Resubmissions
09-07-2024 23:29
240709-3gzgzasejn 1009-07-2024 23:27
240709-3fsysssdmp 309-07-2024 14:14
240709-rj642sxfqk 10Analysis
-
max time kernel
669s -
max time network
993s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
09-07-2024 23:29
Static task
static1
Behavioral task
behavioral1
Sample
fffddsfdsgfd.png
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
fffddsfdsgfd.png
Resource
win10v2004-20240709-en
General
-
Target
fffddsfdsgfd.png
-
Size
82KB
-
MD5
d586f6d0e6532c1e30c420f7167856bd
-
SHA1
2b3cd081d870b29df1f6249f3f50d890321bb983
-
SHA256
21df242a377d7ddea14251178bb29a2300c8535eac6bdde541f910f709472223
-
SHA512
3f3dc9059bc45b0ff79ac586a8440a87879168ea5ba8f5d07279e99a072656a15ec6d4b7037dfdd3a1faafc087c982116085a902e057b064fef908098888bf5f
-
SSDEEP
1536:hpk3C1qszuBnQbxe/xRgGbFBH4dCOPEtp7VpRKYlkUTZMdFsiHyfc0Nz196:A3ASBQbxsfg8Fh4dC4WpXRV1ZiSkS96
Malware Config
Extracted
crimsonrat
185.136.161.124
Extracted
revengerat
Guest
0.tcp.ngrok.io:19521
RV_MUTEX
Extracted
warzonerat
168.61.222.215:5400
Signatures
-
CrimsonRAT main payload 1 IoCs
Processes:
resource yara_rule C:\ProgramData\Hdlharas\dlrarhsiva.exe family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Modifies WinLogon for persistence 2 TTPs 37 IoCs
Processes:
winupdate.exewinupdate.exewinupdate.exeBlackkomet.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" Blackkomet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe -
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 5376 10364 rundll32.exe EXCEL.EXE Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 23872 24068 -
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource yara_rule behavioral2/memory/2192-2011-0x00000000056F0000-0x0000000005718000-memory.dmp rezer0 -
RevengeRat Executable 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe revengerat -
Warzone RAT payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3588-2017-0x0000000000400000-0x0000000000553000-memory.dmp warzonerat behavioral2/memory/3588-2019-0x0000000000400000-0x0000000000553000-memory.dmp warzonerat -
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 6472 attrib.exe 9424 attrib.exe 8388 attrib.exe 3400 attrib.exe 13220 attrib.exe 4580 attrib.exe 21956 attrib.exe 644 13340 attrib.exe 45400 10220 attrib.exe 10492 attrib.exe 12932 attrib.exe 36324 15324 attrib.exe 4724 attrib.exe 7500 attrib.exe 2796 attrib.exe 13548 attrib.exe 9176 attrib.exe 14868 attrib.exe 20608 9124 attrib.exe 11932 attrib.exe 14840 attrib.exe 11664 attrib.exe 12088 attrib.exe 15016 attrib.exe 2524 attrib.exe 7288 attrib.exe 19012 12704 attrib.exe 14264 attrib.exe 13492 attrib.exe 8128 attrib.exe 4300 attrib.exe 5196 attrib.exe 4756 attrib.exe 8364 attrib.exe 5788 attrib.exe 7280 attrib.exe 6700 attrib.exe 12108 attrib.exe 16952 2144 attrib.exe 5536 attrib.exe 7028 attrib.exe 45460 1136 41928 6448 attrib.exe 8616 attrib.exe 13092 attrib.exe 14312 attrib.exe 14772 attrib.exe 7648 attrib.exe 12324 attrib.exe 13460 attrib.exe 13212 attrib.exe 8152 attrib.exe 43276 25468 6756 attrib.exe 7384 attrib.exe -
Checks computer location settings 2 TTPs 35 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
winupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation winupdate.exe -
Executes dropped EXE 39 IoCs
Processes:
MEMZ.exe6AdwCleaner.exedlrarhsiva.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exepid process 1892 MEMZ.exe 4316 6AdwCleaner.exe 3004 dlrarhsiva.exe 3800 winupdate.exe 5956 winupdate.exe 5664 winupdate.exe 5312 winupdate.exe 5780 winupdate.exe 2476 winupdate.exe 512 winupdate.exe 5128 winupdate.exe 3600 winupdate.exe 3664 winupdate.exe 5752 winupdate.exe 5708 winupdate.exe 6196 winupdate.exe 6404 winupdate.exe 6612 winupdate.exe 6820 winupdate.exe 7028 winupdate.exe 6152 winupdate.exe 6468 winupdate.exe 6720 winupdate.exe 6968 winupdate.exe 6236 winupdate.exe 6472 winupdate.exe 7164 winupdate.exe 6492 winupdate.exe 4012 winupdate.exe 6972 winupdate.exe 6736 winupdate.exe 7212 winupdate.exe 7420 winupdate.exe 7628 winupdate.exe 7836 winupdate.exe 8044 winupdate.exe 6960 winupdate.exe 7236 winupdate.exe 7800 winupdate.exe -
Processes:
resource yara_rule behavioral2/memory/15812-2971-0x0000000000D10000-0x0000000000F9E000-memory.dmp upx behavioral2/memory/15968-2981-0x0000000000D10000-0x0000000000F9E000-memory.dmp upx behavioral2/memory/15812-30361-0x0000000000D10000-0x0000000000F9E000-memory.dmp upx behavioral2/memory/15968-30692-0x0000000000D10000-0x0000000000F9E000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 64 IoCs
Processes:
winupdate.exewinupdate.exeBlackkomet.exenotepad.exewinupdate.exenotepad.exewinupdate.exenotepad.exewinupdate.exenotepad.exenotepad.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exenotepad.exewinupdate.exenotepad.exewinupdate.exenotepad.exewinupdate.exenotepad.exewinupdate.exenotepad.exewinupdate.exe6AdwCleaner.exewinupdate.exenotepad.exenotepad.exewinupdate.exewinupdate.exenotepad.exewinupdate.exenotepad.exewinupdate.exenotepad.exenotepad.exewinupdate.exewinupdate.exewinupdate.exenotepad.exenotepad.exewinupdate.exewinupdate.exenotepad.exenotepad.exewinupdate.exenotepad.exenotepad.exenotepad.exewinupdate.exenotepad.exewinupdate.exenotepad.exenotepad.exenotepad.exewinupdate.exewinupdate.exenotepad.exewinupdate.exewinupdate.exewinupdate.exenotepad.exewinupdate.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" Blackkomet.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto" 6AdwCleaner.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
Processes:
flow ioc 65 0.tcp.ngrok.io 76 raw.githubusercontent.com 156 raw.githubusercontent.com 183 0.tcp.ngrok.io 199 0.tcp.ngrok.io 240 0.tcp.ngrok.io 298 0.tcp.ngrok.io -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 217 ip-addr.es 219 ip-addr.es 344 ip-addr.es 423 ip-addr.es -
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/15812-2971-0x0000000000D10000-0x0000000000F9E000-memory.dmp autoit_exe behavioral2/memory/15968-2981-0x0000000000D10000-0x0000000000F9E000-memory.dmp autoit_exe behavioral2/memory/15812-30361-0x0000000000D10000-0x0000000000F9E000-memory.dmp autoit_exe behavioral2/memory/15968-30692-0x0000000000D10000-0x0000000000F9E000-memory.dmp autoit_exe -
Drops file in System32 directory 64 IoCs
Processes:
notepad.exenotepad.exewinupdate.exenotepad.exewinupdate.exeattrib.exenotepad.exenotepad.exeattrib.exenotepad.exewinupdate.exeBlackkomet.exeattrib.exewinupdate.exenotepad.exeattrib.exewinupdate.exeattrib.exewinupdate.exewinupdate.exeattrib.exenotepad.exewinupdate.exeattrib.exewinupdate.exewinupdate.exeattrib.exeattrib.exenotepad.exenotepad.exewinupdate.exeattrib.exeattrib.exewinupdate.exewinupdate.exeattrib.exewinupdate.exewinupdate.exeattrib.exeattrib.exewinupdate.exeattrib.exewinupdate.exeattrib.exenotepad.exeattrib.exenotepad.exenotepad.exeattrib.exewinupdate.exewinupdate.exeattrib.exeattrib.exenotepad.exeattrib.exewinupdate.exewinupdate.exedescription ioc process File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ Blackkomet.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe notepad.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
RevengeRAT.exeRegSvcs.exeWarzoneRAT.exedescription pid process target process PID 5552 set thread context of 5624 5552 RevengeRAT.exe RegSvcs.exe PID 5624 set thread context of 4364 5624 RegSvcs.exe RegSvcs.exe PID 2192 set thread context of 3588 2192 WarzoneRAT.exe MSBuild.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 8 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 9824 9900 WerFault.exe notepad.exe 12336 10276 WerFault.exe DanaBot.exe 13924 13416 WerFault.exe notepad.exe 2456 14352 WerFault.exe notepad.exe 13724 7056 WerFault.exe notepad.exe 3064 5580 WerFault.exe notepad.exe 7372 8704 WerFault.exe notepad.exe 2704 6432 WerFault.exe Satana.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WINWORD.EXEmsedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid process 40088 43188 16536 -
Modifies registry class 46 IoCs
Processes:
winupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exemsedge.exewinupdate.exewinupdate.exeOpenWith.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exeOpenWith.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exemsedge.exeOpenWith.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exeOpenWith.exewinupdate.exeBlackkomet.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exeOpenWith.exeOpenWith.exewinupdate.exewinupdate.exeOpenWith.exeOpenWith.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{E2F809EF-A397-4851-A9B5-C8D6A51D4D4C} msedge.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Blackkomet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe -
Processes:
6AdwCleaner.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA 6AdwCleaner.exe Set value (data) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA\Blob = 0300000001000000140000008ad5c9987e6f190bd6f5416e2de44ccd641d8cda140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8040000000100000010000000ff5fbc4290fa389e798467ebd7ae940b0f0000000100000014000000c45627b5584bf62327df60d6185744a2d2f2bcbf190000000100000010000000e843ac3b52ec8c297fa948c9b1fb28195c00000001000000040000000008000018000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c4b0000000100000044000000350034003500370041003800430045003400420032004100370034003900390046003800320039003900410030003100330042003600450031004300370043005f000000200000000100000088040000308204843082036ca0030201020210421af2940984191f520a4bc62426a74b300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3035303630373038303931305a170d3230303533303130343833385a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381f43081f1301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d8300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d010105050003820101004d422fa6c18aeb07809058468cf81939662a3c5a2c6dcfd4d987558d790b12887b408fd5c7f84b8d551663adb757dc3b2bbdd3c14f1e03874b449be3e2404526f326492b6a84f1547ad442dafcd36abb667eca9eeae9bbdc07c7c3924e833c81499f92d53209ea492ea111719a36d2c54e68b6cb0e1b2516af6cde5d76d81f72b193268617db18deaf45e9dffb98af1418eda45ef6899445f055044addff27dd064a40f6b4bcf1e40f9902bbfd5d0e2e28c1be3b5f1a3f971084bc163ed8a39c631d66cb5c5fda3ef30f0a093522dbdbc03f00f9e60d5d67d1fda01e032bd940f7becc87665480a6a3b8f51962d5d226b19826ee9acb44a7455a8195151af551 6AdwCleaner.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 6AdwCleaner.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 6AdwCleaner.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 6AdwCleaner.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 5660 schtasks.exe 14056 schtasks.exe 16368 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1652 WINWORD.EXE 1652 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeWarzoneRAT.exepid process 1964 msedge.exe 1964 msedge.exe 1040 msedge.exe 1040 msedge.exe 2076 identity_helper.exe 2076 identity_helper.exe 4500 msedge.exe 4500 msedge.exe 3344 msedge.exe 3344 msedge.exe 4432 msedge.exe 4432 msedge.exe 3444 msedge.exe 3444 msedge.exe 236 msedge.exe 236 msedge.exe 236 msedge.exe 236 msedge.exe 684 msedge.exe 684 msedge.exe 5740 msedge.exe 5740 msedge.exe 3640 msedge.exe 3640 msedge.exe 1988 msedge.exe 1988 msedge.exe 2192 WarzoneRAT.exe 2192 WarzoneRAT.exe 2192 WarzoneRAT.exe 2192 WarzoneRAT.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
OpenWith.exepid process 2412 OpenWith.exe -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid 4 4 4 4 4 660 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs
Processes:
msedge.exepid process 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
6AdwCleaner.exeRevengeRAT.exeRegSvcs.exeWarzoneRAT.exeBlackkomet.exewinupdate.exewinupdate.exedescription pid process Token: SeDebugPrivilege 4316 6AdwCleaner.exe Token: SeDebugPrivilege 5552 RevengeRAT.exe Token: SeDebugPrivilege 5624 RegSvcs.exe Token: SeDebugPrivilege 2192 WarzoneRAT.exe Token: SeIncreaseQuotaPrivilege 4044 Blackkomet.exe Token: SeSecurityPrivilege 4044 Blackkomet.exe Token: SeTakeOwnershipPrivilege 4044 Blackkomet.exe Token: SeLoadDriverPrivilege 4044 Blackkomet.exe Token: SeSystemProfilePrivilege 4044 Blackkomet.exe Token: SeSystemtimePrivilege 4044 Blackkomet.exe Token: SeProfSingleProcessPrivilege 4044 Blackkomet.exe Token: SeIncBasePriorityPrivilege 4044 Blackkomet.exe Token: SeCreatePagefilePrivilege 4044 Blackkomet.exe Token: SeBackupPrivilege 4044 Blackkomet.exe Token: SeRestorePrivilege 4044 Blackkomet.exe Token: SeShutdownPrivilege 4044 Blackkomet.exe Token: SeDebugPrivilege 4044 Blackkomet.exe Token: SeSystemEnvironmentPrivilege 4044 Blackkomet.exe Token: SeChangeNotifyPrivilege 4044 Blackkomet.exe Token: SeRemoteShutdownPrivilege 4044 Blackkomet.exe Token: SeUndockPrivilege 4044 Blackkomet.exe Token: SeManageVolumePrivilege 4044 Blackkomet.exe Token: SeImpersonatePrivilege 4044 Blackkomet.exe Token: SeCreateGlobalPrivilege 4044 Blackkomet.exe Token: 33 4044 Blackkomet.exe Token: 34 4044 Blackkomet.exe Token: 35 4044 Blackkomet.exe Token: 36 4044 Blackkomet.exe Token: SeIncreaseQuotaPrivilege 3800 winupdate.exe Token: SeSecurityPrivilege 3800 winupdate.exe Token: SeTakeOwnershipPrivilege 3800 winupdate.exe Token: SeLoadDriverPrivilege 3800 winupdate.exe Token: SeSystemProfilePrivilege 3800 winupdate.exe Token: SeSystemtimePrivilege 3800 winupdate.exe Token: SeProfSingleProcessPrivilege 3800 winupdate.exe Token: SeIncBasePriorityPrivilege 3800 winupdate.exe Token: SeCreatePagefilePrivilege 3800 winupdate.exe Token: SeBackupPrivilege 3800 winupdate.exe Token: SeRestorePrivilege 3800 winupdate.exe Token: SeShutdownPrivilege 3800 winupdate.exe Token: SeDebugPrivilege 3800 winupdate.exe Token: SeSystemEnvironmentPrivilege 3800 winupdate.exe Token: SeChangeNotifyPrivilege 3800 winupdate.exe Token: SeRemoteShutdownPrivilege 3800 winupdate.exe Token: SeUndockPrivilege 3800 winupdate.exe Token: SeManageVolumePrivilege 3800 winupdate.exe Token: SeImpersonatePrivilege 3800 winupdate.exe Token: SeCreateGlobalPrivilege 3800 winupdate.exe Token: 33 3800 winupdate.exe Token: 34 3800 winupdate.exe Token: 35 3800 winupdate.exe Token: 36 3800 winupdate.exe Token: SeIncreaseQuotaPrivilege 5956 winupdate.exe Token: SeSecurityPrivilege 5956 winupdate.exe Token: SeTakeOwnershipPrivilege 5956 winupdate.exe Token: SeLoadDriverPrivilege 5956 winupdate.exe Token: SeSystemProfilePrivilege 5956 winupdate.exe Token: SeSystemtimePrivilege 5956 winupdate.exe Token: SeProfSingleProcessPrivilege 5956 winupdate.exe Token: SeIncBasePriorityPrivilege 5956 winupdate.exe Token: SeCreatePagefilePrivilege 5956 winupdate.exe Token: SeBackupPrivilege 5956 winupdate.exe Token: SeRestorePrivilege 5956 winupdate.exe Token: SeShutdownPrivilege 5956 winupdate.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.execscript.exepid process 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 4004 cscript.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe 1040 msedge.exe -
Suspicious use of SetWindowsHookEx 32 IoCs
Processes:
OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeWINWORD.EXE6AdwCleaner.exepid process 2412 OpenWith.exe 2412 OpenWith.exe 2412 OpenWith.exe 4644 OpenWith.exe 364 OpenWith.exe 3660 OpenWith.exe 2648 OpenWith.exe 4792 OpenWith.exe 4792 OpenWith.exe 4792 OpenWith.exe 4872 OpenWith.exe 4364 OpenWith.exe 4872 OpenWith.exe 4872 OpenWith.exe 4872 OpenWith.exe 4872 OpenWith.exe 4872 OpenWith.exe 4872 OpenWith.exe 4872 OpenWith.exe 4872 OpenWith.exe 4364 OpenWith.exe 4364 OpenWith.exe 1652 WINWORD.EXE 1652 WINWORD.EXE 1652 WINWORD.EXE 1652 WINWORD.EXE 1652 WINWORD.EXE 1652 WINWORD.EXE 1652 WINWORD.EXE 1652 WINWORD.EXE 4316 6AdwCleaner.exe 4316 6AdwCleaner.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 1040 wrote to memory of 180 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 180 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 2468 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 1964 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 1964 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe PID 1040 wrote to memory of 5040 1040 msedge.exe msedge.exe -
