Analysis
-
max time kernel
491s -
max time network
803s -
platform
windows11-21h2_x64 -
resource
win11-20240704-en -
resource tags
-
submitted
06-07-2024 18:00
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Score
10/10
Malware Config
Extracted
Family
warzonerat
C2
168.61.222.215:5400
Extracted
Family
revengerat
Botnet
Guest
C2
0.tcp.ngrok.io:19521
Mutex
RV_MUTEX
Extracted
Family
modiloader
C2
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Extracted
Family
crimsonrat
C2
185.136.161.124
Signatures
-
CrimsonRAT main payload 1 IoCs
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
UAC bypass 3 TTPs 2 IoCs
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
ModiLoader First Stage 1 IoCs
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Renames multiple (561) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
RevengeRat Executable 1 IoCs
-
Warzone RAT payload 2 IoCs
-
Adds policy Run key to start application 2 TTPs 3 IoCs
-
Manipulates Digital Signatures 1 TTPs 12 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Drops startup file 10 IoCs
-
Executes dropped EXE 64 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies system executable filetype association 2 TTPs 36 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
NTFS ADS 64 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa5a643cb8,0x7ffa5a643cc8,0x7ffa5a643cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6212 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:12⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6848 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3892 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,15397388221959319328,14767909494081538291,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3924 /prefetch:22⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\85dd80d63f9f472187778ac162b9ad7e /t 34232 /p 342241⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\219778f8a64a4b1e84d00cefca027716 /t 34120 /p 341361⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt1⤵
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\82ED8422-AE4F-45FD-AB77-5A37DAB8EDBA\dismhost.exeC:\Users\Admin\AppData\Local\Temp\82ED8422-AE4F-45FD-AB77-5A37DAB8EDBA\dismhost.exe {2EC10E22-375B-4280-8012-83E150DC1680}1⤵
- Drops file in Windows directory
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Pony\metrofax.doc"2⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon3⤵
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1DC7.tmp"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xkmsv1_j.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cn7zwnhm.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA44C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB2B1B3CCA1D432BAAAFC9C59EC5711.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w6vbrbyn.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA575.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4794FEFF4B24367A19C45C66E786D9E.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kapfrffj.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA66F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE83335F0228D4651B6EA7929F0D3E40.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p8aktmhf.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6FC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83EBC49559DE4B45973E7A6FBE5BE61B.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lrngiohb.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA825.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAAA1DA58A5F3423CAFC5D3F21C55D02.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6xt45skg.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA96D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA65F2803DD814DA780B093B0D8D2B43.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t2qtnj4u.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA7754A8A3764CCDA3902A37AD124C8.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bkvorr39.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB42.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3F28AABE84E643D5AC69ECA42C23181.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\veh619gz.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABCE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7F128B82B3F463FB23874C5CF8122D3.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2wqu6w-v.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC3C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B47F77AAA73463A8AF226802BBED0AB.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v3x5hwiu.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7C81A298AFC43E5AEB284C79F2E5CFC.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdmnkfvt.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc27425A246C94D1D9CF2D8DCE383DEAD.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vesrdw1r.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE01.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1AFC77E511E74BE59432B26665ECB5.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m74zucn7.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc268140DE62604A908A3CACF36920EABF.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c1a6vmhw.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9124DAED6154920BF7823B16731BE37.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\337jgpuu.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFE5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B75E5514F44229E55BB9647A760E5.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1g96a4zd.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68A78361FEF245C29314EC115CD9ED13.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qznhcjeq.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3BD88B172E454491A2279C6C90AC28F3.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gystkyje.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB331.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A971013143438FA41AEA4852E743E6.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tbug0pj2.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB43A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C0AE21DB2C1418CB45CD37B4AC8A18A.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i6t0p6yr.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ao_jubjh.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB600.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD821DF3039A64CD3A6666A4BABDE95ED.TMP"4⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bxrhqnjr.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAAC8B641D2A46688E442476489363D.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-lbyutpb.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54D9636B40A34C198E92E5683A72C12.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fu3ucrsl.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A9AD6D429E048B7A6D1F2F85E2FC956.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yj4gzj-3.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4417.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE97A38EE8624660A14AF194F9DBFC7A.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pwewvvgo.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7md_hkec.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\og67zchq.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES458E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB7C142D193D94D85B568BF9BBA77A33D.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lvmj0rae.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4705.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB59AC59475A748419DFBE288F9DCFDBC.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h-tlg-yp.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a7bie47f.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b7okxw3g.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F1013FC53364351A1D0FF81444C4C61.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d0nebdxi.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72A0C10E2032489B893E775EEE9219.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hbpy4p6z.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4ADD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4F92AF429B0496ABB5573419F0221A.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-lnxb5_f.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ztn_wvl3.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F2576852E184FB4B59F5405612D27.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h115noco.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6143.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE224182587A48FE9C97B839C9E4F5D3.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zivvpdnn.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6412.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5ECEFC3391A749DAA91648FCB64E99B3.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qq77-css.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\emvqoxmg.cmdline"5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-qjfwcgl.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6839.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFF0DF1D7BB84F8396D23991FBADF573.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\22fpnya-.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6990.