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:952
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x7C:x29:x8B:x45:x0C:x8B:x78:x14 -r:x90:x90:x8B:x45:x0C:x2B:xFF:x90 -o 32\sppwmi.dll5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2288
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 32\sppwmi.dll5⤵PID:304
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 32\sppwmi.dll6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:560
-
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\user32.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\user32.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\user32.dll5⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\user32.dll6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1268
-
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xE9:xBA:xCC -r:xE9:xBA:xE9 -o 64\user32.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1988
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:1064
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xE9:xBA:xE3 -r:xE9:xBA:xE9 -o 64\user32.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1112
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:2544
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xBA:xE4:x02 -r:xBA:xE9:x02 -o 64\user32.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:620
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:3024
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xE9:xBA:xE5 -r:xE9:xBA:xE9 -o 64\user32.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2532
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:1568
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xE9:xBA:xE7 -r:xE9:xBA:xE9 -o 64\user32.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1576
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:1616
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xE9:xBA:xE6 -r:xE9:xBA:xE9 -o 64\user32.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1072
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:2356
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xE9:xBA:xE1 -r:xE9:xBA:xE9 -o 64\user32.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:412
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:2848
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xE9:xBA:xE8 -r:xE9:xBA:xE9 -o 64\user32.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2600
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:2300
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x00:xBA:xCE -r:x00:xBA:xE9 -o 64\user32.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2728
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:1156
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x20:xBA:xE2 -r:x20:xBA:xE9 -o 64\user32.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1584
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:2592
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xE9:xBA:xCB -r:xE9:xBA:xE9 -o 64\user32.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2624
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:2344
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xBA:xCD -r:xBA:xE9 -o 64\user32.dll5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2260
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵PID:1124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\user32.dll5⤵PID:2652
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\user32.dll6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2884
-
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\System32\user32.dll"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\user32.dll" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1724
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\4151.lck" "C:\Windows\System32\user32.dll"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2468