Views/modifies file attributes 1 TTPs 64 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 9500 attrib.exe 10580 attrib.exe 11160 attrib.exe 11464 attrib.exe 14784 attrib.exe 14468 attrib.exe 19012 7920 attrib.exe 7672 attrib.exe 6700 attrib.exe 2144 attrib.exe 2524 attrib.exe 4652 attrib.exe 11432 attrib.exe 13900 attrib.exe 15644 attrib.exe 5852 attrib.exe 4860 attrib.exe 5796 attrib.exe 11688 attrib.exe 3064 attrib.exe 8944 attrib.exe 12380 attrib.exe 2336 attrib.exe 34448 8128 attrib.exe 9572 attrib.exe 2544 attrib.exe 7276 attrib.exe 6952 attrib.exe 10172 attrib.exe 13404 attrib.exe 36324 19768 6304 attrib.exe 8128 attrib.exe 13132 attrib.exe 12932 attrib.exe 21956 attrib.exe 6552 attrib.exe 6284 attrib.exe 8752 attrib.exe 13548 attrib.exe 13444 attrib.exe 45460 20988 45988 6220 attrib.exe 7648 attrib.exe 14300 attrib.exe 18640 7280 attrib.exe 13220 attrib.exe 12704 attrib.exe 13652 attrib.exe 7104 attrib.exe 7288 attrib.exe 6388 attrib.exe 13636 attrib.exe 13460 attrib.exe 6368 attrib.exe 9728 attrib.exe 14688 attrib.exe 15364 attrib.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\fffddsfdsgfd.png1⤵PID:2616
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff819d046f8,0x7ff819d04708,0x7ff819d047182⤵PID:180
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:22⤵PID:2468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:82⤵PID:5040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:12⤵PID:904
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:12⤵PID:448
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵PID:4368
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:12⤵PID:3140
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:82⤵PID:4016
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2076 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:12⤵PID:4388
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:12⤵PID:1000
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:12⤵PID:1992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:12⤵PID:4828
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:12⤵PID:3000
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:12⤵PID:4824
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:12⤵PID:4036
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5372 /prefetch:82⤵PID:4628
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4084 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4500 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:12⤵PID:3920
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5428 /prefetch:82⤵PID:2452
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:12⤵PID:1720
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3344 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:12⤵PID:4160
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6816 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4432 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3444 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3416 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:236 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:12⤵PID:3992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:12⤵PID:1984
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:12⤵PID:2244
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1400 /prefetch:12⤵PID:1188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:12⤵PID:3876
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵PID:2972
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:684 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:12⤵PID:3880
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:12⤵PID:624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:12⤵PID:1492
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:12⤵PID:5728
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5740 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:12⤵PID:5980
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:12⤵PID:5992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:12⤵PID:5576
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1764 /prefetch:82⤵PID:5848
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7528 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3640 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:12⤵PID:2532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,13207678763417238873,8733421936244687925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7424 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1988
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4632
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4972
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2412
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4644
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:364
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3660
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2648
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4792
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4248
-
C:\Users\Admin\Downloads\MEMZ 4.0 Clean\MEMZ 4.0 Clean\MEMZ-Clean.exe"C:\Users\Admin\Downloads\MEMZ 4.0 Clean\MEMZ 4.0 Clean\MEMZ-Clean.exe"1⤵PID:4152
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\MEMZ 4.0 Clean\MEMZ 4.0 Clean\MEMZ-Clean.bat" "1⤵PID:60
-
C:\Windows\system32\cscript.execscript x.js2⤵
- Suspicious use of FindShellTrayWindow
PID:4004 -
C:\Users\Admin\AppData\Roaming\MEMZ.exe"C:\Users\Admin\AppData\Roaming\MEMZ.exe"2⤵
- Executes dropped EXE
PID:1892
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x308 0x5001⤵PID:1104
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4872
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4364
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Melissa.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1652
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\SpySheriff.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\SpySheriff.exe"1⤵PID:2756
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\AdwereCleaner.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\AdwereCleaner.exe"1⤵PID:5784
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4316
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"1⤵PID:3144
-
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"2⤵
- Executes dropped EXE
PID:3004
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5552 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5624 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵PID:4364
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ob3ev12y.cmdline"3⤵PID:8764
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A492527D474DC7A857448887BDBF18.TMP"4⤵PID:8572
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\thpqnvuf.cmdline"3⤵PID:9284
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F67.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94A8D62A51ED4FC2A02CE332F77337A.TMP"4⤵PID:9352
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cldpr4pd.cmdline"3⤵PID:9436
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF4997D01E4A45B390E446FDADA369B.TMP"4⤵PID:9660
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1t0pls8j.cmdline"3⤵PID:9700
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9120536A819B4BD0A7E7B4A4ABAE0.TMP"4⤵PID:9796
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cgpkpxlr.cmdline"3⤵PID:9976
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3330.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70A552F0320F4C7788C3799DCC36F4B8.TMP"4⤵PID:10072
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wie2ipua.cmdline"3⤵PID:10112
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3439.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50DB2334B8AB4E6DAE93E793AE824136.TMP"4⤵PID:8420
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\plru1p9c.cmdline"3⤵PID:9364
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc45F822F0C04D4C8EAE19FEE055FA22C.TMP"4⤵PID:8640
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c358zfrj.cmdline"3⤵PID:9548
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES362D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDDC5876822A1452385ED8267C66EC44.TMP"4⤵PID:9404
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dbk5zwv4.cmdline"3⤵PID:9888
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CBB227698984238B0A1ACB2D81D05B.TMP"4⤵PID:9972
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4kzm0kwi.cmdline"3⤵PID:10028
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3850.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91BDE0E92DAA4CB2863D6ABE7D54A8A6.TMP"4⤵PID:8420
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i89gboy5.cmdline"3⤵PID:9272
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES395A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18EF25089AF544B1A864184E841DA7.TMP"4⤵PID:8220
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-cyybv7i.cmdline"3⤵PID:9468
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CEAB8727F244DA4805CB350B5A8C0C1.TMP"4⤵PID:9788
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m97tntv-.cmdline"3⤵PID:9796
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A013D1A8D5443C28BB7DBE737D3F5AC.TMP"4⤵PID:10016
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kzu-ngww.cmdline"3⤵PID:9212
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc99FC40AAE4374462A398E1525E439F55.TMP"4⤵PID:9360
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kk0gecnn.cmdline"3⤵PID:10188
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EA9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEFFC9524B6964321BBC0E7EC4DDB414.TMP"4⤵PID:9440
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_4oksxmy.cmdline"3⤵PID:8276
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBC1458FBCB44AC9BF38B8BF2D44823.TMP"4⤵PID:10072
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zwribl3y.cmdline"3⤵PID:9732
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc214DC5A5243C40BB89E31BEF2E99F332.TMP"4⤵PID:10148
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p9u76iej.cmdline"3⤵PID:9500
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4214.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A1B1A9296F48AD8ACCCFEDFE931FB2.TMP"4⤵PID:9540
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lyvnnkkh.cmdline"3⤵PID:9648
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA00B137A454F485DB29050E1831688B.TMP"4⤵PID:10008
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lygszmyb.cmdline"3⤵PID:5220
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4495.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6CE602A592D459E8E4D23B91B365EFD.TMP"4⤵PID:9624
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qqnr-hu2.cmdline"3⤵PID:9628
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE09C594F1EB248FEAF42FBAAC8AB675.TMP"4⤵PID:10236
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"3⤵PID:10548
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:10756
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵PID:10784
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8liaobfb.cmdline"5⤵PID:12604
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB948.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9143D8AB6A94507BD91EEF950CA15FF.TMP"6⤵PID:12496
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\apwg6oca.cmdline"5⤵PID:12308
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B02346A8CD940A4BAC972A54BDCCB6F.TMP"6⤵PID:12476
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"5⤵
- Scheduled Task/Job: Scheduled Task
PID:14056 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pp0gzrcz.cmdline"5⤵PID:14176
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE113.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84039F49CE0F404AB7F35538F3D31ABC.TMP"6⤵PID:12676
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6kki6045.cmdline"5⤵PID:13500
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7BAB2741A4CB4A88A478805F36464D62.TMP"6⤵PID:13444
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wgd2pqx_.cmdline"5⤵PID:13320
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE336.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7807ED2F5DA643EF8862FBB6E2B34379.TMP"6⤵PID:12676
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\shrfzl4-.cmdline"5⤵PID:3572
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE46F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C93BB69A57D41F596285B5F9343FE.TMP"6⤵PID:13992
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-pz0s4md.cmdline"5⤵PID:2352
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE588.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A54415FF05F4BC0A9C420512C15B7B6.TMP"6⤵PID:3572
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eem8qggm.cmdline"5⤵PID:14300
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD11056356CD4B428AA7576EE60FFC3.TMP"6⤵PID:1944
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jg75ale6.cmdline"5⤵PID:3344
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE8FFF9FB84DDDA6FFB97C61DBB649.TMP"6⤵PID:13992
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\japfnyax.cmdline"5⤵PID:14116
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE970.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66479C013DAA49C99BAB7B95F5BF6C36.TMP"6⤵PID:14344
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xp_ng8ni.cmdline"5⤵PID:14396
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc171CC2154634F2293E0DA7F7C281D49.TMP"6⤵PID:14460
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\plm7gwuo.cmdline"5⤵PID:14552
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB74.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9EEA3CE2EC4B48119F2BCC8162D3BF9.TMP"6⤵PID:14768
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kl0r4t1f.cmdline"5⤵PID:29220
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDAB0.tmp"2⤵
- Scheduled Task/Job: Scheduled Task
PID:5660 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵PID:3588
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4044 -
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Adds Run key to start application
PID:5388 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h2⤵PID:2300
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT" +s +h2⤵PID:4756
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3800 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Adds Run key to start application
PID:1924 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h3⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:2336 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h3⤵
- Sets file to hidden
PID:5196 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5956 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- Adds Run key to start application
PID:6092 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h4⤵
- Sets file to hidden
PID:5788 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2144 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- Drops file in System32 directory
PID:4872 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h5⤵
- Drops file in System32 directory
PID:6008 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h5⤵PID:2240
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\notepad.exenotepad6⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:4452 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h6⤵
- Sets file to hidden
PID:4756 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h6⤵PID:5020
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:5780 -
C:\Windows\SysWOW64\notepad.exenotepad7⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:3796 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h7⤵PID:1104
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h7⤵PID:3644
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\notepad.exenotepad8⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h8⤵
- Views/modifies file attributes
PID:4652 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h8⤵PID:744
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:512 -
C:\Windows\SysWOW64\notepad.exenotepad9⤵