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA9F6C8E9D684CB4B7A0D74A147DC621.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1ocrvlzf.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A8A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29E7CABD98E948F48EF73CEA42206CE8.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ijjytue4.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B65.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8278263C34B4870A74B3BD5647DA45.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9vwsnnbz.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C6F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72A8B9A25947689A630A367B76473.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uqjyrpfv.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ob6ilzpl.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E72.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC1D23F5545DB4CE38F1E5898F82D2F7B.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f6qlpruj.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FCA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc241BE467B46B45E58538D6324C292385.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\keu8ad4x.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BA85FB0695148DE81141BF46B2FCC6B.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3n_vv5c_.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\crlalasg.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc477AB4A642504A2DBB74A419AB7915EB.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zhymnpuk.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d2flonpf.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES750A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C99263B7684D4E94374B708A8E074.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nnlx8n8c.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE67C25993EE34DDAB813FF38638A3433.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hpvkfkfu.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc963C9650BBB04D388EC4694043C3A4EF.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gys58qw2.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7875.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA7D0C3C722584B788C3FE251CA7F65B.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fsavzkbz.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f3cjwga6.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\miw4efxp.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE76083F3BB254EBBB05342F8A69687F3.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ioe565ah.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xqtzbyrx.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DB5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5CF7FC266394CE682C8D41B72CDD63.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tw-57w8f.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E9F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15F16787AA224948BA5B61159F1CCC6E.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5kd8o3eh.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3umv9nar.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98B0262DEBF421A8CC8D653199B90EC.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rrxdynyp.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD34D09E310CE42F98FC7E4787E41649.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a1l9zrl2.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cfcculik.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc666481EB507D49D09FEFA746A4DB9A3.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o4ra0gqg.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3CD0841A69FB4B52B7DD3F9EF9CBDB42.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mxd7nl8a.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8611.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA66C4DEEEA6421C8EAAB3AB88D2C029.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4bv8df3x.cmdline"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ukmslld.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m3lg8ana.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2B35535E34944CA9692A57556876B40.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x3zcztn_.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7zjogvgc.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A67.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB682A452C51549D9863E4D8C8EE096BB.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r5wjm_xf.cmdline"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xt_boxfd.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2sdy_c_r.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF5DC83BAFE24467AF1D9488A4D09D42.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gnchd3_2.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB68F1A11CA104D2BBB12BF68F67DF1A9.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qnsjyzih.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBFA5574E6305441187BDDC631B461F7F.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bcqx2ljh.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jo-keuvy.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7F59A8DBC1F4B81B6E3E09AC7A0F8BA.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8e4fbjwa.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9208.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B62DA45C7C745A698722D99A5B902D.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u59b4wyk.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9321.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc908AF483E8D94CAC8D88B284AD24A51.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d7ou_due.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES941B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CD73158D4CB462EABC375CA27C87F1.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qwshp1gx.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F1E8C9DAA414BFDB5FDB3F5DA43C9E.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ghylstq3.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xwire7fu.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1q_np32z.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nzhobcxh.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i8kic7ze.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF199E1AF77644A7489857CDE4AFF2850.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6g876qw_.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AA3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7E67FFBB4194F7591C065D620816731.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cx26csui.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t7epskf_.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fdzknqqw.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytpb7qgq.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2870ACB5DB4C67A3F74B709BD3F696.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\onmw6grl.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E8B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB7DEEE99264F349B889171FE62B029.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4wurmkiv.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ish5ef00.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\viz4oxum.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s-rekch7.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4wxzluhe.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9vkkjfrh.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA419.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc64FD9212E9E47818AA3F2AA6DFBD1B3.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i0wcmrdy.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA551.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E40D31620A64CE1BF11B530A61B20A4.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d6hfpr8e.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ics46-yw.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qg_5fvcp.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u2ccki6j.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C9B8579D4548D78AF15302F94BF8.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cn1rqkjw.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FB2A89A16BA461B8058AA9EBCD12D6.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l80n4ng0.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zprxf_jd.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABBA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F7ACC994D7E4A3CA042B53968E78A5E.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wdvnwzev.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC75.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD5928E2BADD49FC8D44E47C563F7B8.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1wyf5qa-.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5359261C85AA4A8C8E8AE0CF2C58BE8D.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wrapw_kc.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9AFBA4CAC39459D94D7555597E9730.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yd7qldvn.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC631E36FEA42B8AA55DB5C4585C5F.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6ptkpz4k.