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\user32.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\systemcpl.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\systemcpl.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\systemcpl.dll5⤵
- Loads dropped DLL
PID:1520 -
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\systemcpl.dll6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2844
-
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x0F:x84:xFD -r:x90:xE9:xFD -o 64\systemcpl.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2660
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:2692
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x0F:x84:xAD:x00:x00:x00 -r:x90:x90:x90:x90:x90:x90 -o 64\systemcpl.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2264
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:2972
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x48:x8D:x0D:x93:xAE:xFF:xFF -r:x90:x90:x90:x90:x90:x90:x90 -o 64\systemcpl.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3016
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:2580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\systemcpl.dll5⤵
- Loads dropped DLL
PID:816 -
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\systemcpl.dll6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1676
-
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\System32\systemcpl.dll"5⤵
- Possible privilege escalation attempt
- Loads dropped DLL
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:756
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\systemcpl.dll" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1080
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\28129.lck" "C:\Windows\System32\systemcpl.dll"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2564
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\systemcpl.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\slui.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\slui.exe5⤵
- Loads dropped DLL
PID:2800 -
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\slui.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\slui.exe5⤵
- Loads dropped DLL
PID:796 -
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\slui.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:812
-
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\System32\slui.exe"5⤵
- Possible privilege escalation attempt
- Loads dropped DLL
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\slui.exe" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3056
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\8495.lck" "C:\Windows\System32\slui.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:980
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1252
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\sppcommdlg.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\sppcommdlg.dll5⤵
- Loads dropped DLL
PID:2292 -
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\sppcommdlg.dll6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:560
-
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xFE:x4E:x75 -r:xFE:x4E:xEB -o 64\sppcommdlg.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1672
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:1756
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x4A:x7A -r:x4A:x65 -o 64\sppcommdlg.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2096
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:1456
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x41:xB8:x2E -r:x41:xB8:x2C -o 64\sppcommdlg.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2068
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:1580
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xE8:x1A:x7E -r:xE8:x46:x91 -o 64\sppcommdlg.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1864
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:1320
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x8D:x4A:x7C -r:x8D:x4A:x65 -o 64\sppcommdlg.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1280