- Adds Run key to start application
PID:6076 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2524 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h9⤵
- Drops file in System32 directory
PID:5316 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\notepad.exenotepad10⤵
- Adds Run key to start application
PID:4484 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h10⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:5852 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h10⤵PID:4928
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3600 -
C:\Windows\SysWOW64\notepad.exenotepad11⤵
- Adds Run key to start application
PID:3040 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h11⤵PID:2792
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
PID:4724 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:3664 -
C:\Windows\SysWOW64\notepad.exenotepad12⤵
- Adds Run key to start application
PID:2300 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h12⤵PID:5204
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h12⤵PID:236
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵PID:3644
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:5752 -
C:\Windows\SysWOW64\notepad.exenotepad13⤵
- Adds Run key to start application
PID:1980 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h13⤵PID:416
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵PID:2240
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h13⤵
- Drops file in System32 directory
PID:4912 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"13⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\notepad.exenotepad14⤵
- Drops file in System32 directory
PID:3664 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h14⤵
- Drops file in System32 directory
PID:4652 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h14⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:4860 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6196 -
C:\Windows\SysWOW64\notepad.exenotepad15⤵PID:6244
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h15⤵PID:6264
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h15⤵PID:6272
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6404 -
C:\Windows\SysWOW64\notepad.exenotepad16⤵
- Adds Run key to start application
PID:6456 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h16⤵
- Sets file to hidden
PID:6472 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h16⤵PID:6480
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6612 -
C:\Windows\SysWOW64\notepad.exenotepad17⤵
- Drops file in System32 directory
PID:6672 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h17⤵PID:6688
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h17⤵PID:6696
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6820 -
C:\Windows\SysWOW64\notepad.exenotepad18⤵
- Adds Run key to start application
PID:6868 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h18⤵
- Drops file in System32 directory
PID:6884 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h18⤵PID:6892
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:7028 -
C:\Windows\SysWOW64\notepad.exenotepad19⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:7088 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h19⤵
- Views/modifies file attributes
PID:7104 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h19⤵
- Drops file in System32 directory
PID:7112 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"19⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:6152 -
C:\Windows\SysWOW64\notepad.exenotepad20⤵
- Adds Run key to start application
PID:5708 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h20⤵PID:6268
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h20⤵
- Drops file in System32 directory
PID:6396 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:6468 -
C:\Windows\SysWOW64\notepad.exenotepad21⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:6496 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h21⤵
- Drops file in System32 directory
PID:6604 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h21⤵
- Views/modifies file attributes
PID:6552 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:6720 -
C:\Windows\SysWOW64\notepad.exenotepad22⤵
- Adds Run key to start application
PID:6760 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h22⤵PID:6880
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h22⤵
- Drops file in System32 directory
PID:6956 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵PID:6884
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:6968 -
C:\Windows\SysWOW64\notepad.exenotepad23⤵
- Adds Run key to start application
PID:6176 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h23⤵
- Drops file in System32 directory
PID:6188 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h23⤵PID:7128
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"23⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6236 -
C:\Windows\SysWOW64\notepad.exenotepad24⤵
- Adds Run key to start application
PID:6336 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h24⤵PID:6424
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h24⤵
- Views/modifies file attributes
PID:6304 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6472 -
C:\Windows\SysWOW64\notepad.exenotepad25⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:6864 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h25⤵PID:6852
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h25⤵PID:6964
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"25⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:7164 -
C:\Windows\SysWOW64\notepad.exenotepad26⤵
- Adds Run key to start application
PID:6332 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h26⤵
- Views/modifies file attributes
PID:6284 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV127⤵PID:5780
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h26⤵PID:5448
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"26⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6492 -
C:\Windows\SysWOW64\notepad.exenotepad27⤵
- Adds Run key to start application
PID:6880 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h27⤵
- Drops file in System32 directory
PID:6972 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h27⤵
- Views/modifies file attributes
PID:6220 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"27⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\notepad.exenotepad28⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:6580 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h28⤵
- Sets file to hidden
- Drops file in System32 directory
PID:6448 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h28⤵PID:5856
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6972 -
C:\Windows\SysWOW64\notepad.exenotepad29⤵
- Adds Run key to start application
PID:7128 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h29⤵
- Sets file to hidden
PID:6756 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h29⤵PID:6508
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV130⤵PID:6472
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"29⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6736 -
C:\Windows\SysWOW64\notepad.exenotepad30⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:7060 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h30⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6700 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h30⤵
- Drops file in System32 directory
PID:6368 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:7212 -
C:\Windows\SysWOW64\notepad.exenotepad31⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:7264 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h31⤵
- Sets file to hidden
PID:7280 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h31⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:7288 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"31⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:7420 -
C:\Windows\SysWOW64\notepad.exenotepad32⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:7472 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h32⤵PID:7492
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h32⤵
- Sets file to hidden
PID:7500 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"32⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:7628 -
C:\Windows\SysWOW64\notepad.exenotepad33⤵
- Drops file in System32 directory
PID:7680 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h33⤵PID:7696
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h33⤵
- Drops file in System32 directory
PID:7704 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"33⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:7836 -
C:\Windows\SysWOW64\notepad.exenotepad34⤵
- Adds Run key to start application
PID:7896 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h34⤵PID:7912
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h34⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:7920 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"34⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:8044 -
C:\Windows\SysWOW64\notepad.exenotepad35⤵
- Adds Run key to start application
PID:8104 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h35⤵PID:8120
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h35⤵
- Drops file in System32 directory
PID:8128 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"35⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:6960 -
C:\Windows\SysWOW64\notepad.exenotepad36⤵PID:7252
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h36⤵
- Views/modifies file attributes
PID:7276 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h36⤵PID:7284
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"36⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:7236 -
C:\Windows\SysWOW64\notepad.exenotepad37⤵PID:7544
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h37⤵PID:7552
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h37⤵
- Sets file to hidden
- Views/modifies file attributes
PID:7648 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"37⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:7800 -
C:\Windows\SysWOW64\notepad.exenotepad38⤵PID:7632
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h38⤵PID:7652
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h38⤵PID:7908
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"38⤵PID:7860
-
C:\Windows\SysWOW64\notepad.exenotepad39⤵PID:8176
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h39⤵
- Views/modifies file attributes
PID:6368 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h39⤵
- Sets file to hidden
- Views/modifies file attributes
PID:8128 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"39⤵PID:7372
-
C:\Windows\SysWOW64\notepad.exenotepad40⤵PID:7380
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h40⤵
- Sets file to hidden
PID:7384 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h40⤵
- Views/modifies file attributes
PID:7280 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"40⤵PID:7620
-
C:\Windows\SysWOW64\notepad.exenotepad41⤵PID:7920
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h41⤵PID:5528
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h41⤵PID:8028
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"41⤵PID:8088
-
C:\Windows\SysWOW64\notepad.exenotepad42⤵PID:8048
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h42⤵PID:8120
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h42⤵PID:8172
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"42⤵PID:7560
-
C:\Windows\SysWOW64\notepad.exenotepad43⤵PID:7960
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h43⤵PID:6220
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h43⤵
- Views/modifies file attributes
PID:7672 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"43⤵PID:7696
-
C:\Windows\SysWOW64\notepad.exenotepad44⤵PID:7280
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h44⤵PID:7576
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h44⤵PID:7532
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"44⤵PID:7972
-
C:\Windows\SysWOW64\notepad.exenotepad45⤵PID:7768
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h45⤵PID:7368
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h45⤵
- Views/modifies file attributes
PID:6952 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"45⤵PID:7924
-
C:\Windows\SysWOW64\notepad.exenotepad46⤵PID:8040
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h46⤵PID:7368
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h46⤵PID:7440
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"46⤵PID:8252
-
C:\Windows\SysWOW64\notepad.exenotepad47⤵PID:8300
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h47⤵PID:8320
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h47⤵PID:8328
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"47⤵PID:8460
-
C:\Windows\SysWOW64\notepad.exenotepad48⤵PID:8508
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h48⤵PID:8528
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h48⤵PID:8536
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"48⤵PID:8668
-
C:\Windows\SysWOW64\notepad.exenotepad49⤵PID:8728
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h49⤵PID:8744
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h49⤵
- Views/modifies file attributes
PID:8752 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"49⤵PID:8876
-
C:\Windows\SysWOW64\notepad.exenotepad50⤵PID:8928
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h50⤵
- Views/modifies file attributes
PID:8944 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h50⤵PID:8952
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"50⤵PID:9084
-
C:\Windows\SysWOW64\notepad.exenotepad51⤵PID:9144
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h51⤵PID:9160
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h51⤵PID:9168
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"51⤵PID:7440
-
C:\Windows\SysWOW64\notepad.exenotepad52⤵PID:7660
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h52⤵PID:8356
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h52⤵
- Sets file to hidden
PID:8388 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"52⤵PID:8556
-
C:\Windows\SysWOW64\notepad.exenotepad53⤵PID:8596
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h53⤵PID:8592
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h53⤵PID:8640
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"53⤵PID:8784
-
C:\Windows\SysWOW64\notepad.exenotepad54⤵PID:8844
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h54⤵PID:8668
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h54⤵PID:8996
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"54⤵PID:8900
-
C:\Windows\SysWOW64\notepad.exenotepad55⤵PID:7828
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h55⤵PID:7212
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h55⤵PID:8248
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"55⤵PID:8564
-
C:\Windows\SysWOW64\notepad.exenotepad56⤵PID:8272
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h56⤵
- Views/modifies file attributes
PID:8128 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h56⤵
- Sets file to hidden
PID:8616 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"56⤵PID:8756
-
C:\Windows\SysWOW64\notepad.exenotepad57⤵PID:9004
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h57⤵
- Sets file to hidden
PID:9124 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h57⤵PID:9040
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"57⤵PID:8520
-
C:\Windows\SysWOW64\notepad.exenotepad58⤵PID:8088
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h58⤵PID:8876
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h58⤵
- Sets file to hidden
PID:9176 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"58⤵PID:8804
-
C:\Windows\SysWOW64\notepad.exenotepad59⤵PID:8340
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h59⤵PID:9048
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h59⤵PID:8404