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB03E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D333D4B35DC439387EDBBCE1DBF773D.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sqlyp-s3.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u4ximkrz.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pr597xnd.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\encsbnk7.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB32C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD53531E79FE4BA290D7D792B671341C.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vmf0sa6l.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tf1jsztn.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\itavewtl.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d_tdzwuo.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9nmgupop.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ilrjlfea.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zwyg_117.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i3u7o2xe.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB947.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF574D2C596794B948BAAF51E3C3B29CA.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ako64ltv.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD10A514B5F747C497F81339DD6A8FEC.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z6shn5eq.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qs1q5bu_.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hskzk_6g.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC73.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D9CC55F2B26447A8AD27BECF6461D74.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sbensy90.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2wpanp-y.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wwzkt2mu.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC126.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA4727362EE0409E924469B8A24CF78E.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\utlezg_u.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC397.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7D0061D3A3DE4B2D8AABBA59BD9A2F.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2yixox2q.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ewkulcyp.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\du3tax4o.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84FAF2A6E41D4AABB476FD5D5ACA94.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qnzvkget.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dytqowpu.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fllvr1u_.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc24C37168E59845C4915E2016FD1273E0.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b8-vfmab.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3220.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2745588ED4114AFAAE74E21E61A57A9A.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\duxm4ksk.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES353D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4413B8262B7C47F284DAB27CBCEC47D8.TMP"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bnxywaht.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D6154D64894B70A8968D288DC1DC33.TMP"6⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Remcos.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Remcos.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "2⤵
-
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 23⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\Userdata\Userdata.exe"C:\Windows\SysWOW64\Userdata\Userdata.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- Modifies registry key
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NJRat.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NJRat.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NJRat.exe" "NJRat.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe"2⤵
- Adds Run key to start application
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x0000000000000470 0x00000000000004BC1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"1⤵
-
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Blackkomet.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Blackkomet.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT" +s +h2⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h3⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h4⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h5⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h6⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h7⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h8⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h8⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"8⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad9⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h9⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"9⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h10⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h10⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h11⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"12⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h13⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h13⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"13⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h14⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h14⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"14⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h15⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h16⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h17⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"17⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h18⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h18⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h19⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"19⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h20⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h20⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h21⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"21⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h22⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h23⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h24⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h24⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"24⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h25⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h25⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"25⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h26⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h26⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h27⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h27⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"27⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h28⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h28⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h29⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h29⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"29⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h30⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h30⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"30⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h31⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"31⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h32⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h32⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"32⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h33⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h33⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h34⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h34⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad35⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h35⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h35⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h36⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h36⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"36⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad37⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h37⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h37⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"37⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h38⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h38⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"38⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h39⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h39⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"39⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\notepad.exenotepad40⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h40⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h40⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"40⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h41⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h42⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h42⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h43⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"43⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad44⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