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:356
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xB8:x39 -r:xB8:x2C -o 64\sppcommdlg.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2532
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:2032
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xC7:x7D -r:xF3:x90 -o 64\sppcommdlg.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2676
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:1760
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x4C:x8B:x44:x24:x60:x4C:x8D:x4C:x24:x48:x8B:xD6:x48:x8B:xCB:xE8:x37:xFA:xFF:xFF -r:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90 -o 64\sppcommdlg.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2356
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:2820
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:xBF:x00:x00:x75 -r:xBF:x00:x00:xEB -o 64\sppcommdlg.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2724
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:2632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\sppcommdlg.dll5⤵
- Loads dropped DLL
PID:2784 -
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\sppcommdlg.dll6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2628
-
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\System32\sppcommdlg.dll"5⤵
- Possible privilege escalation attempt
- Loads dropped DLL
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\sppcommdlg.dll" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2636
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\28435.lck" "C:\Windows\System32\sppcommdlg.dll"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1292
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1040
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\sppuinotify.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppuinotify.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\sppuinotify.dll5⤵
- Loads dropped DLL
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\sppuinotify.dll6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1608
-
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x78:x65 -r:xEB:x65 -o 64\sppuinotify.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1996
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:2444
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x83:xBC:x24:xB0:x00:x00:x00:x01:x0F:x95:xC0 -r:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1060
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:2468
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x81:x7F:x1C:x35:xF0:x04:xC0 -r:x3B:xC4:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2904
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:2856
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x78:x0B -r:x90:x90 -o 64\sppuinotify.dll5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2952
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:1520
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\bump.exebump -s:x39:x7C:x24:x58:x0F:x94:xC0 -r:x40:x90:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2660
-
-
C:\Windows\system32\find.exeFIND "changed"5⤵
- Loads dropped DLL
PID:1564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\sppuinotify.dll5⤵
- Loads dropped DLL
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\sppuinotify.dll6⤵
- Loads dropped DLL
PID:2896
-
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\System32\sppuinotify.dll"5⤵
- Possible privilege escalation attempt
- Loads dropped DLL
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1416
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\sppuinotify.dll" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1452
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\10221.lck" "C:\Windows\System32\sppuinotify.dll"5⤵
- Loads dropped DLL
PID:1168
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppuinotify.dll.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1880