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"59⤵PID:9204
-
C:\Windows\SysWOW64\notepad.exenotepad60⤵PID:8864
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h60⤵PID:8780
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h60⤵PID:2580
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"60⤵PID:8276
-
C:\Windows\SysWOW64\notepad.exenotepad61⤵PID:8128
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h61⤵PID:8780
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h61⤵PID:684
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"61⤵PID:9372
-
C:\Windows\SysWOW64\notepad.exenotepad62⤵PID:9476
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h62⤵PID:9492
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h62⤵
- Views/modifies file attributes
PID:9500 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"62⤵PID:9756
-
C:\Windows\SysWOW64\notepad.exenotepad63⤵PID:9832
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h63⤵PID:9848
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h63⤵PID:9856
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"63⤵PID:10124
-
C:\Windows\SysWOW64\notepad.exenotepad64⤵PID:10192
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h64⤵PID:10208
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h64⤵
- Sets file to hidden
PID:10220 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"64⤵PID:9080
-
C:\Windows\SysWOW64\notepad.exenotepad65⤵PID:9640
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h65⤵PID:9636
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h65⤵PID:9572
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"65⤵PID:9984
-
C:\Windows\SysWOW64\notepad.exenotepad66⤵PID:9856
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h66⤵PID:9884
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h66⤵PID:10068
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"66⤵PID:10184
-
C:\Windows\SysWOW64\notepad.exenotepad67⤵PID:8748
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h67⤵PID:9444
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h67⤵
- Sets file to hidden
PID:9424 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"67⤵PID:9544
-
C:\Windows\SysWOW64\notepad.exenotepad68⤵PID:9972
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h68⤵PID:9736
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h68⤵PID:9744
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"68⤵PID:9928
-
C:\Windows\SysWOW64\notepad.exenotepad69⤵PID:8768
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h69⤵PID:8872
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h69⤵PID:9708
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"69⤵PID:9996
-
C:\Windows\SysWOW64\notepad.exenotepad70⤵PID:9900
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9900 -s 25271⤵
- Program crash
PID:9824 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h70⤵
- Views/modifies file attributes
PID:10172 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h70⤵PID:9884
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"70⤵PID:9396
-
C:\Windows\SysWOW64\notepad.exenotepad71⤵PID:9660
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h71⤵PID:9876
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h71⤵PID:9644
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"71⤵PID:9896
-
C:\Windows\SysWOW64\notepad.exenotepad72⤵PID:9368
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h72⤵PID:5596
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h72⤵PID:9928
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"72⤵PID:9376
-
C:\Windows\SysWOW64\notepad.exenotepad73⤵PID:9544
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h73⤵PID:9404
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h73⤵PID:9748
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"73⤵PID:10236
-
C:\Windows\SysWOW64\notepad.exenotepad74⤵PID:9556
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h74⤵PID:10056
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h74⤵PID:10156
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"74⤵PID:10148
-
C:\Windows\SysWOW64\notepad.exenotepad75⤵PID:9748
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h75⤵PID:5536
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h75⤵
- Views/modifies file attributes
PID:9728 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"75⤵PID:9212
-
C:\Windows\SysWOW64\notepad.exenotepad76⤵PID:10000
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h76⤵PID:10236
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h76⤵PID:10124
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"76⤵PID:9572
-
C:\Windows\SysWOW64\notepad.exenotepad77⤵PID:9844
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h77⤵PID:10112
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h77⤵PID:8872
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"77⤵PID:10272
-
C:\Windows\SysWOW64\notepad.exenotepad78⤵PID:10332
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h78⤵PID:10348
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h78⤵PID:10356
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"78⤵PID:10496
-
C:\Windows\SysWOW64\notepad.exenotepad79⤵PID:10564
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h79⤵
- Views/modifies file attributes
PID:10580 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h79⤵PID:10588
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"79⤵PID:10820
-
C:\Windows\SysWOW64\notepad.exenotepad80⤵PID:10912
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h80⤵PID:10928
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h80⤵PID:10936
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"80⤵PID:11084
-
C:\Windows\SysWOW64\notepad.exenotepad81⤵PID:11144
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h81⤵
- Views/modifies file attributes
PID:11160 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h81⤵PID:11168
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"81⤵PID:8212
-
C:\Windows\SysWOW64\notepad.exenotepad82⤵PID:5612
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h82⤵
- Sets file to hidden
PID:5536 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h82⤵PID:10300
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"82⤵PID:10600
-
C:\Windows\SysWOW64\notepad.exenotepad83⤵PID:3448
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h83⤵PID:10484
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h83⤵PID:4824
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"83⤵PID:11240
-
C:\Windows\SysWOW64\notepad.exenotepad84⤵PID:11088
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h84⤵PID:10344
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h84⤵PID:11084
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"84⤵PID:10616
-
C:\Windows\SysWOW64\notepad.exenotepad85⤵PID:10352
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h85⤵PID:10472
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h85⤵
- Views/modifies file attributes
PID:9572 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"85⤵PID:11368
-
C:\Windows\SysWOW64\notepad.exenotepad86⤵PID:11416
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h86⤵
- Views/modifies file attributes
PID:11432 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h86⤵PID:11440
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"86⤵PID:11592
-
C:\Windows\SysWOW64\notepad.exenotepad87⤵PID:11640
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h87⤵PID:11656
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h87⤵
- Sets file to hidden
PID:11664 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"87⤵PID:11800
-
C:\Windows\SysWOW64\notepad.exenotepad88⤵PID:11852
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h88⤵PID:11868
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h88⤵PID:11876
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"88⤵PID:12020
-
C:\Windows\SysWOW64\notepad.exenotepad89⤵PID:12072
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h89⤵
- Sets file to hidden
PID:12088 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h89⤵PID:12096
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"89⤵PID:12228
-
C:\Windows\SysWOW64\notepad.exenotepad90⤵PID:12280
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h90⤵PID:10300
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h90⤵PID:11296
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"90⤵PID:10412
-
C:\Windows\SysWOW64\notepad.exenotepad91⤵PID:10616
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h91⤵
- Views/modifies file attributes
PID:11464 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h91⤵PID:11268
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"91⤵PID:11408
-
C:\Windows\SysWOW64\notepad.exenotepad92⤵PID:11660
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h92⤵PID:11720
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h92⤵PID:11740
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"92⤵PID:11992
-
C:\Windows\SysWOW64\notepad.exenotepad93⤵PID:10432
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h93⤵PID:12016
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h93⤵
- Sets file to hidden
PID:11932 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"93⤵PID:12184
-
C:\Windows\SysWOW64\notepad.exenotepad94⤵PID:6640
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h94⤵PID:12248
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h94⤵
- Sets file to hidden
PID:12108 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"94⤵PID:10472
-
C:\Windows\SysWOW64\notepad.exenotepad95⤵PID:11240
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h95⤵PID:512
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h95⤵
- Views/modifies file attributes
PID:6388 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"95⤵PID:11732
-
C:\Windows\SysWOW64\notepad.exenotepad96⤵PID:11664
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h96⤵PID:11728
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h96⤵
- Views/modifies file attributes
PID:5796 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"96⤵PID:11892
-
C:\Windows\SysWOW64\notepad.exenotepad97⤵PID:11244
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h97⤵PID:756
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h97⤵
- Sets file to hidden
PID:10492 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"97⤵PID:11568
-
C:\Windows\SysWOW64\notepad.exenotepad98⤵PID:11528
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h98⤵
- Views/modifies file attributes
PID:11688 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h98⤵PID:11548
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"98⤵PID:11756
-
C:\Windows\SysWOW64\notepad.exenotepad99⤵PID:2044
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h99⤵PID:7132
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h99⤵PID:11400
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"99⤵PID:9676
-
C:\Windows\SysWOW64\notepad.exenotepad100⤵PID:11432
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h100⤵
- Views/modifies file attributes
PID:2544 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h100⤵PID:6136
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"100⤵PID:11532
-
C:\Windows\SysWOW64\notepad.exenotepad101⤵PID:6112
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h101⤵PID:7052
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h101⤵PID:2796
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"101⤵PID:11440
-
C:\Windows\SysWOW64\notepad.exenotepad102⤵PID:6136
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h102⤵
- Sets file to hidden
PID:2796 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h102⤵PID:10980
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"102⤵PID:11628
-
C:\Windows\SysWOW64\notepad.exenotepad103⤵PID:11912
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h103⤵PID:10980
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h103⤵PID:11548
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"103⤵PID:12304
-
C:\Windows\SysWOW64\notepad.exenotepad104⤵PID:12356
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h104⤵PID:12372
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h104⤵
- Views/modifies file attributes
PID:12380 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"104⤵PID:12520
-
C:\Windows\SysWOW64\notepad.exenotepad105⤵PID:12572
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h105⤵PID:12588
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h105⤵PID:12596
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"105⤵PID:12728
-
C:\Windows\SysWOW64\notepad.exenotepad106⤵PID:12780
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h106⤵PID:12796
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h106⤵PID:12804
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"106⤵PID:12936
-
C:\Windows\SysWOW64\notepad.exenotepad107⤵PID:12996
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h107⤵PID:13012
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h107⤵PID:13020
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"107⤵PID:13144
-
C:\Windows\SysWOW64\notepad.exenotepad108⤵PID:13196
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h108⤵
- Sets file to hidden
PID:13212 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h108⤵
- Sets file to hidden
- Views/modifies file attributes
PID:13220 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"108⤵PID:2544
-
C:\Windows\SysWOW64\notepad.exenotepad109⤵PID:3020
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h109⤵PID:11532
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h109⤵PID:11804
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"109⤵PID:12604
-
C:\Windows\SysWOW64\notepad.exenotepad110⤵PID:12720
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h110⤵PID:12600
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h110⤵PID:12680
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"110⤵PID:12956
-
C:\Windows\SysWOW64\notepad.exenotepad111⤵PID:12868
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h111⤵PID:13016
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h111⤵
- Views/modifies file attributes
PID:13132 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"111⤵PID:13264
-
C:\Windows\SysWOW64\notepad.exenotepad112⤵PID:13280
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h112⤵PID:13212
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h112⤵PID:11440
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"112⤵PID:12396
-
C:\Windows\SysWOW64\notepad.exenotepad113⤵PID:12628
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h113⤵
- Sets file to hidden
PID:12324 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h113⤵PID:12448
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"113⤵PID:12764
-
C:\Windows\SysWOW64\notepad.exenotepad114⤵PID:12880
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h114⤵
- Sets file to hidden
- Views/modifies file attributes
PID:12704 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h114⤵PID:12596
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"114⤵PID:12920
-
C:\Windows\SysWOW64\notepad.exenotepad115⤵PID:12540
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h115⤵PID:11704
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h115⤵PID:11440
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"115⤵PID:12372
-
C:\Windows\SysWOW64\notepad.exenotepad116⤵PID:11768
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h116⤵PID:12476
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h116⤵PID:12512
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"116⤵PID:12956
-
C:\Windows\SysWOW64\notepad.exenotepad117⤵PID:13044
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h117⤵
- Sets file to hidden
PID:13092 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h117⤵PID:12808
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"117⤵PID:12676
-
C:\Windows\SysWOW64\notepad.exenotepad118⤵PID:13132
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h118⤵PID:13012
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h118⤵
- Sets file to hidden
- Views/modifies file attributes
PID:12932 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"118⤵PID:13260