h44⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h44⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"44⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h45⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"45⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h46⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h46⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"46⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h47⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"47⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h48⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h48⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"48⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h49⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h49⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"49⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h50⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h50⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"50⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h51⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h51⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"51⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h52⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h52⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"52⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h53⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h53⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"53⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad54⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h54⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h54⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"54⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h55⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h55⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h56⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h56⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h57⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h57⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"57⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h58⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h58⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"58⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h59⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h59⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"59⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h60⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h60⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"60⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h61⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"61⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h62⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h62⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"62⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h63⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h63⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"63⤵
-
C:\Windows\SysWOW64\notepad.exenotepad64⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h64⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h64⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"64⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h65⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"65⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h66⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h66⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"66⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h67⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h67⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"67⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h68⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h68⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"68⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h69⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"69⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h70⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h70⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"70⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h71⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h71⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"71⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h72⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h72⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"72⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h73⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"73⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h74⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h74⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"74⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h75⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h75⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"75⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h76⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h76⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"76⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h77⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h77⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"77⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h78⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h78⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"78⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h79⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h79⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"79⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h80⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h80⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"80⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad81⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h81⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h81⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"81⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h82⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h82⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"82⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h83⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h83⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"83⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad84⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h84⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h84⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"84⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h85⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h85⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"85⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h86⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h86⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"86⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h87⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h87⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"87⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h88⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h88⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"88⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h89⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h89⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"89⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h90⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h90⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"90⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h91⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h91⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"91⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h92⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h92⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"92⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h93⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h93⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"93⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h94⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h94⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"94⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\notepad.exenotepad95⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h95⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h95⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"95⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h96⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h96⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"96⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h97⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h97⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"97⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h98⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h98⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"98⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h99⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h99⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"99⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