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\winlogon.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winlogon.exe.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\winlogon.exe5⤵
- Loads dropped DLL
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\winlogon.exe6⤵
- Loads dropped DLL
PID:1792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\winlogon.exe5⤵
- Loads dropped DLL
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\winlogon.exe6⤵
- Loads dropped DLL
PID:2156
-
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\System32\winlogon.exe"5⤵
- Possible privilege escalation attempt
- Loads dropped DLL
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\winlogon.exe" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1900
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\18428.lck" "C:\Windows\System32\winlogon.exe"5⤵PID:2304
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\winlogon.exe.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\winver.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\winver.exe5⤵PID:900
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\winver.exe6⤵PID:1932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 64\winver.exe5⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 64\winver.exe6⤵PID:2492
-
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\System32\winver.exe"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\winver.exe" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2404
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\12651.lck" "C:\Windows\System32\winver.exe"5⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2508
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\SysWOW64\winver.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 32\winver.exe5⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 32\winver.exe6⤵PID:1580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crc32.exe 32\winver.exe5⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\crc32.execrc32.exe 32\winver.exe6⤵PID:1864
-
-
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\SysWOW64\winver.exe"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\SysWOW64\winver.exe" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1712
-
-
C:\Users\Admin\AppData\Local\Temp\E9A4.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\23544.lck" "C:\Windows\SysWOW64\winver.exe"5⤵
- Drops file in System32 directory
PID:2520
-
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Windows\system32\sfc.exeSFC /scanfile="C:\Windows\System32\wlms\wlms.exe"5⤵PID:1616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" TYPE "C:\Users\Admin\AppData\Local\Temp\chewlog.txt""5⤵PID:628
-
-
C:\Windows\system32\find.exeFIND "FAIL:"5⤵PID:2684
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled /t REG_SZ /d TRUE /f5⤵PID:2820
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /d "\"C:\Windows\System32\hale.exe\" /nolog" /f5⤵
- Adds Run key to start application
- Modifies registry key
PID:412
-
-
C:\Windows\system32\reg.exeREG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce5⤵
- Modifies registry key
PID:2724
-
-
C:\Windows\system32\find.exeFIND "c77351"5⤵PID:2300
-
-
C:\Windows\system32\reg.exeREG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce5⤵
- Modifies registry key
PID:2728
-
-
C:\Windows\system32\find.exeFIND /I "/C START /MIN RD /S /Q"5⤵PID:1156
-
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v "c77351" /d "\"C:\Windows\System32\cmd.exe\" /C START /MIN RD /S /Q \"C:\ProgramData\Microsoft\Windows\Pending\"^&EXIT" /f5⤵
- Adds Run key to start application
- Modifies registry key
PID:2612
-
-
C:\Windows\system32\taskkill.exeTASKKILL /F /IM explorer.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1e /NOBREAK5⤵
- Delays execution with timeout.exe
PID:2608
-
-
-
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /r /f /t 0 /d p:2:182⤵