-
C:\Windows\SysWOW64\notepad.exenotepad119⤵PID:12700
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h119⤵PID:12448
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h119⤵PID:13068
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"119⤵PID:13340
-
C:\Windows\SysWOW64\notepad.exenotepad120⤵PID:13388
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h120⤵
- Views/modifies file attributes
PID:13404 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h120⤵PID:13412
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"120⤵PID:13552
-
C:\Windows\SysWOW64\notepad.exenotepad121⤵PID:13604
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h121⤵PID:13628
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h121⤵
- Views/modifies file attributes
PID:13636 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"121⤵PID:13760
-
C:\Windows\SysWOW64\notepad.exenotepad122⤵PID:13808
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h122⤵PID:13824
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h122⤵PID:13832
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"122⤵PID:13972
-
C:\Windows\SysWOW64\notepad.exenotepad123⤵PID:14020
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h123⤵PID:14036
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h123⤵PID:14044
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"123⤵PID:14192
-
C:\Windows\SysWOW64\notepad.exenotepad124⤵PID:14240
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h124⤵PID:14256
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h124⤵
- Sets file to hidden
PID:14264 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"124⤵PID:12232
-
C:\Windows\SysWOW64\notepad.exenotepad125⤵PID:12016
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h125⤵
- Sets file to hidden
- Views/modifies file attributes
PID:13460 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h125⤵
- Sets file to hidden
- Views/modifies file attributes
PID:13548 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"125⤵PID:13624
-
C:\Windows\SysWOW64\notepad.exenotepad126⤵PID:13628
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h126⤵PID:13684
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h126⤵PID:13712
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"126⤵PID:13916
-
C:\Windows\SysWOW64\notepad.exenotepad127⤵PID:13844
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h127⤵
- Views/modifies file attributes
PID:13900 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h127⤵PID:13908
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"127⤵PID:14056
-
C:\Windows\SysWOW64\notepad.exenotepad128⤵PID:14288
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h128⤵PID:13328
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h128⤵
- Sets file to hidden
PID:14312 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"128⤵PID:13500
-
C:\Windows\SysWOW64\notepad.exenotepad129⤵PID:13480
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h129⤵PID:13508
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h129⤵
- Sets file to hidden
PID:13492 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"129⤵PID:13952
-
C:\Windows\SysWOW64\notepad.exenotepad130⤵PID:13868
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h130⤵PID:13764
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h130⤵PID:14108
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"130⤵PID:13864
-
C:\Windows\SysWOW64\notepad.exenotepad131⤵PID:3444
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h131⤵
- Views/modifies file attributes
PID:14300 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h131⤵PID:13544
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"131⤵PID:13720
-
C:\Windows\SysWOW64\notepad.exenotepad132⤵PID:13344
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h132⤵
- Views/modifies file attributes
PID:13652 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h132⤵
- Views/modifies file attributes
PID:13444 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"132⤵PID:13596
-
C:\Windows\SysWOW64\notepad.exenotepad133⤵PID:11924
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h133⤵
- Sets file to hidden
PID:13340 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h133⤵PID:14080
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"133⤵PID:14300
-
C:\Windows\SysWOW64\notepad.exenotepad134⤵PID:13712
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h134⤵
- Sets file to hidden
PID:4300 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h134⤵PID:14088
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"134⤵PID:14176
-
C:\Windows\SysWOW64\notepad.exenotepad135⤵PID:14164
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h135⤵PID:13360
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h135⤵
- Sets file to hidden
PID:3400 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"135⤵PID:14108
-
C:\Windows\SysWOW64\notepad.exenotepad136⤵PID:3400
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h136⤵PID:14080
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h136⤵PID:14172
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"136⤵PID:1944
-
C:\Windows\SysWOW64\notepad.exenotepad137⤵PID:14172
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h137⤵PID:3844
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h137⤵PID:5520
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"137⤵PID:14472
-
C:\Windows\SysWOW64\notepad.exenotepad138⤵PID:14564
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h138⤵PID:14584
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h138⤵PID:14592
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"138⤵PID:14796
-
C:\Windows\SysWOW64\notepad.exenotepad139⤵PID:14844
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h139⤵PID:14860
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h139⤵
- Sets file to hidden
PID:14868 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"139⤵PID:15256
-
C:\Windows\SysWOW64\notepad.exenotepad140⤵PID:15308
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h140⤵PID:15324
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h140⤵PID:15332
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"140⤵PID:13864
-
C:\Windows\SysWOW64\notepad.exenotepad141⤵PID:14384
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h141⤵
- Sets file to hidden
PID:4580 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h141⤵PID:14420
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"141⤵PID:14656
-
C:\Windows\SysWOW64\notepad.exenotepad142⤵PID:14708
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h142⤵PID:14784
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h142⤵
- Sets file to hidden
PID:14772 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"142⤵PID:14624
-
C:\Windows\SysWOW64\notepad.exenotepad143⤵PID:1564
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h143⤵PID:1880
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h143⤵PID:6920
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"143⤵PID:14900
-
C:\Windows\SysWOW64\notepad.exenotepad144⤵PID:15320
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h144⤵PID:6632
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h144⤵PID:15336
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"144⤵PID:1616
-
C:\Windows\SysWOW64\notepad.exenotepad145⤵PID:14424
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h145⤵
- Views/modifies file attributes
PID:14468 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h145⤵PID:5580
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"145⤵PID:14776
-
C:\Windows\SysWOW64\notepad.exenotepad146⤵PID:14792
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h146⤵
- Views/modifies file attributes
PID:14688 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h146⤵PID:14752
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"146⤵PID:14972
-
C:\Windows\SysWOW64\notepad.exenotepad147⤵PID:13432
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h147⤵PID:15184
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h147⤵PID:1728
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"147⤵PID:7240
-
C:\Windows\SysWOW64\notepad.exenotepad148⤵PID:7448
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h148⤵PID:6956
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h148⤵
- Sets file to hidden
PID:7028 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"148⤵PID:1616
-
C:\Windows\SysWOW64\notepad.exenotepad149⤵PID:14648
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h149⤵PID:14652
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h149⤵PID:14656
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"149⤵PID:6528
-
C:\Windows\SysWOW64\notepad.exenotepad150⤵PID:4212
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h150⤵
- Sets file to hidden
PID:15324 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h150⤵PID:15172
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"150⤵PID:8036
-
C:\Windows\SysWOW64\notepad.exenotepad151⤵PID:6692
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h151⤵PID:14748
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h151⤵PID:8184
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"151⤵PID:15200
-
C:\Windows\SysWOW64\notepad.exenotepad152⤵PID:15212
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h152⤵PID:15232
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h152⤵
- Sets file to hidden
PID:15016 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"152⤵PID:1728
-
C:\Windows\SysWOW64\notepad.exenotepad153⤵PID:7744
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h153⤵PID:14900
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h153⤵PID:14416
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"153⤵PID:8544
-
C:\Windows\SysWOW64\notepad.exenotepad154⤵PID:7712
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h154⤵PID:14672
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h154⤵
- Views/modifies file attributes
PID:3064 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"154⤵PID:14540
-
C:\Windows\SysWOW64\notepad.exenotepad155⤵PID:9192
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h155⤵PID:8324
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h155⤵
- Views/modifies file attributes
PID:14784 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"155⤵PID:8464
-
C:\Windows\SysWOW64\notepad.exenotepad156⤵PID:7300
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h156⤵PID:14124
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h156⤵PID:5644
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"156⤵PID:14868
-
C:\Windows\SysWOW64\notepad.exenotepad157⤵PID:8704
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8704 -s 420158⤵
- Program crash
PID:7372 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h157⤵PID:5516
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h157⤵PID:8976
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"157⤵PID:9112
-
C:\Windows\SysWOW64\notepad.exenotepad158⤵PID:3844
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h158⤵PID:6744
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h158⤵
- Sets file to hidden
PID:8364 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"158⤵PID:14540
-
C:\Windows\SysWOW64\notepad.exenotepad159⤵PID:9412
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h159⤵PID:14984
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h159⤵PID:7528
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"159⤵PID:8796
-
C:\Windows\SysWOW64\notepad.exenotepad160⤵PID:3204
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h160⤵
- Sets file to hidden
PID:14840 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h160⤵PID:6196
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"160⤵PID:15224
-
C:\Windows\SysWOW64\notepad.exenotepad161⤵PID:6920
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h161⤵PID:7872
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h161⤵PID:13092
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"161⤵PID:7528
-
C:\Windows\SysWOW64\notepad.exenotepad162⤵PID:7508
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h162⤵PID:9436
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h162⤵PID:10012
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"162⤵PID:7872
-
C:\Windows\SysWOW64\notepad.exenotepad163⤵PID:3492
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h163⤵
- Sets file to hidden
PID:8152 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h163⤵PID:14784
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"163⤵PID:15540
-
C:\Windows\SysWOW64\notepad.exenotepad164⤵PID:15620
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h164⤵PID:15636
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h164⤵
- Views/modifies file attributes
PID:15644 -
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"164⤵PID:16380
-
C:\Windows\SysWOW64\notepad.exenotepad165⤵PID:15368
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h165⤵
- Views/modifies file attributes
PID:15364 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h165⤵PID:15012
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"165⤵PID:24180
-
C:\Windows\SysWOW64\notepad.exenotepad166⤵PID:21920
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h166⤵
- Sets file to hidden
- Views/modifies file attributes
PID:21956 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h166⤵PID:21964
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"166⤵PID:23832
-
C:\Windows\SysWOW64\notepad.exenotepad167⤵PID:28780
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe166⤵PID:23888
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe165⤵PID:24164
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe164⤵PID:15408
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe163⤵PID:15548
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe162⤵PID:7532
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe161⤵PID:8640
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe160⤵PID:13416
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe159⤵PID:8364
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe158⤵PID:8184
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe157⤵PID:9084
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe156⤵PID:14512
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe155⤵PID:15232
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe154⤵PID:4996
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe153⤵PID:8696
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe152⤵PID:7384
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe151⤵PID:5448
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe150⤵PID:5580
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 364151⤵
- Program crash
PID:3064 -
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe149⤵PID:14820
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe148⤵PID:6596
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe147⤵PID:5292
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe146⤵PID:7056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 188147⤵
- Program crash
PID:13724 -
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe145⤵PID:14828
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe144⤵PID:14352
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 14352 -s 140145⤵
- Program crash
PID:2456 -
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe143⤵PID:15276
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe142⤵PID:14504
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe141⤵PID:416
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe140⤵PID:13992
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe139⤵PID:15264
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe138⤵PID:14804
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe137⤵PID:14480
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe136⤵PID:11036
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe135⤵PID:2716
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe134⤵PID:3832
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe133⤵PID:3376
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe132⤵PID:13900