h100⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h100⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"100⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h101⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h101⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"101⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h102⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h102⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"102⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h103⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h103⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"103⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h104⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h104⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"104⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h105⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h105⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"105⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h106⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h106⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"106⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h107⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h107⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"107⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h108⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h108⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"108⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h109⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h109⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"109⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h110⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h110⤵
- Sets file to hidden
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"110⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h111⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h111⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"111⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h112⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h112⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"112⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h113⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h113⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"113⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h114⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h114⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"114⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h115⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h115⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"115⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\notepad.exenotepad116⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h116⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h116⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"116⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h117⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h117⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"117⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h118⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h118⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"118⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h119⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h119⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"119⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h120⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h120⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"120⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad121⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h121⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h121⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"121⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h122⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h122⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"122⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h123⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h123⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"123⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h124⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h124⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"124⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h125⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h125⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"125⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h126⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h126⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"126⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h127⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h127⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"127⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h128⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h128⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"128⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\notepad.exenotepad129⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h129⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h129⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"129⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h130⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h130⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"130⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h131⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h131⤵
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"131⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h132⤵
- Sets file to hidden
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h132⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe129⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe121⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe116⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe95⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe93⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe91⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe84⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe81⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe77⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe73⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe69⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe64⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe59⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe55⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe54⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe44⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe41⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe40⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe37⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe35⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe27⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe22⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe15⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe13⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe9⤵
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\rogues\SpySheriff.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\rogues\SpySheriff.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Nople.exe"C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Nople.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Netres.a.exe"C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Netres.a.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Mantas.exe"C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Mantas.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
-
C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Heap41A.exe"C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Heap41A.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe" MicrosoftPowerPoint\install.txt2⤵
- Adds policy Run key to start application
- Drops autorun.inf file
-
C:\heap41a\svchost.exeC:\heap41a\svchost.exe C:\heap41a\std.txt3⤵
-
C:\heap41a\svchost.exeC:\heap41a\svchost.exe C:\heap41a\script1.txt4⤵
-
C:\heap41a\svchost.exeC:\heap41a\svchost.exe C:\heap41a\reproduce.txt4⤵
- Enumerates connected drives
-
C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Fagot.a.exe"C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Fagot.a.exe"1⤵
- Modifies WinLogon for persistence
- Manipulates Digital Signatures
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Bumerang.exe"C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Bumerang.exe"1⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ddraw32.dllC:\Windows\system32\ddraw32.dll2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10784 -s 3443⤵
- Program crash
-