- Suspicious use of AdjustPrivilegeToken
PID:864
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:2380
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:2984
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
Defense Evasion
- File and Directory Permissions Modification: 2
  - Windows File and Directory Permissions Modification: 1
- Modify Registry: 2
Downloads
-
Filesize
15KB
MD5b6d6886149573278cba6abd44c4317f5
SHA12b309f9046bd884b63ecb418fe3ae56c2c82dd6f
SHA256273c05c8504ca050fe6c50b50d15f32064ec6672ae85cde038976027ca4b14d3
SHA51256352f53e5c88d9c22188480a5cf4d744857774f56e08b53898cda00a235a6be9b3134dc5b58ae2531b06664f6f09c3ec242e227b3dd2235299290805428ff40
-
Filesize
15KB
MD57edc3c01ffe76fbe4f88ed6cf7e93d2a
SHA128f447f52c3601f5771d1d6af8177acc5d18dfc4
SHA256a55cf293afe484a4831bf1921bf8a8a60f27cb83f7b5660859f48cb5fe64dbb7
SHA512003a1531aa00623db7bc17a4b5aeff66255c427b1b7f2577ac6893336395807e8c06dc61fafb5bab187999f71d807ab5beacd1ebdd4690a1a32b54e15c84dfe8
-
Filesize
139KB
MD585eebb24b18781a3d4a8558d8c294a6e
SHA103a6659983cf14e9b2334df9fd32e49079998364
SHA25685d17a0a081907c2c5c0eb856a8639704af47bb7bba508101b3a1c23f742a885
SHA5124fc93cd158891b356eca4b2e719fb825e0aa0b55d705bfddbcad256727a3099c8cc79e4292656b57364f2495b0937241715946b815c4bf61bfd00f6df65b956b
-
Filesize
558B
MD5379f17168f80eb977a0ae103dac9de98
SHA15cd7f4ec26366e2777fc5d5059009f7872fbb8de
SHA2567257349f727d176425f3854bbb7624ec3ec4422e872fbdd025420e9791f99897
SHA512543b8fa7aa3fc95a01568348f3c0ce22cf804cf4451af38858e0b5e3691f7d9a1ea1bcd51a9e3edd1e9a187224861c9cb49fd23c0e9737ad5a78b2dcf4c89c83
-
Filesize
19KB
MD52d9a30606a718bfdb4e5e9b6c2939881
SHA1298b80c781aa4e2cb6fc6f4efac9a565b9b13c82
SHA2561f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51
SHA512c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64
-
Filesize
3KB
MD5682ac7bb084c88e73d628cdf57dff336
SHA1652fb5d2fd9467f1ebf5bb3ba7a5daee87b62e0f
SHA256d9c72a8ceccb6d73dad98ef44495738286286e85102e033fe7f09069bc02fba2
SHA5122c599a1b11f476bb0e1c9bc2b4b30125ebe1e819fbd41c30c10c6770177f2d6ddc4dd91d1ee813a9223e6879accd4fa99dd5a46c8f1723acb7e63b2831e2ae9d
-
Filesize
38KB
MD52e2827ba66bfe75bc2fe2d0a02eecc73
SHA197e85467a9a24a89ab9d2969d5cb7275083c04f2
SHA2564cfa00888b15201bc0ebc133431d55845c807c5e38e85cf910c481ec9f5a66eb
SHA512006500778b6fd25af74cebf47707982b375625f35ea329db9216344943ba8d8bce989130fdda2ac011407e827be0d7fab69fe87dee793cc719e410963bcbf734
-
Filesize
1KB
MD592ce8cbf009cea52544956d2cc6a810f
SHA11ab78049064fd7b6c4b775c2edf70ec58486c563
SHA25689f1e56537b38e367a79c33d75d3a2913ff249d7623363dc48f373eb1b8b14ad
SHA5124de7c8a79fc7c89dce59ec5071ef214af84d5c9e9a3a82956e13c5e2df0a2759a1413970d47cc156d98134992ff6ce43d4d862840190629fa24eed42f4f6dbc8
-
Filesize
423B
MD56ce66570bfab35a20d280d9833049e97
SHA1fc9e4248551156ba80e515e78d3496429754aae2
SHA256c755237b5c58134ff21520f7d2d401e5c9ad40d05dc76fe317ffd238ecafecf2
SHA5121870e653f7132e23b9a1c078b6a6931e6bff6682e8da7325eed20ffef800dbc21e71ff28e5447fc871715c07cc4e8986196a637d855550515feac168c72984b3
-
Filesize
96B
MD5467b51f35949c5a3f722ba736ce920e4
SHA1525638ae64c3d2e3518c7b1debc661a251b8d285
SHA2566c28fa6bf656b77085b464485fd085d4d6eeb7e3a0ff2dff690dc813b492580c
SHA51293d6c5a3eaaecd4d461654c09d4771217570139d39d0dbd06b1593965c7f4196e94594f8156b50ce58830e0694abf5e0e30d6c2ed63e5f482c5c797f22bc4c59
-
Filesize
402B
MD53ab983628da0fd9f8afd497d07f33d76
SHA11d85342e56d1e5d90a10aeb9bde0232250187169
SHA25697754ba105cd61128ebef8aab5272f669a72b64f44b6d861c8d507c088410a27
SHA51265da3d80645d943d4717e8b340bb9ce3e26f07e63b9db7c1d27f68ddf9f3696ba9e0475301e13e93f841558834e4b8fee5452ef220503fe41d70057c5f55da8e
-
Filesize
659B
MD534670db25d9afd4f3912f77f2e5c7d08
SHA1a59646f18b9a365067f9163f2319e219883334d2
SHA256a4761b5a5f5e6542867ba1caa87676410b7aedccd762826359046167771659ff
SHA512069204ff649adec9a4b5029bf8b99c3cb324da3306f9bd9bb350883576efbda65fea445b5d7a1cb3bdcffa66b11be22415d5def1ecca25af19839a22360d5a29