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe131⤵PID:13416
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13416 -s 76132⤵
- Program crash
PID:13924 -
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe130⤵PID:14252
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe129⤵PID:13708
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe128⤵PID:13464
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe127⤵PID:14008
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe126⤵PID:13932
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe125⤵PID:13672
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe124⤵PID:12680
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe123⤵PID:14200
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe122⤵PID:13980
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe121⤵PID:13768
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe120⤵PID:13560
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe119⤵PID:13348
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe118⤵PID:12464
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe117⤵PID:12796
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe116⤵PID:12900
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe115⤵PID:12772
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe114⤵PID:12728
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe113⤵PID:12600
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe112⤵PID:11804
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe111⤵PID:12248
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe110⤵PID:12968
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe109⤵PID:12564
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe108⤵PID:11444
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe107⤵PID:13152
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe106⤵PID:12944
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe105⤵PID:12736
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe104⤵PID:12528
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe103⤵PID:12312
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe102⤵PID:11304
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe101⤵PID:11292
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe100⤵PID:6608
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe99⤵PID:9524
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe98⤵PID:12164
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe97⤵PID:10416
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe96⤵PID:11968
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe95⤵PID:11616
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe94⤵PID:11396
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe93⤵PID:12112
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe92⤵PID:11944
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe91⤵PID:11412
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe90⤵PID:5624
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe89⤵PID:12236
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe88⤵PID:12028
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe87⤵PID:11808
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe86⤵PID:11600
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe85⤵PID:11376
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe84⤵PID:10624
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe83⤵PID:11180
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe82⤵PID:10272
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe81⤵PID:10108
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe80⤵PID:11092
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe79⤵PID:10828
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe78⤵PID:10508
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe77⤵PID:10280
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe76⤵PID:10056
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe75⤵PID:9724
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe74⤵PID:10204
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe73⤵PID:9736
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe72⤵PID:9860
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe71⤵PID:9424
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe70⤵PID:10184
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe69⤵PID:10068
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe68⤵PID:9952
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe67⤵PID:9932
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe66⤵PID:9344
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe65⤵PID:9852
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe64⤵PID:9296
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe63⤵PID:10132
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe62⤵PID:9764
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe61⤵PID:9384
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe60⤵PID:8940
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe59⤵PID:9176
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe58⤵PID:8376
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe57⤵PID:8352
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe56⤵PID:8528
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe55⤵PID:8252
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe54⤵PID:9156
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe53⤵PID:8788
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe52⤵PID:8600
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe51⤵PID:8076
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe50⤵PID:9092
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe49⤵PID:8884
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe48⤵PID:8676
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe47⤵PID:8468
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe46⤵PID:8260
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe45⤵PID:8156
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe44⤵PID:7580
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe43⤵PID:7552
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe42⤵PID:7308
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe41⤵PID:7320
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe40⤵PID:7420
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe39⤵PID:7336
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe38⤵PID:8084
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe37⤵PID:7728
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe36⤵PID:7460
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe35⤵PID:7164
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe34⤵PID:8052
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe33⤵PID:7844
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe32⤵PID:7636
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe31⤵PID:7428
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe30⤵PID:7220
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe29⤵PID:2992
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe28⤵PID:6860
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe27⤵PID:6784
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe26⤵PID:6152
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe25⤵PID:7156
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe24⤵PID:6500
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe23⤵PID:6268
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe22⤵PID:6820
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe21⤵PID:6764
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe20⤵PID:6512
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe19⤵PID:2792
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe18⤵PID:7036
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe17⤵PID:6828
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe16⤵PID:6620
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe15⤵PID:6412
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe14⤵PID:6204
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe13⤵PID:5204
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe12⤵PID:4544
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe11⤵PID:1912
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe10⤵PID:5956
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe9⤵PID:4748
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe8⤵PID:5492
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe7⤵PID:5680
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe6⤵PID:5812
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe5⤵PID:5200
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe4⤵PID:5232
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe3⤵PID:3096
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe2⤵PID:3400
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 9900 -ip 99001⤵PID:9544
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm"1⤵PID:10364
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer2⤵
- Process spawned unexpected child process
PID:5376
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"1⤵PID:10276
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.exe@102762⤵PID:12512
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll,f03⤵PID:12328
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10276 -s 4922⤵
- Program crash
PID:12336
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 10276 -ip 102761⤵PID:12456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 13416 -ip 134161⤵PID:13712
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 14352 -ip 143521⤵PID:4912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7056 -ip 70561⤵PID:14832
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Satana.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Satana.exe"1⤵PID:14840
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Satana.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Satana.exe"2⤵PID:6432
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6432 -s 3963⤵
- Program crash
PID:2704
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5580 -ip 55801⤵PID:14468
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 8704 -ip 87041⤵PID:14748
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6432 -ip 64321⤵PID:5876
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"1⤵PID:8540
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵PID:15480
-
C:\Windows\system32\mode.commode con cp select=12513⤵PID:37404
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"1⤵PID:7752
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"1⤵PID:6196
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵PID:8368
-
C:\Windows\SysWOW64\svchost.exe-k netsvcs3⤵PID:15392
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Krotten.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Krotten.exe" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe1⤵PID:5644
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NotPetya.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NotPetya.exe" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe1⤵PID:15476
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #12⤵PID:15564
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 00:453⤵PID:15772
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 00:454⤵
- Scheduled Task/Job: Scheduled Task
PID:16368 -
C:\Users\Admin\AppData\Local\Temp\3212.tmp"C:\Users\Admin\AppData\Local\Temp\3212.tmp" \\.\pipe\{DBDC5AC4-25B1-4DFD-84E9-1F723268DFA9}3⤵PID:15800
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedBoot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedBoot.exe" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\PowerPoint.exe1⤵PID:15812
-
C:\Users\Admin\65373049\protect.exe"C:\Users\Admin\65373049\protect.exe"2⤵PID:16136
-
C:\Users\Admin\65373049\assembler.exe"C:\Users\Admin\65373049\assembler.exe" -f bin "C:\Users\Admin\65373049\boot.asm" -o "C:\Users\Admin\65373049\boot.bin"2⤵PID:16160
-
C:\Users\Admin\65373049\overwrite.exe"C:\Users\Admin\65373049\overwrite.exe" "C:\Users\Admin\65373049\boot.bin"2⤵PID:16336
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedBoot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedBoot.exe"1⤵PID:15968
-
C:\Users\Admin\65373049\protect.exe"C:\Users\Admin\65373049\protect.exe"2⤵PID:16232
-
C:\Users\Admin\65373049\assembler.exe"C:\Users\Admin\65373049\assembler.exe" -f bin "C:\Users\Admin\65373049\boot.asm" -o "C:\Users\Admin\65373049\boot.bin"2⤵PID:16240
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\SporaRansomware.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\SporaRansomware.exe"1⤵PID:43892
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵PID:34896
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1JavaScript
1Scheduled Task/Job
1Scheduled Task
1Scripting
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\7-Zip\7z.dll.id-F9B9ACFC.[[email protected]].ncov
Filesize2.5MB
MD5bd90dd0ebd658fe26ccc59fd056de984
SHA18f761b4b349efa9b3487a6454a514d44d5d3cb47
SHA2565b5fb188b51bbd6552868cfc7af07f766e04ddf8208160ba2158c88171aa8f6a
SHA512d404cc719e40955dbb2709258be2ceda29adc7ff83f9fb8fb75c9a45ff05379d24bfbc68db04c6200f0d1e5260db0a886f129c1ba66bfdd863a37ac374a1f557
-
Filesize
9.1MB
MD564261d5f3b07671f15b7f10f2f78da3f
SHA1d4f978177394024bb4d0e5b6b972a5f72f830181
SHA25687f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA5123a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a
-
Filesize
56KB
MD5b635f6f767e485c7e17833411d567712
SHA15a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA2566838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af
-
C:\ProgramData\svchost\PerfLogs.exe.id-F9B9ACFC.[[email protected]].ico
Filesize4KB
MD59430abf1376e53c0e5cf57b89725e992
SHA187d11177ee1baa392c6cca84cf4930074ad535c5
SHA25621f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381
SHA512dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78
-
Filesize
4KB
MD5fde1b01ca49aa70922404cdfcf32a643
SHA1b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25
-
Filesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
Filesize
12KB
MD514779cc27dffd2b8ebab93a132cfb91a
SHA15256a096529a496ecc9bb1f27b1c69b62fbc52e9
SHA25638ac7346eb6afd8c52cfa9902df5d489255835dc006596c1dcfad54584b35dc2
SHA512e6ccbfecb439ee42cfe81ba2c066c9e4bf43a8b263a61761ff44cee7652034f8d05128d7c27924b18ac8970bb8c79f0e6542877e1498abae466335407d9284b9
-
Filesize
152B
MD5bafce9e4c53a0cb85310891b6b21791b
SHA15d70027cc137a7cbb38f5801b15fd97b05e89ee2
SHA25671fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00
SHA512c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c
-
Filesize
152B
MD5a499254d6b5d91f97eb7a86e5f8ca573
SHA103dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1
SHA256fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499
SHA512d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c
-
Filesize
152B
MD51a4618f46a9d7abbea11faba7bb63bee
SHA18d810cd8937235a7863761e8b72fe399aaab43d6
SHA25676c636722eb24f4dc00674e77c585d79c59b1e7d1eedbb71bf8a0418ce7916b1
SHA512a1ef762873d976c881926b89b1625e525fbd8d1fd8bb14f657a8020dbda153b0095612e3de4197b08a5045d5f4d17eb56c5ec592c5afef8e4e4bd89760384496
-
Filesize
152B
MD5db1d2e7c8822854e3910f16c8b65c70c
SHA1a0a51be24543c6f0534202b69bee1725d2d12a96
SHA256a6cf6475a12ab59914de170c03fcb1fbbce5d5ae989c4e908b4f0565d5ac0549
SHA51258d7c9b23030431b65a12679081cbd160fc481d0278598055dca0733f14e5de790603f997c6c26d5790fcc92f196c48d3b6c650a29e9660884334b5021789c22
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4c21a88d-9e44-4b71-bf72-31e716ba0b54.tmp
Filesize70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\86e443c9-7b28-4fbb-9f0b-74bd5510e35c.tmp
Filesize4KB
MD5efafbd3d34dcf233e3e0cb9473d71c90
SHA197fdbfb202eab942527624db02b290b070c96177
SHA2563d382c4bebb95c920c0724e3ba2500ea9e9d47689a45388fe849d53f3f6d560c
SHA512a110c3610af056cf713c7851fe0a6f22947d6904d408748dbc460e107de387e4c4151ecb723632e99f69fbede5a1e76a5a189987f60d185fb03a47f4152a9ac2
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
69KB
MD57d5e1b1b9e9321b9e89504f2c2153b10
SHA137847cc4c1d46d16265e0e4659e6b5611d62b935