C:\Windows\SysWOW64\ddraw32.dllC:\Windows\system32\ddraw32.dll :C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Bumerang.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 10784 -ip 107841⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Bezilom.exe"C:\Users\Admin\AppData\Local\Temp\Temp3_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Worm\Bezilom.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3816855 /state1:0x41c64e6d1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000128 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000128 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000128 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa315e055 /state1:0x41c64e6d1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000128 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000128 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000158 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000134 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000134 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa299a055 /state1:0x41c64e6d1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000130 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000128 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000118 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000130 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000134 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000130 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000128 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000134 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000118 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000134 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa2265855 /state1:0x41c64e6d1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000158 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000134 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000128 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000154 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000118 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000154 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000110 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000134 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa1b3f855 /state1:0x41c64e6d1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000110 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000154 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000154 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000110 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000154 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000134 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000154 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000154 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000158 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000154 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000134 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa11d3055 /state1:0x41c64e6d1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000158 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000158 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000011c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000011c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000158 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000158 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000014c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000011c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000014c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000014c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000011c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000120 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f8 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000184 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000014c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000010c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000010c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000158 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000158 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000010c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000128 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000011c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000011c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000011c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000110 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000158 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000158 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000014c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000013c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000144 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000158 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000128 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000011c 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 0000008c1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Windows Management Instrumentation
1Scripting
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
8Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
1Disable or Modify System Firewall
1Safe Mode Boot
1Indicator Removal
2File Deletion
2Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Hide Artifacts
2Hidden Files and Directories
2Scripting
1Direct Volume Access
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-D124E4C3.[[email protected]].ncovFilesize
3.2MB
MD5bebed6929d426bb04e83985d0881bbd5
SHA14f987a2967a573ff5884e44ce0de83f597c3cb25
SHA2569131d963df68de237ec064b6baf031c9cc2a155642a41dde45d7b176abf0f689
SHA5121d3dcafb78524d07f43c278c8bccf1d5ea54075c91edff163810658f3b3ddd4b4876b9e4110e4441393c17709ac098379937a1e7fb9efa6396ea2b325672602f
-
C:\ProgramData\Hdlharas\dlrarhsiva.exeFilesize
9.1MB
MD564261d5f3b07671f15b7f10f2f78da3f
SHA1d4f978177394024bb4d0e5b6b972a5f72f830181
SHA25687f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA5123a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a
-
C:\ProgramData\Hdlharas\mdkhm.zipFilesize
56KB
MD5b635f6f767e485c7e17833411d567712
SHA15a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA2566838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af
-
C:\ProgramData\svchost\Alcohol120-Install.icoFilesize
4KB
MD53773038c945383e700d295168aba3458
SHA1b9837f8173f133bb134d1943e0fd3242ca257af7
SHA25601beaaa5de6cb70ca6af5bf5744fb9219ed3cf91bc1722e235d0bb8e3c26f7a2
SHA512f3b600e2a6440783380d6f1e022da532df6d8a1a5ed1fc7b1ef2da12c867c8a86d2197e14d68e79531ac95870ae5e14c4f706a4742a1313b7957bfabd9673e84
-
C:\ProgramData\svchost\broken.icoFilesize
4KB
MD5dd68ff57e11504a1f1e7635295b11a53
SHA1cbcfc463c4b11f5fe0c5f9edb44f4e4b80619d4d
SHA256bc7ba85b667290994896a837014e2a7a5e1121fbdccf267aea74f81a49e10826
SHA512c4f081a5b6594109401e009890f14b906a11148bf0ab2553387892514af64be981bc7637d60540ff5182915ec9e9621ac348c3f38a8f660313970e06c33f2bcb
-
C:\ProgramData\svchost\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.id-D124E4C3.[[email protected]].icoFilesize
4KB
MD528d98fecf9351c6a31c9c37a738f7c15
SHA1c449dee100d5219a28019537472edc6a42a87db2
SHA25639445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0
SHA512f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c00182578404b4b6fcfde21669962dd4
SHA125e096b73941797b77cfb40dfc84e5d38102b1ee
SHA2566b4b411180d903dcee076619b1b6af71d0e35569e68f0d330f8050a94e5c521e
SHA51206a13324b95603357abbc051ec4fd083148bb28da731f8b83d4066bd47d73a7383a58d4dba52ecd63f28ff46070669dee07ce8e8f87fa07207af122264e95e9f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5b8739e9507ed3529c450eb5b6ac83e21
SHA10f933f32c39a0af112fbe0a58e5d7a9edc617965
SHA2562b35918fecd0a80628088d9069436558b2dde8eb14de4162abf9c2e4538eaa13
SHA512e852a75b3505554fc690faa3720b2889c884602b724210533c608649e1a1a58ebb33975ee0acfe9767ab09ddac120e934bc9662a9949750665a3a350ba9acb67
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD50cd5475da77c8fd0bec9bb8e79dec269
SHA142457d0cb7bb706c3e0848a5b9365578377a36a3
SHA256447a1dc4d0da122a31e5e4ce7b1e6bf3394a7fe4e706e6759f8282d854432016
SHA512b723d907236ab5efbd5bf0917834b89a4041f0f4aea6f1a4886daa9b788cb482289f84801759de034c333caee93681b521dc346242514efae365d84e9a4c4c65
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1Filesize
264KB
MD507882345c6dfe5cd454f182b2be6e401
SHA1945f7534fc24cc1d8077cd8f6fcc330a0d440a3e
SHA256920b0fb97c3e4b772df1375b2dbac17e0c22d155c63f65007b38e255d159b45a
SHA5121d89d126be0db234f00a8d853e8bea4e670a655cfcbf80f3f8a1a4f9658d7b3c30e337cd97205526c7a9d0bf09beaca662456d9e9e6ce97189a16579d09700c6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
573B
MD5a6d346f58cbec0a6e4015327b25f1537
SHA1750056e65a8b1c20b1a6051f5adcdf35821a6ac1
SHA2561a715b1b5b62ef83ca8c62a18eddb3b5b6b738be2c654ab7a38cf22fdc8bea56
SHA51274e563217a28cd6427739731f51ba2e35ee060c8ae6959d458d06a0416e17ffc6a49f8d0bbcb8d17cef144a45c36eb9f3b92305389ab0cfc5043f530d9f28d89
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5a30c05177d0487add8ef78c8b7232754
SHA16849d021b0088aee19e39b435ae1856c62378dd9
SHA2564d50d9feb02ed7c99e367808e9c7bf9ad498f5a3c052453b348f125174b233c7
SHA51214bd54134a6f32c5d61339e6e188ba02089f97473d48916b143b0467f516f3ed2f8e31bb222aa5b09cbce7f74bc893ee0454ab191c01338bbe26474f79cbfe57
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5584ed2be3fea5f36cf637b244f375042
SHA1f3cdfac6fcb560a68f355fe2e93c5be108fbeeff
SHA2562fc9048132babfaf7791c778ed3e459df1276bac8fa67595af70f5d9a92847a1
SHA5122735171205c52af5a02ac8ccae7df93d0ef49adbc4948ba509e9d239bb5e3efbc1a287e36b0533f1e752d157f6a47bc47d3f1fa03ce283229efde53ba252146f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD512a1241a436a9a38d4cb5263cac2dd61