-
Filesize
106B
MD502d7ebad35b5624a751243d101a540ce
SHA14f9f0e0d47c78511ca88776fc86ece16055df66e
SHA2567686c1b97d3f80d042aac35d82b5e5b558a494ae3e0e35de81a47c413d9020ac
SHA51204fc1f935dd996ed1528c9bdf33e783a14a327e4f4477caa1fd5b9312cd3c37792c99b7364e7142284a161fc8c1ff146ca338aea2f1981b27aacf5b95d9e1387
-
Filesize
568B
MD5f16f9a87e6a9f18921a30ac379b81995
SHA13e02237a1b2640138a14d47e2781b8bf8051ad08
SHA2569177bac8288a592264dd90d2c956433a8818f1a34a5d864bd626df3fde0e0cfa
SHA512e60013c4bd894d7426680653653599e335fcfe70a3f5da8b54b443134250853a9755acd3a49aa46ec4b017fe3db403e5c7ddbb4bcfa320825c2067a77fc6760f
-
Filesize
450B
MD518e656cb3dd56af78ac3c58c7018145a
SHA18d6ce19ea492834e65949a7299ebc8e87ff4e484
SHA256a18f490dfe451f8c14eaf07951292cc45318073ddbac65b18831668f48d811b2
SHA5122292eaa0ac027c5b8bb1a5c838d40ace1b723f2962284b26087c52817b2b7db3ef05cbecfe1899d9a2f226292f3bb4409633c9d007facfef8673135b8ae4c148
-
Filesize
145B
MD5d638644c3bb80f1e98ae06fa85680eb1
SHA196d95338be3be4a24d999b82d1e00ccfd797614b
SHA256e8a990623424631496704087d29f05300bc5efabb47c94ffe7f6bd46d803b587
SHA5121349049890363c7ff3a5213e063a1dbc898cf8c85933066c34b0d88b33b6b1964751e9b470af504a62898c870f4dfeee9858aadc336c1f33485e81e89ef1de1a
-
Filesize
113B
MD50ca0566671854f45d316877cb3b9563b
SHA175ea44bb67f797281703030b2989e91c2723ddb6
SHA256048e766ffd49a6ea2fe280dc3f949c1173b439b0367137972fb6f8196c6ad8f3
SHA51212c6e3b76dbf2ea7c631a86010f77467e173cd497af0ce2e8f8fe95986ad4558c950928d4a3fe7fe28d82ca4d29f1c79aeddd0096b1792b6b015264b1a70a51f
-
Filesize
2KB
MD5adbb4c4121d770efc7154f06fe476a42
SHA12ca33c200eb09e8619936997211d8894dadc3694
SHA2566a8233f58dcdffd51292b753688848198982c5de11945651f165d1174e570372
SHA512380c291625ee88a1a7dca67b6a27d393cdf1fc4a60349f413071f584f86372c420bc46467251147ef766c92349751db1cea594a69b6dd6fc0fb67e0d13630697
-
Filesize
8KB
MD5d32c42e48ddee14fddd78bae6866cfc2
SHA1350a4c21e021c6fd3393793f22158e5c73deb2c1
SHA2567ba5af7f29496e9c5eb780cd484623ecaf0443299ea9693261516dfb60401266
SHA512615c7f837e1588b709f19570a5a6f43554133df67de950367152230626f303da5cdd0359b888eb3febb80ac1321a91256e1c61d5eb2aabfc3c5ab3c1cfa94996
-
Filesize
309B
MD5574958530816e546394dbc025d8a08eb
SHA1dbdfb40357f60bb6bc4575806f1f924a11302205
SHA25681ebb38c6e13f2b695cc1cf42ff6f6a1a836270325c2b14a76d4ed5d7ee718da
SHA512088c2bb7b8de936bcc9118ce993bda38344556d8bbd2c0737321042751cf3d0edb730c2fb9fe0bb745694205c68fefcc303907bde02a8b58ae15de23f7dc09c1
-
Filesize
1KB
MD58ff2a0df0d5a63f3a7061ec919ba6344
SHA1f70cabc248d4ec9849657d39dda784717e355c70
SHA256c0cd5f9fc6d23442bc1b81e9e6efb3e2abbeb744863bbb2106e2dd679bf039d7
SHA51296cb5a166da63e1d8b92f5a205c0c0ef616288d242f7c173f20015dde1d56e6a60e948ad32e5f3242e2fe6ae2e0659cf9e6e999748d7afd3003abd66abe15913
-
Filesize
105KB
MD52ba3a706f9e5b8a30dd84f53b022a8ee
SHA13aa34c784f16a4f8a5f2b58265f926660b3317f4
SHA256fb4027289553615d5a47f7cb387ed4f5fcc6c4cd5b176a287d00659587550c55
SHA512ff1c0f880cb9dbf0da6f0a479c0638499baea76daf5d97f363470770ec0cc6b6be309203fcbf02c3fc563a3c65ed30d78990266e1e9199d83dc1d0ee1b438eb8
-
Filesize
1KB
MD5517a63ea2af1a35de43b9677e197d3e2
SHA175cce1d13e9f008fd18046d49cc4997b65092cde
SHA2567f034a0a09d38bf561cd22b8064b18e0b70970a471c0b3a5517324916802407d
SHA5126f29840690bb456192581e001dcaaf10f3f9b6ca986c3936994ddde1d623129c6dbeecae3a2e26720c20ef8f6ce1662debc04fc06fa17139f8ceb9e34c6b3dea
-
Filesize
72B
MD5c8c5679bef306d697cb41059120db0af
SHA1f96628021383fc9789949802bca3156a38e78e52
SHA256d693f31e544041ab9d914ff177e341013f076e98768cedda2826f67b3a0d18bd
SHA51201fc88fe94f3553b7c0fb25e5e0fea294ee2333aaa0eaaebf42479955babba786a9472da0ff92b22a6bfa3b51a0755a937e5bc4b70357975de6d6371d5e145d0
-
Filesize
138B
MD5c7bea4fbf5891b26260127afb7533ca2
SHA11e0e98c226fac9e3e876bae454441209c4ba8ab0
SHA256cc0bd093b79708af3c2dad5f57920961c180692dc35f9cb39dde22b69f7d5616
SHA512ac99234b0f353b19c487d122ea53a168ffeddc1a49bf65b05a1582185ba250976df06ff889a8db5ef16fab830c02c3f0526acd47104bf5aa1ddaa87dc143950b