SHA256adbd44258f3952a53d9c99303e034d87c5c4f66c5c431910b1823bb3dd0326af
SHA5126f3dc2c523127a58def4364a56c3daa0b2d532891d06f6432ad89b740ee87eacacfcea6fa62a6785e6b9844d404baee4ea4a73606841769ab2dfc5f0efe40989
-
Filesize
41KB
MD5970d0e20692b74e97203d5cf9358350f
SHA13e45b858a775b05d117b26a317ceef16d3320ad1
SHA2562c2ba720b00b5ea91083f203eba58347373081ef53201695e5b2de96405945a3
SHA51275cd3e41d4094aad759b315eb56eefa1f2b3a4111899ad0da733b12ceef8157ad44d507a01705f9b1ac77c53866355a08edef8663608ec2d7753425c203ba507
-
Filesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.2MB
MD5620dd00003f691e6bda9ff44e1fc313f
SHA1aaf106bb2767308c1056dee17ab2e92b9374fb00
SHA256eea7813cba41e7062794087d5d4c820d7b30b699af3ec37cb545665940725586
SHA5123e245851bfa901632ea796ddd5c64b86eda217ec5cd0587406f5c28328b5cb98c5d8089d868e409e40560c279332ba85dd8ce1159ae98e8588e35ed61da2f006
-
Filesize
37KB
MD5f31a1ab9f483d9db21349522e39dd16e
SHA101a275d7fc1c4f578fa506c8e0bf9b7787dd4806
SHA256463800c9ec072ae72a4f6fdc1f2f779c792cb7ceb6f57c7d1231eabefad2bd9d
SHA512cab9bf13c36b854bef939e1d09c8d896caf1d7c20f6948f70f27eaf2869e49c8b9be728b4c95926ba869a987516a79d3193d416b0582b7570a58269c8caa7603
-
Filesize
37KB
MD5838ff1c9432529e8767cb82eedd81504
SHA1b19d6bf6d966c59592600097d27bc4dcbdd20bdb
SHA256eb231ce985c270c3f38016ec8095b7f350952f971452fe6500d8c62bb886a97b
SHA512f1239ceb6d557b06867e5cc487dde32d72e035154de3855e52b4e66d2aea1582b07c0fb0b0a1a1369caea3e58a876fdf24255fd774e9b4417376844abe1574d4
-
Filesize
20KB
MD5628ba8d31375849e0943894669cd033c
SHA14fa6d50a37fa2dadec892474d3e713ef9de2d8a1
SHA25680e3440c312f921afe33a7d4a3d11d1d2dc7162f8f50b748b796f424441d10d6
SHA512d4406493dc8767c479460f3039b038866549feebf392280384da08adbcad2e871720d046220cb67ebe3ab75c14e06a31df2fa7c0f2c17f91eda26ba0a709d27f
-
Filesize
25KB
MD56f0d8c2d86b40b21934ff819a3961667
SHA12e411280d2191d0f9732fe01ebc522aa87363b34
SHA2568ef59cad09decea1d3b42a9ddd4a9b25a6c7d7bdac03d0621b4bef1448276c88
SHA512b9406b8e4f3ca0fb1a45d3ce677d12a84c83c9c1039be109b0002c4a42435d68107cacaec2e07474b7e9d48e6e00df1734e33d1b18d6aac7a604ea6500e01024
-
Filesize
20KB
MD50f3de113dc536643a187f641efae47f4
SHA1729e48891d13fb7581697f5fee8175f60519615e
SHA2569bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8
SHA5128332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f
-
Filesize
17KB
MD5d7580dce32412dc9d53e8911beeac7e4
SHA1fb93b2d7546f30ded645e40c4ad2ae962bced731
SHA256136b2c40697b50198694dcf1ccae005f9a5dcd15b3d67bb48745df477a49df06
SHA5122440ddd41e5d17fae4ff5e261d2d4694937f27d94292f1424c398585471f71cd20131f2babdf3332176ca2aa191bde920aeadb15705843fed3d4183fbfbe6e43
-
Filesize
19KB
MD50e9598f50db3875804b5cae6c9dca79b
SHA18337e55cde8ab625a187449b5cf3e814e183bba8
SHA256f3f29a6f56ab6a7576981cdb058c75f952f970002ee9e855c5f65e5736446cb4
SHA512b9e90dbb3d62226300c1cf017cd839e50b0a9372784279190be12bd95c3d1b2c6e3cb03b71faf4ca7ff2f2e33d89d359d4594c1f412fd54fc0c5b73dd90205df
-
Filesize
56KB
MD51c1d217fb96a2f08696c928339539e32
SHA15921a4ba778aa41f84ac5eb590a9b2b1b2bc1301
SHA256c3c237d6752a083449cf8e67764d2ad13501e291339bfc1ccafb4c338cbcd78e
SHA512e0095b1ff5404cdd049b00d9aec0ce29291afa407a5cdd1092cabd1fafbd478441c6ade141f3c6428d61003b79393b99613638432ca1130a1330348239a8cefa
-
Filesize
53KB
MD58fcb818bc23425964d10ac53464bf075
SHA1396f40d25a7d38eed9730d97177cd0362f5af5d7
SHA2568b56333cda4211c50ada778d598348b8a846d557ed9117d8b265e004db31e9f7
SHA5126ec7588257bd1261f9b2876c3aa57fba2b6bdc33a2a68830c8d8d539f449c552cf6923a5e8afb5e665d12cad253a10d68ad665d9eb74ff8250c6daf2f61e6da8
-
Filesize
132KB
MD501088b35a7144b96e1c65db9ecf5aeab
SHA13d5b4a4fafdc3867adca4a4a640d6296bba06f82
SHA25666616d0b8be2030b1f40d1da2a80bdf930172335226111b7965a4480bb584f1f
SHA512bf639e6539792c3ebab0ddb646b795a1cb14e4359fe97726db69ba2e082debdb920c15d5eb96a552613ead61ee4320de0331c02aaba3f14dd83956cc7affba89
-
Filesize
22KB
MD5f2b3b5ae31aad5857de6b472b4b33502
SHA194b2968bcd37264d68fbd1189eea5271bf0399ff
SHA256afb3b56c3fb32ea5657cfe81ed543e4f216ae5496476f567a1c800084ec6cb03
SHA512bdb04854ca0a9cae61cf4c3e3a48ae40776a19da50d95ad54486c0c07a083328105739d8dc0235185f3d86d5f5a3104dfbe92c31357550803946402949e73b70
-
Filesize
43KB
MD5209af4da7e0c3b2a6471a968ba1fc992
SHA12240c2da3eba4f30b0c3ef2205ce7848ecff9e3f
SHA256ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403
SHA51209201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35
-
Filesize
73KB
MD57322a4b055089c74d35641df8ed19efa
SHA1b9130bf21364c84ac5ed20d58577f5213ec957a1
SHA256c27e6cbe88590ba6a04271b99d56aa22212ccf811a5d17a544ee816530d5fd44
SHA512bad26b076fa0888bf7680f416b39417abe0c76c6366b87e5a420f7bc5a881cc81f65b3ef4af4ba792aa6030bcf08bdc56b462775f38c4dbf48ff4d842c971bea
-
Filesize
40KB
MD53051c1e179d84292d3f84a1a0a112c80
SHA1c11a63236373abfe574f2935a0e7024688b71ccb
SHA256992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3
SHA512df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff
-
Filesize
53KB
MD568f0a51fa86985999964ee43de12cdd5
SHA1bbfc7666be00c560b7394fa0b82b864237a99d8c
SHA256f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f
SHA5123049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7
-
Filesize
22KB
MD5db96514a70774d0da058373034c3ed65
SHA162187775c092076418fa3fa31ad2945b4a1ddaa6
SHA2566054dd3ff37ee624d740c7c890795c91326079526334e1554ba1b2b63cf7d7e5
SHA51212e903bee10e3a23a6cbc421e8a1475e07da29ae4bb14518cfd9a922b7dd83866563cffe48317b42a0e8b4413d9c8fe63a1d62ba8e3462a7975bffa6d433b616
-
Filesize
18KB
MD52cc7627d0d778c0fd67a3cb4d4677579
SHA12651992eb2fa8c30a6563a72ef8871cd79cb155f
SHA256121c4f7b74e12f9977a2690e55bd4c904091c61d745a79720169f4ae6491b0e6
SHA512ebb5d41ca1c8fb22eb7293a210d8f8a0e3d86cfdf3ac95bffafc44452205c495fde0b223aaead2dc2aca99772fd991891038040296398df3d9d3291525d9e1c1
-
Filesize
1KB
MD5d2cc43927c3f9ac2af554f4063704a7c
SHA1c2acef1b6372951df50044d7cc4a8e1692c8a5e6
SHA256f856fef79f7d2afc7213bbf04959d3fe9653c537d1139274d7b35be8f35870a9
SHA512b2ccca56aa17ad0da98181612fa2f78b9de8cd77c0c1d5d7e8acc97ff33cc59cffaba817f9642fbe09188d012a391a50180767273b74ddb1145d6558853b499e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD57b26ea07d5f4ba3099a792691c0eb093
SHA109ffbc224c7f5f481e96562cbcd355ac7b51679c
SHA25611eff30e24af64619f5a47540a26a051f98c88cebb8a1dc5e39a818a5aee29e3
SHA512003e5c59aeab855c75474351fe6e933c72988effa9ebc9c3fc4ccd8de2869d28c28e42c6bc95476b2a3bd7d229a073caf6e05aeacc20f3ac1d941c34657e2a59
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD50c38bc2331cc172a762e3610a52e0f19
SHA17510cba783adaae551e5197d7133922f0ec0f8e1
SHA2567cfc59c2cb4e1ccb8fb5b01c6066df10466ea241d63a736a0b9837aa788435fe
SHA5121acbc879d03df4e2b1ebb993c7eeb68391df8f4168287c3942036a6f05f4c61e90a4b8b5f8823f8b876e2f5f17afd177b041c087f1676d0fe0f04c71fdc95bb5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5b9a9b36621e87e822d396cc1f9fe9699
SHA16bc393eb7015ae57fbd7999050005e56b08fcb28
SHA256a6a345182115bbf230ef00d4583a43e77ce083f21ad32a45d91056b7e57d25b4
SHA512b42698d7459741626f4666f805f372f402248a27328b634217fc2bae34d344401534e70d175f553bb2e7f5e09ceee039cf51ef8bbc56836da6ab0283ba1473b9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD517b9d97ebb639f522044912a7ebc9eec
SHA14df8027dae149e69b5be2723f903cd77638f191e
SHA25629ff35aa8197573c1bb3ef3139210ad387619fb8cd90b985a27c040b781ce2a9
SHA512ad13fa0cfb8a3a12407a676448be0c528c54978da421b7668550a42c0689bd2e546191426a79c9e6cfcbe67e85f8dbbff441eebfd70fcca8f07fd8f1a65d106a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD594b79ce9103302fc99845692fb1dae49
SHA17c0a8f66ad7b63a524d77eef900a9c920b6efbdf
SHA2565e4f680083fda017c5f3b9d8b6b6c436e04fe3caa6317cb0260f46b5559e8b40
SHA512c738784e3d67540549234d487902b802043f34519a385ec7ae8990cd2ebde495d81ab9e1fe9aa8814af1fc8111ab13881b4a94c9d20fc1314eeaa8f040e4bcf9
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
1KB
MD51e99c28933481758e40642eb10205074
SHA122c958138e3bf0c03ebf5b8742481c9d4d456fe9
SHA2568eac44c0360b753ddb82ef5b7bcb9ac84b4d228a5d72e5e8d6b848a78bbe2e57
SHA512a70ab175ef3dedc4c2d4d7047c26b71549fbdfdaada685812dbf8fad717ee482d3863d9718f121ec998218d387f6581148fe897e066ac913f38676e494bb310b
-
Filesize
713B
MD5ab09471a812da06e33ddd0f6a172542a
SHA11c0ece098b6711897bc741c72f138ff4bb1ad0a6
SHA25661ba45785935d593cbbcf7463aec648eb01aea29614ea4cf6ba27294a7d426c3
SHA512f4d1328932c1e0e8b2f2c8fa0d4ef6ba1894e4d5565dde9af7eb120730170c2fc155d5a5d15c46333018b205e9e6cedf2f3e739a6af94651a0b340a3bdb1b438
-
Filesize
1KB
MD5202afa1d3c6d36c27d339ef1499ecf4d
SHA11faeb5a4b9049d7e308c616d66f50237fb0271a2
SHA25654de07f27bfc7c329556fbf28b3df26f3cc073c0cd737c5540e469a431e1f1b8
SHA512722140665ac878cc5bf3ccaae9baa06a93d7d5f45ed58b52e8ca47aca58d4fcc0952853c56a625b29b7ee824b90bbac832f95580c894433fc04bd0ee8bfd3093
-
Filesize
1KB
MD56e84f6de5b1a0f18695cdd9c72c23b66
SHA1ae47ee8fa7c27dd27d1148f3e238a8a49a7e3622
SHA2568dea83c8dec1532c265ddbd2ddb1f48bc254bfca8f853f922edff772f476c32d
SHA512482758b181cdb7bc5312bee1165e86995fc13db925b8bc34b941421e3cd286d0dd832e930c2c1ed79f9f80870c0eadfebae1fadbc0f712b0e79d2791550f70b9
-
Filesize
6KB
MD55f300e9cc01fdc1bb95c6cf605d1ac2d
SHA14621f1465321fad0f261e96df96c08c942dc64b6
SHA25623760670bf603659756f8496c1f3f2324e60cc78af527482530d5259eb0804ec
SHA512e468adbfe8a268e96b38185b07bbcedf3213dc65f279a5ef1f5837f35c956ec5e6ed7afd2e3e6470df744dd0cb537452d2394f46f60b56147f76cf1c76abe0c4
-
Filesize
8KB
MD5bd016b8f0c879181db23856608c57c33
SHA16603dd15a6114c5258c6c6b9de36aa41ad81725d
SHA25603bd15691c8a93dbe9040dc0b3d05766d979c5b68046cbe3885ba8f0f61e663d
SHA512aadc4e7a62c07d91ba6f954bffc1d40865be91622b078df3efcbbaa9893ca8928282858ee6dc1cca352372bc6cb9aab18b6a362f3ddaf11c1e34cdaddf8d32c4
-
Filesize
6KB
MD5b145135d2aa727edec363851084ae8e2
SHA1c2fc96dc263f4306c8415d5d7eef273a3b9e335a
SHA25685441bb9c7fa07c1906b6922ceba88d1029778580040fa99d8ec0b7a9afc6564
SHA512b03c0e2dffa6bfc5772dde03e00ab4c0f172808158a3e0e1fdac755c2e1a7babc3d062cd3bd89ab126aa10fb70037ae6ac10fcd5bddf98151e2b45dbe6f990b4
-
Filesize
6KB
MD53fe4885308c8fad0fab286f5039ccbf6
SHA19f88dc21f73a029ffeb75bedd8328566f4ae7531
SHA25657977323ac94df645dde5b2e2bab7f8bc25c18ee65110960c1a893a487944847
SHA512837a4b4012aa5ccf86803a048732561543861ac22ad6802389be62e8c2f7fca5054b77036caf78d167df0c1dd9c6905e70a9643760016e40d66166cf25e925ac
-
Filesize
7KB
MD58510b54f29d655ed64a6df0536f4af8d
SHA13445ebbcecb50b68dce3cfc90fb7f0202a79152d
SHA256adfa4507e99960e2f657667c1bf782f245150fff35eae36e1c3bd6d6bfaa7927
SHA5121f4437e625eefc1034eca9523eea4599989b8f0633328572791e677f17c12bf7c2fcfdc9ed873f82829eef32e7c527c76a76da64bdaffe9f3a231f347dd101a1
-
Filesize
7KB
MD52b8ab20817138e6f3a71fc3a45c55f30
SHA1f8e718fde10d2a9119e298120de94666f1b2dc16
SHA256e1937e845dc722f5668e428d51ac527c5abe671d57fb282836c60b86e7be41d5
SHA51248da1cf23f782ecdea4647745f5858d79b9e97e4079bf313e436788eb8c765422de039a4a548bae936fc1779ca4229fb1929a9394513958513b95105a4e67769
-
Filesize
7KB
MD5eab779c7a3e408653a2d8a8cb7c22868
SHA1bd557044529ffbe731df1c5a952dc7604fcb2493
SHA2567ec529715a0d8d9dc2f0a206ad255782f6baa73f66908df21217267bb7bfa071
SHA5122eeb675673ea00567ae422af80f976b616d1e84170411ef89082f809c3dea18d72fea04b16c21b3e939b448968f00a01f98d20b0e45aca95f4d3a9dc88ff8b53
-
Filesize
6KB
MD5ff3a895246827ddf9affd944af95e283
SHA15520c5a09b879ced702dac6c15f245557d1254ac
SHA256b80c257d85daf1d0f287c5f2ac4076fbcb670738683f26a6c68f2c36dd8a5ca8
SHA512008d73f2bd66d55ccbec00a2bc9b28a8f460a05db5a8fe14f906aa8783f57a7a4f84799cbc919ce3dba8bdf4d8222590a145588574ce2876e5b85e5c10188370
-
Filesize
7KB
MD5d58220d58c8c5967732dbb44cb2ad9d0
SHA19181eb9c37c16381ea1a2def385d2840c80daf7b
SHA256676948f348e04abd5a91b32a21366235fada02e73bf31caa4b8478cea2f8a572
SHA512ab989e6e6d5a3603adbb720aa89302f891186dc7ff4e16246a4ed040e12b7b4b9c307c9ce3a3b7f66b060478e96e9d2df53dbaece3f86848f0ff2849defa1694
-
Filesize
5KB
MD5bf3a74352835964aa8ead18bf41709c4
SHA1810ef32ac5350a9aa11c23637ac4579d8078f208
SHA2569529766396699f71dbfec7ab0936885e256d6cea15b817a0521042f0809b726a
SHA51281e11ae5085510007ac9b32f167dd537fe0d43486960286c80fda6adb77e910e96b943d0d6361b1ea889f0d421241487619d4511c91170c65faa7a2a725c0d69
-
Filesize
7KB
MD504adb9b3a65db032c147b97ff28c7e77
SHA1761e9560249b94e83c5b03e4d1a0cdce53fe9246
SHA2562db334e66100f359836902dc2926a398afa2f0b9b8d908ab93cfd4807209d276
SHA51240913cebc5e8edf4233c5ff8c94a809ecea45f3102ba4d8c1bcd3465579fd37185e8af3f06f58cb24560c91e608ad37c21dbe1efb7503f3cdcff7d8d3a3f43bb
-
Filesize
5KB
MD5ab137ef68f20b89ac1d7c0b375ade0ee
SHA1015ab3df0c98c943a61a39db87bfdef432345a61
SHA25667b4e588c5ef09865c7928610441a56781dc02154f64a54ad37b60802c330a0c
SHA51254630a32cc48a2da7a26ef2b9d9816c42f86ce136e3801f39016dd70964fa684a3775dfbd98b69ecd609c4de07e62ccb425526e9726049a31e29a9534a8a877e
-
Filesize
5KB
MD5f78317b1409cc1959f2f4b389c2bec74
SHA160f705b80524357b23ad8d73e0012f722957c6bd
SHA256d99c2a04cc5233f2559969328cfe8457efe97a60338368779a2035ad32c4089b
SHA5128437677ab7eda4595d16888a2f94976a0c499da46dace36c3c1bd0a2e837465a5811d71a8f1c60328703550b939fdc538bb99d6edd3f22e7bd48957527147e25
-
Filesize
5KB
MD5a2a6e42d0a1c3f52617de4d67543d07c
SHA1fe49d16cf4090c096b1468da91a65329c0996b1a
SHA25671f584d2c450a85cb87b7b9e7620a2ce0e069c836150c0b68c4c1c58666d40a1
SHA5121e9b7d3c32d33e69af1ab38ef3deec74ec6acef026eef3059556f8a07c1842bd9c2365d42d4eb0299586a352b537dcdf79e59a78734249466599748fc1d9691d
-
Filesize
8KB
MD5dd4b2f58e4f139a34aeea3c15bcd6dbb
SHA19ad9c73693401ce0cd94d4877866f706eab7c1d5
SHA256c821b9ccf07d1652dc5e5fefbb21568879e56d6fde5f3d7902433ff5bb7a8e08
SHA5128bbfd5ca3edab7ebf7d2d7d89a819487a04326388166ead5e0f72552dcc4ac65c7d63d4d90bac9699735013167c03b374de6512812aa6d9ac22a00330e9be731
-
Filesize
24KB
MD5acfe29af3a84fd025fd0b0dbaa36191b
SHA129a10e91f064cf5179d4149f3fe228b78057eb7c
SHA2562d8e7f4d38b1bf540fd34b0073d5b3b5956d11d5283eaad69fab5d1d366a0e5a
SHA512d141d3bdb04a3597dc58e3ee73dfbc529b6b0d8fa9d2f4307f18dab13b9053f96f359a654fd8ef897d3be6b8a006df717a7b256dd0bd12898535e2d44f79f372
-
Filesize
24KB
MD527cdb5ed6a61ae1546f87aae1ef3fff2
SHA1a8153aa4fb0a32e4f9a3902415b0759a357e3850
SHA2569f340f4b50ac302811cf970d22e6c806eae7c3718d7259331b8d926cf366ddc4
SHA5128d953b59398b457668a8b37dd5702c2401d3a3cb1fd9af2d6fdf93913815cbc5300a83f75ae1ea8f27a67467c986507d6d7756366ed2064ee3f31392e25922aa
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1
Filesize264KB
MD5d0d388f3865d0523e451d6ba0be34cc4
SHA18571c6a52aacc2747c048e3419e5657b74612995
SHA256902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
Filesize
1KB
MD5886f3158d64719add10c640668fc29ee
SHA18b008cf01d33eb3705d0769d6c9e55d276bb7987
SHA2563001f805dee2db009907646ee9e461806edc350efac69f5c4680f82a51a087d3
SHA512f393b10bd5c8ccccdebd1423f08c824df088a9a33fc0fec285fcb7c970b073f5b362fe05c101f05becf291b54fb0d053906f8270e0c09ef2b5dbc453ce50726a
-
Filesize
1KB
MD5cea028d959dc675c04eb7d1a4d3f8b33
SHA17a4f19d7439937c549bbfea975042cb72119b61a
SHA256ac744c5da7cdb9c333253c17e26975cd3184263237e2b414ea186e146c25413f
SHA51223e58d64bd0db7a89bb3c22d46bef81d2f62699b62e1f890923789c153e5ffa25ac4722afc6fd8b2dec59b3b43711034c0fe663e06f1dfd0c89ed4d52ac540af
-
Filesize
1KB
MD55c2d966be4ccb89357d7a2f7a8b3d24c
SHA17036782accef0439d38b336e9d65485b234fc702
SHA256618f6888820f8a1fde0bd0b54ce77eb4e68d8caf7deb927df85846d90e9db13c
SHA512873a75987927f79b85f8d076f3adb48fe0c8f20d8f9a8723d0f3f19161c699a24670ccaff093931a3107c77c8cc13f240face921b1a19d40eeb58a7cec3dded6
-
Filesize
2KB
MD5c383097e7de1f4aec5e1a6c5bdd07b5d
SHA10848587bffab75c7f8e339cad5d2ab32b21d6740
SHA256dcbde63dbf93843a45c2457bb91cf26084fa23e6d6f28d1f7f06addda43994f9
SHA512f015b7950fe417d8d6617155917634ddb038b149564073a7a329b1974e3e29ca79e50183e584567470e5a98ed89616d3283ae6dd762f49de82f69927a1e00d0f
-
Filesize
2KB
MD5882e4c0030a60e0806371f33d092aa1e
SHA1074342ee4648c383680d8c10b07eee841a855371
SHA256f085f12bb1c575bc6914e80a4b7c6a03914b046a63ce283c5b715bfa5ffbfa20
SHA512cf499a9b85c7a8144e99582198db9b6b6795bbbaeeff1357832be2ac7294fc71aa4b33ec8c51065c1c02d73339b73701eb1fc5c760e417bbaebeec920dd2b83a
-
Filesize
1KB
MD5d56ecc501ca6a6ae601066f78a1cc914
SHA1860089f791e1e7a416658a00a24e673576859097
SHA256f1d25675108b756b20eab7876a9d05d896a939cbe7dd29030fa33d4b577e5350
SHA512f5eb5efc7da067db071b818c46d7b0545fd51c9e654cf3e6121d9e8ae254b46b0b9608a7acb68476c63b1f4f73b677ab6fb8580cdd2a4e14f4231669a2606181