SHA1f7456647c5bd5fb2203df98ba23a1dd93fccaa96
SHA2560b419326e5b042e94e23e807f7d63fa9c95d9f4e9dfc4f401508ef7a0f05fd00
SHA51246bc7629484ef9c36d09a301eb401415e4ec0dbe804b4293d8988a057bfbe504595242cd1221fa24ea025b9801ecfabaf1b772b78cc2ed94d1f910a59c67da63
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5aa5ce389c993af83133b81820f3bf98f
SHA16fc5db1b4f817504e10f3a63237775551721b18a
SHA25695bf5f61aaf89246ea69eca881aea99f41e67e49a17d94d0c19825d363d8fac5
SHA512584730408c081e4efa11645e24ad96d1c432828b0a5b64fd9bad64a1aefb38a726ce81ffd451f124efdcfb3bf2d43ed63726a02a064506f3683e3173f049750b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD528b6794377371500a3c0b7919bb170d8
SHA1a99b8d840bceeb7d50375e6a4bebefeb69844a6c
SHA2561f243468a3f9423badbcf49cb11123bfb70f87b9500cce58d2d97837f05f8c9a
SHA51285393d3a4ff671ce41c1ceb6c85817ff7020a8de841e98e7d3ee4fc0f141b42b392ef4737d0821bfb67bdd998d4c6f920abffc7272c9b932e543f4d55bb27fb4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c526d.TMPFilesize
1KB
MD5dc9198c7179760e4d87224cd2309e5f7
SHA19cfc65676a64bd513b5859aab2305f743b43f207
SHA256387dd2f88e8150bc556f8539ad43c1f9665273d2aa6bc573d20416c4b21e8aa6
SHA51216eb5d87cdd5a480bb1dec2ba873150fe33551ae7c85a63f62ee173b9f2352e7532b882800949287766c44670c68d892c81ee01ecc15d794ebd2683266eeb060
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3Filesize
4.0MB
MD506021fae092af0e17cc9e569dfe5c09a
SHA1177525b7e998b6533feb84ca6fd137d18abfc745
SHA256ab4361ee9ec80b68829a1282e762d8e3db0b2151621812db57ef8a2c7025f04a
SHA512b0e3637c83708af3b02660a35b44af3b7fd4e864a51e70e583a799ddf369b9f9dac9f39ccdee3789c245b7bea1d7561abdd2cfa94ff9123ba5016d3555b5e2a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5453ca9b4f72c78fb8d9f66078c12a2c5
SHA1681a8c8254c04170b8f9139277f95c32f015e8b3
SHA256b27220759def9be4a18ea8ed79067ad44c4d2800de018ae26d7e7e65ed5fbe57
SHA512b4d7fdb6b71735b8b24114a5d71d9ec081723ef15eedd07d68ad36eca9755501fe2048418cfac93c510bae8295236e1433b0519050f4322d7fe635a58f641f84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD59cbd22ec4ff84d2217dc20238264a1fe
SHA15232c2112cdda87462d618150b0d5120c076ae4e
SHA25646deb4e991a5cd257818d862e372053ad2462eb226285d30cca9049ba648d99e
SHA5128fb33044ad32c53ebf6a07485a9d224c15b359e469f925162d53c546a385dd5cac34e07ea5da366569e5dc8a743db6e248965243330bcc5a194bedc3fd409200
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD54d5cc88a9eea26e319b4cabd097e16c6
SHA1fc1e935f8e846db27cad5fbc2f6994ae8d6a9061
SHA25644b9862d88ab9fea46ba5e6edd56bd79557ed460dbbedbcb2f841718fb213695
SHA5128584d93a01007d45033d9c8930f88bc2e67320b3605d5476462e16f011524c193de57a4bb8b9b38cb8a77ac9ef44098696a5d816e6d89e22f42771663ff59b48
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD56e16354c6676c3f4a977da5227f12ba5
SHA102f1347e6d7e9e02d72892d436a822714c429e51
SHA2566f265b897093c46ea0debbdb0e4195226432057300dc00c39db1341a4dce34e0
SHA51241cfc725934b309e54a8f8ac471255493f595001f63b477929649ba145ec34ec6bcefefae38a9ed6c4c283a423119cf742aafb24694b97fe026b99ed5d5a2dcd
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdbFilesize
64KB
MD5e9d353ef33ac02dce670d4d65dc5a8ca
SHA12de30afa36d6ae44229bcb16d14f3a294e84fdfa
SHA256a577951038e03786ae3e6d9a6b09ec50d1782219af7c8529a2f6b087ef5f151e
SHA51292051a27b770b99f57bfda932baa163073a6f5639a2c9def4be3480f71dc663ac51211d4e5bc1fbff4de3515eaf33c96b5881a3f46bd342f6e06e0e373994665
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bakFilesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\14178ff2-54e2-4a42-89f0-ba614b25b77c.down_dataFilesize
555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exeFilesize
233KB
MD5155e389a330dd7d7e1b274b8e46cdda7
SHA16445697a6db02e1a0e76efe69a3c87959ce2a0d8
SHA2566390a4374f8d00c8dd4247e271137b2fa6259e0678b7b8bd29ce957058fd8f05
SHA512df8d78cf27e4a384371f755e6d0d7333c736067aeeb619e44cbc5d88381bdcbc09a9b8eeb8aafb764fc1aaf39680e387b3bca73021c6af5452c0b2e03f0e8091
-
C:\Users\Admin\AppData\Local\Temp\vbc5D6154D64894B70A8968D288DC1DC33.TMPFilesize
4KB
MD5ab09814a02b9c3fd37583014ca09238d
SHA117b878e03bb7063d37eae3562e2a0c0e2baab835
SHA2566ddf59909e7d26fd0e6614d163d9171e2e241ee95b2afff2b9cb4ad4a49e7ab9
SHA51249d5a76429e2aac70483af9e548444b00dc7e1f237cabb4bad29a98893b77cb14dbbec0bb251baf18cc14587ee645eb94b99f5af78f9faf22c1fe2b34aff2e4d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-msFilesize
934B
MD54c968d6116b5097ede12db505f478631
SHA13a7b770160e5e7d89ffcd7a36454a555174d007e
SHA2563dd4be322ccff5b847cf0c30633cc2f6d48374aeaf2da5dc5530a226ed5e929b
SHA5120cdb047f40240561a5177046fc6b6bfb07696cfb3c80742e92e50b2a6d2cb1c16cd44a37c5cc8bb04bb8b6f3c3e33bcbe0d1c75f45064bbd7ffc84acb63ee3b4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-msFilesize
2KB
MD5a5da270b9bec210b3f35265b4ce08d14
SHA146ed2df6ffe35e9e7b6cb091cd58bcecd099bec7
SHA256c9d76537d108fcf58773644690131d7a8a1fd89d4f2eac7df05d73ec7ebb4a1e
SHA512a2506e242d596a2f11dd1a08ca4919781437cbbf89ea5ca1fc90f648688ec141f61947909bc9f85f82d078949ebc58419b6408efcfefa53e6355e34336b64a99
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-msFilesize
946B
MD5020513bd05cf822a696635b8e2177966
SHA1f83f356d7d1ef8ba3fe1ccecd37eac26c07a25a1
SHA256976bd478030f5a2cfda905786ae7b506b23ef08ded0f288168d11cd3e18cb220
SHA5123e570abd6be18650b8ec76590ba13a03e657d6b46a5f523a7ea9d36bab89f5d2e6801281e5e9ac1fe183841bfb02d051950ccc728467272337c6679cfc3acdc5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-msFilesize
2KB
MD59014625b6834fafc03036332c18bdb7b
SHA1540989c093b28d348fb3a40abbf36b519d59d442
SHA256ca71b2f347e61774eb78be1461fde828f991ff4bcec062cfa6b511aa64f3c814
SHA5128af2873cb8762ea4d96c27b791f3227421627a8c6677cc300226014540adafe0d3ea9d27c64c9abf3768c9db3628100d9797f72ce11d96e5e384ef65edd8ba5c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-msFilesize
939B
MD5969d2a170304ed57ab03c64c3723af2a
SHA1d73421f1678157eeb090319ae24c5f9b621d0aa8
SHA256245303f9f7aafea4ea36e76a49548a06c2ff399d4000a957c041d447b8c4706e
SHA512770c524284022c9104886aeb7d3f9ddf725118d205831a1429f78f31e156c6ca12ba0d255ea4360ee08ad5f76a0b619a6475f7cc1065870ab92b762d25614a51
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-msFilesize
2KB
MD5dfbdbf75459204c56515ced31a879353
SHA1d8a3a66789ee3b34d69395254b3f81e914f07413
SHA256673686b559af46c9a232ea1e6a29a73f7a0d56b6782da14016647e3eff9c8f70
SHA51227c8ca3ceed3c8bf6b1ca67d79397d4fc443d460950e67de41df4a7ec4b3cb86b10b58a2bc295fcd42e36abc8029ed54bccb337a9abc57a268bc370a696b7ba4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.iniFilesize
159B
MD596823652ae433bd8c810217e99ac4889
SHA1ec60a2434e153bae74081d57882c3b9f98c232a7
SHA256981a0e52a5c9182fbdd42d088074670436c8be4074a0ce83bc78f537ed64bd5f
SHA51265c953f7ed754952f55fb37c944e54c0f4875fa20070cbc7f5b210d3dda5faefe5dae4e89684b58c16fd933aa3e5ccc78b9f626500e6f8dc0f9cb3d801e20b62
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.iniFilesize
230B
MD52973c4bb4346b95769ec1e2fb44068b6
SHA187d5f489a7bef093ff4fbd2f28af32bc130132b0
SHA256df3a3ecaaf0841b772e14357f75346b7dff1f13658881ffa02d07a46d8c8e1aa
SHA512e5252feb1c7bc955885256005815063ee955711b033010facf74b09633e59c489698a7a1c2a4ca8925847368a005de22e0d5190574cc7e75618c1d070a4ef928
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exeFilesize
4.0MB
MD51d9045870dbd31e2e399a4e8ecd9302f
SHA17857c1ebfd1b37756d106027ed03121d8e7887cf
SHA2569b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA5129419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
-
C:\Users\Admin\Documents\install.exeFilesize
40KB
MD553f25f98742c5114eec23c6487af624c
SHA1671af46401450d6ed9c0904402391640a1bddcc2
SHA2567b5dec6a48ee2114c3056f4ccb6935f3e7418ef0b0bc4a58931f2c80fc94d705
SHA512f460775308b34552c930c3f256cef1069b28421673d71e3fa2712b0467485861a98285925ae49f1adea1faf59265b964c873c12a3bb5de216122ac20084e1048
-
C:\Users\Admin\Documents\sweet.jpgFilesize
23KB
MD558b1840b979ae31f23aa8eb3594d5c17
SHA16b28b8e047cee70c7fa42715c552ea13a5671bbb
SHA256b2bb460aa299c6064e7fc947bff314e0f915c6ee6f8f700007129e3b6a314f47
SHA51213548e5900bddc6797d573fcca24cec1f1eefa0662e9d07c4055a3899460f4e135e1c76197b57a49b452e61e201cb86d1960f3e8b00828a2d0031dc9aa78666a
-
C:\Users\Admin\Downloads\95d4e974-5b5d-4d9e-bd3e-c54933803ad0.tmpFilesize
9.6MB
MD597ccde78510fbc9c049e473867e7d6e5
SHA1a22a54d87874c9faa118605d895c987ab6f3605e
SHA2560cbe5390b766268c9809aa33117a02a85920d8bd7f32ab046bd3b9b548364c06
SHA512326b677732a6856f3ddd655428f5975fe64098568a272460be07041a6a46177336876029fffbd820f9d76a413e53adf19320754e969a08e9340189567327d100
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Music\desktop.iniFilesize
520B
MD5af5909700768a888173cbd32998cf3da
SHA1194ed60ed8923749078816fc2c69614d975ba325
SHA2567edc1c721b5402e489554f848f85ccc8e190852a0ddcac22a6123c8263841340
SHA512d436b95a509f759269fda3ff398d2fe402306f88624e6a15256dc663f2709173f4d503e203ca3184e2a3f6e47ec11e8712ee2c1708932b89edf753aa9aee5c6d
-
C:\Users\Admin\Pictures\desktop.iniFilesize
520B
MD57a985a80859ee46e35031543cf0d142f
SHA1b331daec4b97bfb9c6133baaad17477509630cd6
SHA2563d643252d2ab50d0e5078aced4cb1ab19b5e8d1ff0bedf03f3243ebf3caa5884
SHA512d400143911f23f9b7c457847fdd1a1619943065c237917a1478eadc6d6befee63c2f9e37afa43a57319965b56605505bfc32f71f3a687483a60cbabab1f2d01d
-
C:\Users\Admin\Videos\desktop.iniFilesize
520B
MD5a882cf89da04eb72950e65080a5cf857
SHA1fa359f8d2e4502e5944bdadf46f05f9bf380a1cf
SHA256b41bdfe903bf4ab529adf9a2624c5733f5e044d42a6cd6fed18fd2c281f7fcc5