-
Filesize
552B
MD5f2d504a607de292f182d60a5d9e4999e
SHA191f7994209cb2b60b514066b5d0a42776a395709
SHA2564950dfae742ecab9d8e89be47354abef3acabe5a55ec91187cd572f4a5f15872
SHA512376411b8360dac5282c18d6dfbb66e75f61376b39ba05df970520ecffcf05d9a3ee69c55c4c71300f9877c43f9a7086c68a4eb4921359aa3f3e39940b818e151
-
Filesize
2KB
MD51c33249d6c150a09afb8087002f52074
SHA1b409fa9092b830bf9c605adabc17bc91f70dcf8c
SHA256c62d520f26c02d8c3dc0cb264fe9094491b83ca7c1c7270872ddf30ee88fb1da
SHA512b7683716d506c4ff9f31c6011c938fa6fc7e749be7d737e903c696b95254b3b65d4a68c9af405da3f03190d371c4e11a6faa95ee53613d3d2bb72541d52d0c8d
-
Filesize
2KB
MD5c8b99ad44da7a89087ce7422d8f8247e
SHA1eec118f0b9097642dd0ba227abca7e128a21b126
SHA256fbb9890f72efcf8ffa8f2d576da522c630b59384a55dd64f279014b8c533c3b1
SHA512439ff954fb44c7e245fffca2312f5ecb1496176f14f6b679fb633d766634ca15507bece3458333eceb43068c7f8852d24ff6c9df880d4243a7b5bed57c9fdecf
-
Filesize
2KB
MD51bda73b95a26eac4c772151f3c7e6884
SHA1d9fa7a57e47ae338d1967eca06a609264d267080
SHA2569a73ca98fe5393663ccec7a2a6708ba98086d6e363afa056e5fa28bfbc44020b
SHA512ae3daa430e431799d22f15f85fd2686b6bec89b5b5d03c680350ede217562a9434989291a16039a86b40610abf98e7d3f6c66873aeb25232b2718fc4d2748a40
-
Filesize
3KB
MD5c5284c7d2f7b432917d9d4438bc5b36b
SHA10d512150d3199045efe79afe72da6dde58007dd7
SHA2569c5befb32014629130498d6d634c94f6b075527e9b1e2308b09fbc53baf3eae7
SHA512f21a88d32b22b2517abca0586ea123a1104ae4b3d1d553412602571afa46213068873b5374ac844822ed15bc52ced3bf853321c479e3a92c2bbd475d4415f18e
-
Filesize
3KB
MD5d6ba2d246d194416b3eec380d4a0c83b
SHA1923fd60b4692a031ee2ff88969de7ce7bc210c7c
SHA2569eb3d5d9d91eaeb1fc56d3a36d142515ac629d03d44eec6918232c5a2c5a6d87
SHA5128dcc5dab9d8787cd243d41815d34fd30686355ca2a1a114cee4219a6dbe245392b0c10178d1802e74c15b286fcf6696bfd2e7d0f845633135d84a921b464d91a
-
Filesize
4KB
MD51720bd5ab05a4a5ca4e4a7d87aa9c295
SHA1925eaaa3eefd25c12c65144a55798e0c90627c4f
SHA25664556f0df4467d77cab8ee411986a8fb911cf4cc05543d5a9d6be57302eb4d9d
SHA51224a497611ff047da753c1ffbe378752b2628cb3e7cdaf858e3683b56d5f6f7a4f343b18f8eadd8eaa17e6535888c76044915086cbd6484de7460c59e8e5762cc
-
Filesize
28B
MD538c983879e5d98fef44e8e0538fc7c21
SHA11117731974d46d5a8cc25364e0b05f7e2a3ec11c
SHA2564c447aafb91fce5872a5e2cd1cc86e7557f1765314fa2ed1a7aa0cb98054c81b
SHA512d1a38ca9bad5f24d590e351c0fd59703d8c5508eeca127dca4a1ccc852e4be92ce4add9fa31ca140cd2701498e9f5635f5465958059efe53d90ce80c09c95431
-
Filesize
2.1MB
MD52469decec0e28cb3c83e7fc47cb4ad12
SHA16409fce7b0f64b3297346a5c82a632ce61d7fe8a
SHA256e4d7bb65281a62e905eb2e7aef466525a24403079d4579029847d75142b48282
SHA5122a00232f62b13e6678068cbd9ba2621a4157c0a0baa70dc19349623c21fab770b897db003811ef83a27c45fd988d04637baad54c63d22b1c4bcbc08fb208d1eb
-
Filesize
341KB
MD54a70dc889e9b792b83c68348709d3edd
SHA1826791f1b69bb85b5f6155982e03bccdb7c22eed
SHA2563c18353976d941de594adacf7f868f38f54acf4d93df70c6eb40268c0064a63f
SHA512a9470fe89f63489d224cada645e78a89d9602a0ae794dc5dfbc5d601ccc283976d761dfcb8d137d71960be36b2cab55e44f4566b44035f487b763bc312edae4a
-
Filesize
984KB
MD5d186babdfae7c0d93c9f6ae63957ee96
SHA13bae058e194bab58eb0da58ac4189f8594294388
SHA25674e5f9e83d89c0bd78dbd2873455ef1c9fdd6110d274c82ed82259fd51acb893
SHA51226c7c2305183079dcd12074f4c405ba37ca60fe507db7d363b11c70b7fe9337bee4dff6a3cb5f58f5d8f025a360627e1285a20e75937527ebd131234b6e04c75
-
Filesize
380KB
MD587a00ed70fec36d0dd968e5058c29aa1
SHA19d9e8c4f35b0b5d6077d71eb279bb3195c71979b
SHA256c64c7af3688e9557e7b115375c3c3a41fd2e469ff9ac39eb549b3fe9bcba3315
SHA512f5e5c7fe4a4f40e747aeacd12290a9b841486560566a0a70821b39cb60501e88c7acf8427128a02c088a43ccbec609ba09fa84e2b8ac3bb15be4ceae69e7a4a8
-
Filesize
2KB
MD5b6d47606cc11ba2c58f12fe01983f77c
SHA1a7046870240beb9555991020981d398af7ac56e8
SHA256e6746e6f90d311bb769394ea1247f04f669184a08ecb2a8b237aa5185414dc1b
SHA512729962ac9d8cc2bdfc8f1d2f66e9aeddaef819d9d6b6e4aa235196045558c0ff0ffa0925e7e0a1ebf608ee886d58e1dea91fda82456da25ee1fde65547fbee11