-
Filesize
1KB
MD559c8e1627f2b53bee9afe6b53327e367
SHA156624235af46156df2cfd966bef6ae0e7003397e
SHA25643eb19a5a3c09270f349b710d61ba47402517ffe352583952d0b463de8fe5351
SHA512cf62c053fbc4ef267828088e5b5438a2c3a871eb0f8b5cced7b1e30f5e5a053ff5be992126048caab08981f01a49541441e7ab2f8cc8bf5754553a0439979d36
-
Filesize
1KB
MD57a3c00ab73dc25e209878bba54e124bc
SHA19b936de6c2fbf0600cbfb6047262d8026aa63179
SHA256d8ba76bee9c09c3c926d6bf280dfe3b171669a47fa1b4238d2f1f3fa10d62a4e
SHA512e05d140b2f65cb119a26b538cf746c649992197aa1937e506e01a75d7fbed57dd04f9bb66570e3d179518f56d9254b2e715ea1a14670cc0795071eaf7889cc2e
-
Filesize
1KB
MD5fb82314e4ac874ee0370251a932d66d6
SHA10e264fb9af66251ddd29b48a376c4ef31ea634ba
SHA256485b6993591f3fa09bf694d640cb7ec418d7985f397bf155a0a0cac126af8034
SHA512abe861b7b3aa009c3d63fbcbf6919a6a23649027cc9f570ad000cb09b2001945a29a4ef27e4c026775fd3a81fed48ecba7956ff3b9426d4ba0afd8e24fc722f5
-
Filesize
1KB
MD58e7cac78af90d62849b4d7dc962eac39
SHA19af6237c802ddb02f849398945683f2d88c6e9c9
SHA256d30d006b29c183986a9e13f356cbfce0112bc44f87eef4d10f1e76dae3d46371
SHA5124f6f340d75cd93e8e873b95088eec8d196fd62211a5aa569c5b9c376af3b083a3eca95e5361aa69286d47c322a1e92bf0f35efa5d4c8201881d3e14b314c3422
-
Filesize
1KB
MD559348bf16a67bc119e3dfd7f594df9f0
SHA18d56587d8a75d35389d2fb5cba126cd44bafcf0a
SHA2564ad7fb0b561dd56ed366783917f13ca5f0de85d1af5dbb1f3ef002baf3e7c788
SHA5120ee5f246b1b86d4030e8d0a591efbc64302e72269f84b939fac506e87dfed388b39f14d85d24f15965c10982d4ae4083e7f3161aa02467e11f00fe23fb5be180
-
Filesize
1KB
MD51e2cb4859c81594df7c6248e8185bb48
SHA11e3087ee71cddf45d2dcf8f2fd356e1b03e1c4ba
SHA2562aa6c24085f501e6ed2c465f6318a50f8906fa3b3cb430bb46552c9ff8fb3911
SHA51229107394dba2786043c6e9406e5359e66d16d9559bfdced7178b641d4a5fdba363d23e0c1787460165cde42edda755313d798e6b13382d5d67cf48dd02daf6f1
-
Filesize
1KB
MD540501a5ddce3eb14433ae7d02ca429b5
SHA15724d927b8ca735ce7e6a7fe9c384be8db501c4f
SHA25665e845c63a22cb8b73197fe6a101b18c28088cc12487fbab5019d6a586da45ac
SHA512c726c6b33cd6a911cc72481424086ada55439b75a97374c3a633c119f649e628eee0a8349f6fdda9d51847367b22487ee7be74563f51403a1ab1021780add551
-
Filesize
1KB
MD57c3f4bcb53e346b8589961522de83d94
SHA1ea71bf85208972d56e5778468b8895b431fc0b29
SHA25695babfa253155063fce9eed061b705c26151d673ffa853ee7cfbeed928cd5729
SHA512eda4924d92e4c847278f2962db5bc0fd8706f797dac8961d28afb17f5479edc6cc32770cff54d3c5a1530973c16ce54c80455142ca4004322532de561ac66a36
-
Filesize
1KB
MD56c1fa45032426738a0eddddb0a1a7cb6
SHA1083833ed55decd3a8180de6c9c101a30a685dfab
SHA256de6f64a00f488d3adabec02ed13772191109b04d5185fad7237b463c37489363
SHA5128c514092ea5663761c02c84f8e6ca092fd22001748167ba4eaf012787dbdb93e3961a9bede8785ce5a313ab04f8d6843fd8e9928f4eee42418aaf9cb19c0f0f9
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5024a40a70bfbc910522aeba1215d7882
SHA1de63a320b5c0a2f9e8ad4c808fda00738ca3a549
SHA256d6eed2655a9d81eb1e394daf6c8914d05b17aa644496bf9ae4e49e2a4811b795
SHA5128c3b75e7e63d20a99496cd350d247a0f547a6ce140f3e7c64b640136d4075a07210a623799804d34df1eaefa1ce9fa848fbffd2f42859d03c35ed35d426fa717
-
Filesize
11KB
MD52e9d3613b7be6f4da77447d5911c8a15
SHA17f32f826b528586a595c03f05348de0f416b9dea
SHA25666639a842a55a70286c09a2f845703aedddba97ef3e314e1a30431e010904416
SHA512c4648d85a875b964f4cde030de72d507be97c77d06783fb20e845d85e1e5db5f378785666697266553eb1a15f94c1d9b5b33d70991a6fec23845f3f1bc6a1c5e
-
Filesize
12KB
MD5ce8b0d53534cdd8bae24ba24177bccaa
SHA1da656066471dfdbdd08a78e271f1d18220ec9b5c
SHA2565824262d5914768d206670beef83bfd08702d7fb82f644fb0fd9692ff7f2acbe
SHA512bf97c173509da0b8c323084c5eddabe6c9460af3f3a8057398ee883ffac1f78e09819561ad2ef1078f817d41c169c6e24a5e0c57bc6823192b3e13e7c0e0a1aa
-
Filesize
12KB
MD5c904e2718a73d711ca427a28eb3c6245
SHA156c9a55c7ac4f22862ac13f300176d5db2d6d15b
SHA256cb6f3becfa6ebdeefe51b84fe0284049bb1ac1dd281c5426666cd6a48c5f0caf
SHA5129e9d891edaa5e9b08e431c3150c9161b1368a8d0301a59487463f9aa8b9a28658592622bdc03ff8cc56ef871eb861ac51fdc3a5c20bde1b60ac7c8f2385bee3f
-
Filesize
12KB
MD5c5e08c4e3eb1667c360b4fcbd1d481ab
SHA1fb4bb1819c56f0a2fd36e693239099f9c7f98620
SHA2564f5d8ab14b80cf58a8b06c3c0278fd803d0753175b1c90e04bb77f747188f8d5
SHA512434db669677005eb8fd1e22b950c1809debe4345dff6dc661674ed79b7f4aa450be3672c1ed90035418d352bc7e26d600eebfe564b0b3c2b7a6337586ce5c918
-
Filesize
10KB
MD543a09019f05faa8a1bf4429298328772
SHA18a6049ef2d73f5e75c04e717331099d5802e649c
SHA256cd3599b1184722ca38173a8a8c2e4dd31438681b4f3ce2c9d4ef7b9305a5c1a7
SHA5128fed771669190e92a09eba2cd51cbb9e2448c68f11ae2637d0ff2f16d9afed5d43a91c7b8a5df0fec51d18c395330c86c0f65647bb84914cdcdc8f1a6ea8c866
-
Filesize
12KB
MD5b7d4a73c3c54aed7e30d1d2f3b52e0a0
SHA181bcfc322fd29f5b818c0b67f074630c32477bcc
SHA256e772a3e7d02972378733ff7f264f958dfacdd5d478f150c327b5e61fbfa1bf0f
SHA51217e19662e1a6e6a449166ade4cd6a05ff3b5408e16029912ddebebef9e5974b320de3a7fcfa173d6224328380e0232965d7697f1d0b81b31b2d8e3e9b095f4e1
-
Filesize
12KB
MD57014e9d9a4f36fe2bfb7d2358e0df121
SHA1e7090dff488c26a6e280bfb549af288887b52bf1
SHA25679385d608b6c3b0152471265aa937d8f2167e9569a8404871c1e71bc4c0b5fe0
SHA512c6d62185ff76354a547d2f5a9de73a56ff8642b8654cacaed390cd6494a43422e84b5b5f005dd1bd76b4932c53f3d6d3f173385427a1959a4575bf714a68357b
-
Filesize
10KB
MD5747c1cb06f645bb18376eb736e333d81
SHA1cffa63faaf21d2926fe0ddfd02c5a6efe01768e8
SHA2563134e6e291f54ea969c0dec7e63edb71686ed6ba4f3db371a26a3b8ddbefe493
SHA51240042739248128694a0ee22ad5e007f6fe4abe9f7b58df9b3310cffc754eae37588ea24670bcaa172b25228e2a98d1ea0c107e1ee9deedce80d21b395ea48e08
-
Filesize
10KB
MD5f6043e7cda2e60eb761454568cad25b5
SHA145cc4f40848b1a1fd7197ca93d6532195d2235c0
SHA25624567f20c9400e6746ee7cdfb8ca87110c11bde602b5e9fdc1a3e3b94b72341e
SHA512d6aa22d98bb103dced3279ca51f4b59d9f6fb4b83784a8f402d0d6f2af20940b7e3ecfe598ff291e95d979e958edb728fcc6b70c8e6cff192db89aef27a0b7c0
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize4KB
MD5c8dcc2014d3c31093171fbbb05312a87
SHA1313020383cb16f7133f52c92df42476b30eb5571
SHA2566c4fff5bc52a301aaf118de0b9a8b2dbc5d08cad5a9b11f43c2452aceeb78d63
SHA5125cbab04762b0af28fcc9861c60726472f62c667703896ac34ee843e861f507035c68923980fbe1776d406f1b4c24f3f8fc3e40bbfcba925e3ab7cf88eef0afed
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\IPWDBVC8\microsoft.windows[1].xml
Filesize97B
MD547a6cd3f07c8a10235786da4a201fec3
SHA181e4aff679e7b4082a8a12750b0da76b1eee2089
SHA256a730043465c7712bf7f98422ead007c4ade414e8cb742ed4909a4e0fafb36d7e
SHA512d7aff20928cf944e3a81d1cf70fc22e82484da946caca269c52197885accf5411c4ce46f3b34fbd152e4edc5f827477ac7b8f45b07d2e02b04159aa4a1999a3b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650422242854206.txt
Filesize2KB
MD5ecaea544af9da1114077b951d8cb520d
SHA15820b2d71e7b2543cf1804eb91716c4e9f732fde
SHA2569117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6
SHA512dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize1KB
MD5e194d5a48ad74716b3a743f5e8177be5
SHA117f179df9f79026960ab78f63b2af3aa043cffd4
SHA25621b0c808f8d52332c7e56bc5a9005fbe7431ca103422199bc93b272e03646c3c
SHA512706a82d253f9d8581396b6b14dd05562d3a943341c127e1ecd5b3a2a1751a1d952fd4352aa522bf5aaebfa3a5ede221bfa11e819ca6e08c7b60c891a23b58e2b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize1KB
MD506c88fd799fe404da046690f26e0b6d3
SHA1c42d6c92ee7b34b7b4e3d4b88615c5e3e5f7b217
SHA256ef9d5ab658414870b1f5675396b0381cdd116a0b5615520adfaac55c8364744f
SHA512145e4ab0edef63e75fc81d05e1d8e9bd2e3f9cbeed29dac68ced5bedbd2b48a5db871ca0c0a1475437d85e204f1ae241a4c3cbbb1f454f78a0c5a57edd933669
-
Filesize
1KB
MD5bc3e6a28de19b45de224f9add2a678f3
SHA14a5ab84c0acf1cfbeb4c4ec9c9f582188fafa26b
SHA2567ed3196813cf8f254d957211c30557964c4cf463dab27d60c2bc652f1e31969f
SHA51245fd8fc97db0207f993f4d2bae105aa9235a6e7fc206c13405f8f5f7062cbff192ce887fcf9bf802f034dbb2ed315aa710dfb8102fe7687870dca6f7fc0e3557
-
Filesize
91B
MD5de97f8c7f4f066b79ad91c4883cc6716
SHA192cc8bf74888ea1151d9fd219eb8caee02978556
SHA256a99f5d4f9a3cff36d5fa6ce75c5aa651448860ee1b29111bd8ad96eca85b05d9
SHA512cfc7ab2465cce5b7bd5a8ed8ba0b632afc3f1b74f70f1d799f858d2271afbbbb3b37697e1074d6f85aabb4748745566d72ec68bfb2e90d312879875406efd0f3
-
Filesize
676B
MD585c61c03055878407f9433e0cc278eb7
SHA115a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA5127099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756
-
Filesize
5KB
MD5763e954d21f7968dd730b5520de260f5
SHA1637f408ed6a5953fa5a2c394f919f69c1cbccd7a
SHA2564dcd46b515e54ed20cdd1e88b7dd301dfb2168b64d681f0df83a20bc207ea86b
SHA512c00993820cf5e11a8e40d83fa783fa4aedd13091d5f090492667696ee5d384353124ff807334babac0650fcb5eb35d761d90f78b4d3bd4a38d48f97ef89f273f
-
Filesize
644B
MD5dac60af34e6b37e2ce48ac2551aee4e7
SHA1968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA2562edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA5121f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084
-
Filesize
668B
MD53906bddee0286f09007add3cffcaa5d5
SHA10e7ec4da19db060ab3c90b19070d39699561aae2
SHA2560deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA5120a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0
-
Filesize
5KB
MD52bdb5d0b0d38d5d62806bedb36d3f387
SHA1e5d00979726ff4dc1df3e236f4603d7ad7bb9a58
SHA256b4f30ed6bb599fa7bc739bc5b9e5340c03173309219b77893badd7633215a0c7
SHA5121815b00a9ee86a1e355311b2f81ee4e9b1a108ed31306ddc739b6b302e2ec7278e85a134516ce5cfe2728ff626b625ee758a1ca8b95fd7cdf1330589f0456394
-
Filesize
12KB
MD59c642c5b111ee85a6bccffc7af896a51
SHA1eca8571b994fd40e2018f48c214fab6472a98bab
SHA2564bbf7589615ebdb6c769d6d2e7bdcb26072bac0cda6e225a4133ba8819e688d5
SHA51223cc74b5a7bdf70ba789d1730a0009414cfb9c780544e3d8d841be58782b9a9a089969c4295a0da25d07285505992386486d6ff0524e75605b96bb99cd3aaa1c
-
Filesize
423B
MD564f5832b76fb815ad034ef32eab14f5a
SHA156ccad9b74b6e7c008fc6cb884750deefdf45fd0
SHA256507b287b4c5a7877a29b4fc859d7ac765e092c699674f8d863594e108b20583e
SHA512b077b5090ed3ce913345bb0d854beb3773a6750f875e5bfe0119dc021a8bb9698e128590a664ad29b3f228abc912cb2a07c5a17665b3a7bfdf77ca21bc993b1a
-
Filesize
435B
MD5190438760938d89ba2e23c1f3fdd9ed5
SHA1517c622521ffd2743aca5dbf0f689cfccb831143
SHA2560575aaba31ab487647c52037a27ad72016e748883222491da638e765d34035f5
SHA512ca80cadfb5cdcab1705007000806408a72eeb4a6a9c615d2996920fd4577d3327734845e1746ff875b3171f7145935da70c85b45cdf69f27c8fe6112c31e7bda
-
Filesize
26KB
MD578e0d3a231e8d0357e6b6ad0a1d310f4
SHA12ef96746f638179923adb7da2a7cbe1ae0602d3c
SHA2562593106c4db854ecebc341d2934366757361cfface1dcf3503a076b24c2e3697
SHA5125b8ae4848db2b13e07a05e2a9dcd922a1a41c64772c0278ca29d6d6ef371d5df5b687f125005c25cc115ea94db759d4dbfeae93b8cbf5efd860a9ff1c4fa3a9d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize2KB
MD562d66a26a8b16f77f897f9f85c594391
SHA12bec97959d5ac4c95ab6c28a13fb26ad8cd5ea05
SHA256db53b256445762bc664ceec65ad8ec43691196dc30d608315bef52a963e15b54
SHA51263f79b6c10c24e110db0de9ee96d3c23c2edc2828df0d20c252e45ea2e00d8dd0b091f2ea058c33d6e976f260c1a07b81f1e7a0b648dd9cf45ff0741b1843269
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize3KB
MD5c1f63782046b94ebbdd878fe0469191b
SHA10247d25fcdd41f04d84a0cdd9b669494b4cf5720
SHA25614299e62a1faf224a58cff163b43167283e6662929ccb9342d540e721dd6e7b0
SHA512112ec9eb5ed656eb4fa036df840ba05bfd96241ecc4fcf5d5c83397838ba560534f9c311beafc5b2814471d3394b5c01007e19cde3f6216366de7f2789c21e97
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize2KB
MD55c28ea9ef8f8d62abe40aac24ecf8018
SHA1b4984c5fb00447fa83a13ab4f72b69166b094c4a
SHA256ffd01b2965624da92b47208b2b4d3b7dbd9255bd0713838e499fbc37732eba66
SHA512dd235388b02305362a8b86436bed5b5489992c7e293bf0e6818a4801706dc8e3748c81e04dc0e718f2110a5746a70dadad94c3bc1a02779d3de1ba9f78808092
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD520344a14fbf68d7bbce5096884b31ae8
SHA1467e03f4821954e2f53facbe63d169d7431831a9
SHA256d234760c0f85bef5b5d6abe524619c24b984fdc5ea7304eeb3697472f611db5e
SHA5129a9fcd5356c3ecb4caf22915f2d67a90e955ff2a8b8fd3e8c036576fb2e9f93aa2fe075bff4c9fb510c1cf97a4d24ba167fdea6a7e1ef0d51b3f9e0a78301b3b
-
Filesize
4.0MB
MD51d9045870dbd31e2e399a4e8ecd9302f
SHA17857c1ebfd1b37756d106027ed03121d8e7887cf
SHA2569b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA5129419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
-
Filesize
8KB
MD53e1813e6968cd65048413d0dfaaacaf6
SHA1f389d7b5673178d78cf7308d86d8961b5914edc7
SHA256250cba74e9819288948a1c5be1b699b6863df0a51b0e2e9d9e10a3387cc356a5
SHA51225c99c6bac0866e380257648dc124f5e9b1ffe3ba5a2f87834108d47dc1c89dec1859d7cd4d70e0c09b3460494843ce0df59bb135119892a19b421920c71cb61
-
Filesize
1KB
MD5de27e86eb71b18de13bab00bf7b0ad8f
SHA14488e7df141818b06e50ddc82eb9c9a26d861457
SHA2569966b54c25057601cbba8e9df33f92d906bece7ad445f80a93e0f8e8f5b95858
SHA51206fed9ed1070bba71c914e6a7e257f84aa14aa79cccf37f5301a9d4749ad30ceced2aaf040e809120535c206d09c2d0b471a98ea1d27919de471dbaf55f82f77
-
Filesize
4KB
MD5cf20c2783cb5aac9d806b5de5d8203f6
SHA15ce9e35ffbbbf9b90158423b601e8e0a1af4c1e2
SHA256fac1319b085188d3fd20e9d16203e43ac171e20dc6a4a4a7f502628763b1c448
SHA512f3a03cf7ec2eb2a55588650a37e024e76607254aea45e5eacced74a6abadaf851936d6425794eb3e14a27d7cb2475cb3ad39a907a1bbd48536b931ab53cdcfc7
-
Filesize
16B
MD5553dda8f9d6b50d4b2087d9b908e5ac5
SHA1b5f9dbf4646ab7aea0fdadd4ce6e528b96f5a57b
SHA2568288480cd94c59fce9ac64396943716caf1d0d20b21e459fed07abc490117909
SHA5125c9a0d9e19ef8cc5994957b947cf8a6b0cc3997ea7f0535bed223866d7ccd26622ac1a9e72d46802af81b30fb204f5b4d36ff96158afa5e13b7feab89e7c1eb4
-
C:\Users\Admin\Documents\SendRepair.pot.id-F9B9ACFC.[[email protected]].ncov.locked
Filesize2.4MB
MD59f01fccf6730afb0f1da32bb0dad9177
SHA1586f89543637384cf7433d2433dd024431555e8c
SHA2567a8ab6a8f59f2ccff918949002e3d6105781d1a3a2b340c19c65f984bff67381
SHA512a7c7bb9061f3f0757d730d3c9fa2e4f15559994b5796dbb08be1ac867b5b81c16da1d02729cde4fbff0b711c81191ffbb5042ac03cd2d38428f9b2d3bbe88405
-
Filesize
8.7MB
MD5799c965e0a5a132ec2263d5fea0b0e1c
SHA1a15c5a706122fabdef1989c893c72c6530fedcb4
SHA256001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
SHA5126c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8
-
Filesize
12KB
MD58f40ab355ce87d20b87de8b224242bfc
SHA115fe66eced37a3a90821464702725e408644af77
SHA2562f1c3f37c6468ebb385731ae5867a7a142ebd58cbb6791f3208a19504cc7e822
SHA5123c1add73c2d1d83e08df101af0fcdeb524b7037f5b16c2cb5aef9fb5e6a1b5fc56398bf69b5379bb1181ddd6da0f930aa9b5c9cb05522d062e9f95b47ed301d2
-
Filesize
4KB
MD520e335859ff991575cf1ddf538e5817c
SHA11e81b804d67d6c0e22c0cef7e1cb9f86ce0ef5ee
SHA25688339750431112ed60cdf9bdb7697434ba9b38e2d15ad604c4462705bc1bdfcf
SHA512012251b342722cf35ebec2c7d071db505a992d81fc4b3492cd87640b5c955dc084825fc5e72edc821f4c481867183f21d26cd904fe7f0373d1156332f87b031d
-
Filesize
8KB
MD55ce1a2162bf5e16485f5e263b3cc5cf5
SHA1e9ec3e06bef08fcf29be35c6a4b2217a8328133c
SHA2560557ea4c5e309b16458ca32ac617b76d1a55f5f0103e368d05c0f0386b7a0a43
SHA512ceb5e270bdbcab5be645e50705e3111a5c4751a7a865580d53fa86580025201264a49dd0ea9135b10cff28d7bb21b767ac5d4aff40e880a866ab35df273b5de1
-
Filesize
448B
MD58eec8704d2a7bc80b95b7460c06f4854
SHA11b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210
-
Filesize
5KB
MD5d2ea024b943caa1361833885b832d20b
SHA11e17c27a3260862645bdaff5cf82c44172d4df9a
SHA25639df3364a3af6f7d360aa7e1345e27befc4be960e0e7e7e060b20f3389b80e76
SHA5127b7cfb5e689feed6a52eedf36b89a7b5cc411191571c0af5e5d704b5f24bfa04afa62d1daab159a7e5702d80e56f3946bf32db0551d256419ca12cd3c57dcecb
-
Filesize
12KB
MD58ce8fc61248ec439225bdd3a71ad4be9
SHA1881d4c3f400b74fdde172df440a2eddb22eb90f6
SHA25615ef265d305f4a1eac11fc0e65515b94b115cf6cbb498597125fa3a8a1af44f5
SHA512fe66db34bde67304091281872510354c8381f2d1cf053b91dcd2ff16839e6e58969b2c4cb8f70544f5ddef2e7898af18aaaacb074fb2d51883687034ec18cdd9
-
Filesize
17KB
MD5352c9d71fa5ab9e8771ce9e1937d88e9
SHA17ef6ee09896dd5867cff056c58b889bb33706913
SHA2563d5d9bc94be3d1b7566a652155b0b37006583868311f20ef00283c30314b5c61
SHA5126c133aa0c0834bf3dbb3a4fb7ff163e3b17ae2500782d6bba72812b4e703fb3a4f939a799eeb17436ea24f225386479d3aa3b81fdf35975c4f104914f895ff23
-
Filesize
756KB
MD5c7dcd585b7e8b046f209052bcd6dd84b
SHA1604dcfae9eed4f65c80a4a39454db409291e08fa
SHA2560e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e