Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
280s -
max time network
300s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
08/09/2024, 14:16
General
-
Target
https://www.dll-files.com/d3dx9_43.dll.html
Score
10/10
Malware Config
Signatures
-
Cerber 12 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 44 IoCs
-
Drops file in System32 directory 3 IoCs
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 20 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 34 IoCs
-
Modifies Internet Explorer settings 1 TTPs 5 IoCs
-
Modifies registry class 19 IoCs
-
NTFS ADS 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 20 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.dll-files.com/d3dx9_43.dll.html1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab93046f8,0x7ffab9304708,0x7ffab93047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7832 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7968 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7828 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6980 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7944 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7760 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7760 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1360 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5900 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,7668721541101445043,1639732464508755903,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\freespoof_[unknowncheats.me]_.exe"C:\Users\Admin\Downloads\freespoof_[unknowncheats.me]_.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe4⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe4⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c slmgr /ipkW269N-WFGWX-YVC9B-4J6C9-T83GX3⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ipkW269N-WFGWX-YVC9B-4J6C9-T83GX4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c runas /user:Administrator@domain slmgr /skms kms8.msguides.com3⤵
- Access Token Manipulation: Create Process with Token
-
C:\Windows\system32\runas.exerunas /user:Administrator@domain slmgr /skms kms8.msguides.com4⤵
- Access Token Manipulation: Create Process with Token
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c slmgr /ato3⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" /ato4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker34⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker24⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker14⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop wireshark4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop cpuz150 >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop cpuz1504⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop vgt >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop vgt4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop vgrl >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop vgrl4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop vgk >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop vgk4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop vgc >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc stop vgc4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete vgrl >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc delete vgrl4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete vgk >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc delete vgk4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete vgc >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc delete vgc4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete vg >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc delete vg4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im vgtray.exe >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im vgtray.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete cpuz150 >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc delete cpuz1504⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config wuauserv start = disabled >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc config wuauserv start = disabled4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop wuauserv >nul 2>&13⤵
-
C:\Windows\system32\net.exenet stop wuauserv4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wuauserv5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config bits start = disabled >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc config bits start = disabled4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop bits >nul 2>&13⤵
-
C:\Windows\system32\net.exenet stop bits4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop bits5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config dosvc start = disabled >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc config dosvc start = disabled4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop dosvc >nul 2>&13⤵
-
C:\Windows\system32\net.exenet stop dosvc4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop dosvc5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config UsoSvc start = disabled >nul 2>&13⤵
-
C:\Windows\system32\sc.exesc config UsoSvc start = disabled4⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop UsoSvc >nul 2>&13⤵
-
C:\Windows\system32\net.exenet stop UsoSvc4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UsoSvc5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im smartscreen.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im smartscreen.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im EasyAntiCheat.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im EasyAntiCheat.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im dnf.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im dnf.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im DNF.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im DNF.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im CrossProxy.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im CrossProxy.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im tensafe_1.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im tensafe_1.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im TenSafe_1.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im TenSafe_1.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im tensafe_2.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im tensafe_2.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im tencentdl.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im tencentdl.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im TenioDL.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im TenioDL.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im uishell.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im uishell.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im BackgroundDownloader.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im BackgroundDownloader.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im conime.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im conime.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im QQDL.EXE3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im QQDL.EXE4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im qqlogin.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im qqlogin.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im dnfchina.exe >nul 2>&13⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im dnfchina.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im dnfchinatest.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im dnfchinatest.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im dnf.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im dnf.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im txplatform.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im txplatform.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im TXPlatform.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im TXPlatform.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im OriginWebHelperService.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im OriginWebHelperService.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im Origin.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im Origin.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im OriginClientService.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im OriginClientService.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im OriginER.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im OriginER.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im OriginThinSetupInternal.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im OriginThinSetupInternal.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im OriginLegacyCLI.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im OriginLegacyCLI.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im Agent.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im Agent.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill / f / im Client.exe3⤵