SHA512c5de397435424ea9f807f00f44ee1d57d87e71d8afebbfcea6f5a365bf20c1b971cfbb50e40e29430672b022634f8bc8bded25ae9061f0dc6407f3f44d5cc990
-
C:\Users\Public\Libraries\RecordedTV.library-msFilesize
936B
MD54a423318616d715c2c4194df1c2a76a9
SHA146811189c5ec837cbd87d56f45058c6dec50b898
SHA256f377f579c60a6669237f28ff1526ad8e08365df7e1aefed1d19815639e8200e0
SHA512a4c94de4162240b69a00d0a8ba09a1bcf2f0fb5bcd5b9cb9d7c7b6ebe1be852d07f911774ef4b059709903e79407b9e484867563b8e38de4cfa633c2bd76ae21
-
C:\Users\Public\Libraries\RecordedTV.library-msFilesize
999B
MD5e82838fff7c5ab5fc7d753b3dee5c017
SHA101e831ad569e79a4cde85ae15d9e775fd70b878a
SHA2568d418896f5a3390a1f49e714f407995d8504c638f45ed606138656787ad2b250
SHA512f061e030f563ba69e2c5d8db79fcb6122996ed6c011c3e66e0caf337d5696137b2200b54a38162927f4874e73ebccf9cea1eec9af7a92448f2b4a47f6d0aa720
-
C:\Users\Public\Music\desktop.iniFilesize
380B
MD548f5ac70aaedafe403b362e41da1e1d6
SHA1d40e48c5d0ba5f764c2b8d064a4ff3c6b85d7719
SHA256f09a1312cd41aadc809249dc3a6f5d5318266b40fd74b9e714571419810131de
SHA512d2a2d5db0fcc41dcde5b0797f1c917d050b75e5ffdac5a09cefef3aa386ced22f94f2719d76eeb03d063d0d199b8cd1705b563b70f4334c4de01d1264b1a5dd2
-
C:\Users\Public\Pictures\desktop.iniFilesize
380B
MD52f145cca0196fb928ee5656f2cfc2934
SHA11e90a311b867131811fe6faafd75aa17c3af64e9
SHA25673671d1ba8a835e74033f7e62afb9371c98f01efdd760a2d7093abbfcab7fafa
SHA51230c434daf25be9c1f2b6f972b7f0d47e5ee2495feff5982cf8ff0cea96765d505e112a2132cd00b24bf42ec5eb4e0e8b92cef387f9a3fe2ffa5478c0b85ab525
-
C:\Users\Public\Videos\desktop.iniFilesize
380B
MD5582bd0facb013808c1c4804d894cd9fd
SHA1110a526a7a56b6df5bfc547b33cb852e590bb893
SHA256d719c6796022f1e7c94a3208b6a488191e83c135067b6640dc5f7fcb872604e8
SHA512f65f6015b14149b8b5da1ec4b5c84151b3e3146fe9020e237b9e727393636b64448da4600156e0b930ae85d52da7cfea1ef2ef744ce754d9d71d3699f0193073
-
C:\Users\Public\desktop.iniFilesize
174B
MD57220fad57a4b3d9d9755c51198cc0386
SHA1bd2d52d62d3e9810e1072cc5ca6285da5e5c3853
SHA2566de1a716b5c49541ebc9692b16efa6fdb75b18c2a210974f94f83dcfdf8800d7
SHA512e46df475a3e52535913ae369fe56a1230fa11656b6fe31cfd160302a56f599cde45841d10f5faa53ac4c7f2da4a1de34d362153c35dc47cf87a4a8358625b9bf
-
C:\Windows\Maria.doc .exeFilesize
28KB
MD58e9d7feb3b955e6def8365fd83007080
SHA1df7522e270506b1a2c874700a9beeb9d3d233e23
SHA25694d2b1da2c4ce7db94ee9603bc2f81386032687e7c664aff6460ba0f5dac0022
SHA5124157a5628dc7f47489be2c30dbf2b14458a813eb66e942bba881615c101df25001c09afb9a54f88831fa4c1858f42d897f8f55fbf6b4c1a82d2509bd52ba1536
-
C:\Windows\SysWOW64\Windupdt\winupdate.exeFilesize
756KB
MD5c7dcd585b7e8b046f209052bcd6dd84b
SHA1604dcfae9eed4f65c80a4a39454db409291e08fa
SHA2560e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
-
C:\Windows\SysWOW64\ntkrnlpa.exeFilesize
373KB
MD530cdab5cf1d607ee7b34f44ab38e9190
SHA1d4823f90d14eba0801653e8c970f47d54f655d36
SHA2561517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f
SHA512b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3
-
C:\Windows\SysWOW64\remcos\logs.datFilesize
402B
MD5adb23b9e1d914f39c3429da3eeda5abb
SHA106da2de367032ccd82986088b61db163701c621d
SHA256fd0e9dc8c768d9a4e30ef837d453c679af068a9405064943907d76d016e14988
SHA512e70faea9001e10061ab7d359cb6bbac70ed5f138308c148dc3c1719f38409b112e89003b94fd81eb2718c9a8f398af69dbc02d0a6d937c911288b4d41b17f5b9
-
C:\Windows\SysWOW64\remcos\logs.datFilesize
553B
MD51b2f28be5ede7097fde46ad173a6e987
SHA1a8eea44422805c858637bc3bbda5df26ca83e21a
SHA256e7b20a15056235715e847c7253e0ce3b40d2e8fdfa1473e3ad4f35eb5d3006c2
SHA512055f5adb0d80d0d6a59cf0677205a25e06e58ecc15c384928c8225e85de6358dceb6326cde2c18d3534f602dab232c33c6385e4e64cacae6c57b095ade8c407a
-
C:\Windows\SysWOW64\remcos\logs.datFilesize
686B
MD5e078a0dc7c6e42961e6c2199f6173f62
SHA1dec59c595b229f2443e0629b8725494770fb4d25
SHA2561c6a45640fed2a4dd626db1ec28b544405552d937def977b8612c329cd3d29a3
SHA512cfab119e483183b124dcd5f592c2aa6e80c55364722b494f90cb1f0f06a25969f35d06c553ef0fb9ef3b038ec80cee813fcba8fd526503b93225fcdec7006895
-
C:\Windows\SysWOW64\remcos\logs.datFilesize
780B
MD53256f06a110da9510d0527ca026539ef
SHA17e6a31d76e803f3ef8128fe0ec5f0a4cdfb1f0d5
SHA2560dbe1cf020fd5785b70072459210d4e88b18fa2806d109dbedb8dbe0c16024d1
SHA512d3ad753bc25279eb44b69593363978000ccee82e8fb799feb4d02b00e921dffafdaf500ecb611003212574e345d3dd6f544ffc4c34c1f4ea9f8eee721ea4c04f
-
C:\Windows\SysWOW64\remcos\logs.datFilesize
971B
MD58539974ec8e971f715eea5a94eb36cdf
SHA1cc0a5913b184f0b022a03f8dd57e6fe184137806
SHA25670c321c811cd021c55399da98d7699faa980e914c73fa8819e2b9c9aeaea6227
SHA512269f2cd125b519cb2b2e1bb29d090951e8ad57b03944e03ea7cbd4e7e0b55a0cf6e8865b93c76a0f8f5a02a93d49cc51db503c437e28be31b5b0ca677eb7cd27
-
C:\Windows\SysWOW64\remcos\logs.datFilesize
1KB
MD5ef0bc1c68b3acc0a4b9435756a5977a3
SHA110fef129873c2c45ffb161c74147b340445c6236
SHA256d930467859048ccb870de6583edfd249afdbaaeb33cfd389d6b974ec4d54ae6a
SHA512472e8e186dff3c178325fc5510477dfbb8b1f00d0e371496621ae06e5385e8ba8c78596b3d59c433d56793d247947ca141adb5c9a8a586370ff75b52911f4018
-
C:\svchost\svchost.exe:Zone.IdentifierFilesize
92B
MD5c6c7806bab4e3c932bb5acb3280b793e
SHA1a2a90b8008e5b27bdc53a15dc345be1d8bd5386b
SHA2565ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a
SHA512c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93
-
C:\v1.logFilesize
636B
MD50180bf7ef624504fc1de5f619fa00185
SHA10aeb0df80703f6cd9347b6eddf11371a71104cbd
SHA256d7080c25d791ce7ef12f3a5d485ea23774081e14d08d4fd1023cfce1c66ed0b4
SHA5122c970c6bcc40976324db9c9cb7bed8da9fc698d32f5445ac4ef0614512b797b709c254f6801ef3d3c03dad1644855f8126d87948571bf6f3ed1a8d0e87de7b72
-
C:\v1.logFilesize
844B
MD5fee0a43afc77de7d69f6c05e95a7cd49
SHA1a5fc6040246e98a01d5cc811f1babdf727a3a940
SHA2567731f3c40219a191fbeb77deda17be91366ed997e305a68b0fc025f5f224357b
SHA512cb3650af52b98d1be6b2321f9536b6ca2c58e8f4c05fb88db690391d9230c198347e17b5168938f7d14cef510ef4d7ef22a361142792ee330def1c46c6b9c85e
-
\??\pipe\LOCAL\crashpad_2924_XEBAPUTNGKWGLBEPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1512-28955-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1512-29115-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/1512-27787-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/2820-4684-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/2820-274-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/2820-273-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/3144-27781-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/4208-27786-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/4208-28954-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/4208-29118-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/5164-25623-0x0000000000400000-0x0000000000553000-memory.dmpFilesize
1.3MB
-
memory/5164-25621-0x0000000000400000-0x0000000000553000-memory.dmpFilesize
1.3MB
-
memory/5240-25627-0x000000001CA60000-0x000000001CAC2000-memory.dmpFilesize
392KB
-
memory/5240-25625-0x000000001C470000-0x000000001C93E000-memory.dmpFilesize
4.8MB
-
memory/5240-25626-0x000000001C940000-0x000000001C9E6000-memory.dmpFilesize
664KB
-
memory/5272-25629-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/7804-25640-0x0000000010410000-0x000000001047E000-memory.dmpFilesize
440KB
-
memory/7920-27779-0x0000000000400000-0x0000000000486000-memory.dmpFilesize
536KB
-
memory/8680-25641-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/8680-25642-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/10172-27956-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/10172-28986-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/10264-27953-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/10784-27984-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/10784-27955-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/13124-26487-0x000001C1BE720000-0x000001C1BE73E000-memory.dmpFilesize
120KB
-
memory/13480-26520-0x0000018057D00000-0x0000018058614000-memory.dmpFilesize
9.1MB
-
memory/15772-25392-0x0000000009AB0000-0x0000000009AC0000-memory.dmpFilesize
64KB
-
memory/15772-25405-0x0000000009AB0000-0x0000000009AC0000-memory.dmpFilesize
64KB
-
memory/15772-25388-0x00000000074B0000-0x00000000074C0000-memory.dmpFilesize
64KB
-
memory/15772-25389-0x0000000009AB0000-0x0000000009AC0000-memory.dmpFilesize
64KB
-
memory/15772-25394-0x0000000009AB0000-0x0000000009AC0000-memory.dmpFilesize
64KB
-
memory/15772-25393-0x0000000009AB0000-0x0000000009AC0000-memory.dmpFilesize
64KB
-
memory/15772-25391-0x0000000009AB0000-0x0000000009AC0000-memory.dmpFilesize
64KB
-
memory/15772-25390-0x0000000009AB0000-0x0000000009AC0000-memory.dmpFilesize
64KB
-
memory/15772-25404-0x0000000009AB0000-0x0000000009AC0000-memory.dmpFilesize
64KB
-
memory/19100-25614-0x0000000005DD0000-0x0000000005E6C000-memory.dmpFilesize
624KB
-
memory/19100-25610-0x0000000000B00000-0x0000000000B56000-memory.dmpFilesize
344KB
-
memory/19100-25611-0x0000000005F40000-0x00000000064E6000-memory.dmpFilesize
5.6MB
-
memory/19100-25612-0x0000000005A30000-0x0000000005AC2000-memory.dmpFilesize
584KB
-
memory/19100-25613-0x0000000005990000-0x0000000005998000-memory.dmpFilesize
32KB
-
memory/19100-25615-0x0000000005D40000-0x0000000005D68000-memory.dmpFilesize
160KB
-
memory/32664-27738-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/32664-27032-0x0000000000400000-0x0000000000413000-memory.dmpFilesize
76KB
-
memory/36104-26874-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/36104-26911-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