-
C:\Windows\system32\taskkill.exetaskkill / f / im Client.exe4⤵
- Kills process with taskkill
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll /accepteula3⤵
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll /accepteula4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll3⤵
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll /accepteula3⤵
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll /accepteula4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll C: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%3⤵
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll C: 6117-09804⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll D: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%3⤵
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll D: 9172-48114⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll E: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%3⤵
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll E: 2018-15334⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll F: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%3⤵
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll F: 5871-52664⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll G: %random:~-1%%random:~-1%%random:~-1%%random:~-1%-%random:~-1%%random:~-1%%random:~-1%%random:~-1%3⤵
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll G: 9936-08894⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\accessibility.dll3⤵
-
C:\Windows\System32\accessibility.dllC:\Windows\System32\accessibility.dll4⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SS %random%%random%%random%3⤵
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /SS 182252346545644⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /BS %random%%random%%random%3⤵
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /BS 182281446224284⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SU auto3⤵
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /SU auto4⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /IV %random:~-1%.%random:~-1%.%random:~-1%3⤵
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /IV 5.3.84⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /ID 0%random:~-1%/0%random:~-1%/20213⤵
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /ID 08/03/20214⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SP MS-%random:~-1%C%random:~-1%%random:~-1%F3⤵
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /SP MS-1C29F4⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SK A%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%O%random:~-1%3⤵
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /SK A809S071O24⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /SF B%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%Z%random:~-1%3⤵
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /SF B195S528Z44⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /BT X%random:~-1%%random:~-1%%random:~-1%S%random:~-1%%random:~-1%%random:~-1%X%random:~-1%3⤵
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /BT X571S984X74⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\System32\ifsutipx.exe /PSN %random%%random%%random%3⤵
-
C:\Windows\System32\ifsutipx.exeC:\Windows\System32\ifsutipx.exe /PSN 1825832646193664⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\ntelidcx.dll3⤵
-
C:\Windows\ntelidcx.dllC:\Windows\ntelidcx.dll4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t2544.bat" "C:\Windows\ntelidcx.dll" "5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\ytmp6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where caption='Admin' rename6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "NV Hostname" /t REG_SZ /d 6620-6FAF /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v Hostname /t REG_SZ /d 6620-6FAF /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" /v ComputerName /t REG_SZ /d 6620-6FAF /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v ComputerName /t REG_SZ /d 6620-6FAF /f6⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner /t REG_SZ /d 6620-6FAF /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 00331--00001-A6FAF /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId /t REG_BINARY /d A4000000000003030312D3836382D303030303030372D383535353700AA0000005831352D3333000000000000000C3AABFCAF3BA18B8878E89DCAF3000000000000396CC459BD03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002E566736 /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId4 /t REG_BINARY /d 67A04B1204000000300030003300372E56002D00300030003100370030002D003800360038002D003000300030003000300030002D00300033002D0031003000330033002D0037003600300031002E0030003000300030002D00320036003500320030003100370000000000000000000000000000000000000000000000000000000000000000006200390032006500367A04B1280030002D0062003900035002D0034003800320031002D0039006300390034002D0031003400300066003600330032006600360033003100320000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050006F00660065007300730062E56F006E0061006C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000C3AABFA65BBA18B889D24ED80000C6167A04B12D0BEDFD25E2E5645B89FFF45564B84E87CB968EC7F4D18F6E5066261A0B704B9D2739558B7E97DF882AB087AB0D8A314BA9BB1E06029EA28D5800310035002D0033003900310037003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C0075006D006A00470056004C004B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C007D0065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration" /v ProductId /t REG_SZ /d 00331-10000-00001-A6FAF /f6⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer" /v svcKBNumber /t REG_SZ /d KB3170958 /f6⤵
- Modifies Internet Explorer settings
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_DWORD /d 1509588422 /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration" /v "IE Installed Date" /t REG_BINARY /d 1509588422 /f6⤵
- Modifies Internet Explorer settings
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {67A04B12-2E56-CAF3-2E56-801C80D394BA} /f6⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {67A04B12-2E56-CAF3-2E56-6a1C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {67A04B12-2E56-CAF3-2E56-6a1C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\BootCKCLSettings" /v GUID /t REG_SZ /d {67A04B12-2E56-CAF3-2E56-3e1C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\SecondaryLogonCKCLSettings" /v GUID /t REG_SZ /d {67A04B12-2E56-CAF3-2E56-3e1C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\ShutdownCKCLSettings" /v GUID /t REG_SZ /d {67A04B12-2E56-CAF3-2E56-3e1C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {67A04B12-2E56-CAF3-2E56-801C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d 67A04B12-2E56-CAF3-2E56-e71C80D394BA /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild /t REG_SZ /d 14381 /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber /t REG_SZ /d 14381 /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLab /t REG_SZ /d 14381.rs1_release.171256-2100 /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx /t REG_SZ /d 14381.1944.amd64fre.rs1_release.171256-2100 /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d 67A04B12-2E56-CAF3-2E56-1C80D394BA /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Connected" /v GUID /t REG_SZ /d {A28BBADE-2E56-CAF3-2E56-001C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Disconnected" /v GUID /t REG_SZ /d {143E4E83-2E56-CAF3-2E56-001C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\EmailImage" /v GUID /t REG_SZ /d {C66DCEE1-2E56-CAF3-2E56-2F1C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\FaxImage" /v GUID /t REG_SZ /d {C00EB793-2E56-CAF3-2E56-001C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\PrintImage" /v GUID /t REG_SZ /d {B441F425-2E56-CAF3-2E56-001C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\ScanButton" /v GUID /t REG_SZ /d {A6C5A715-2E56-CAF3-2E56-001C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\STIproxyEvent" /v GUID /t REG_SZ /d {d711f81f-2E56-CAF3-2E56-921C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE" /v value /t REG_SZ /d {27720B92-2E56-CAF3-2E56-921C80D394BA} /f6⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\net.exenet stop wuauserv6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d 67A04B12-2E56-CAF3-2E56-c91C80D394BA /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /t REG_BINARY /d A4000000000003030312D3836382D303031C80D394BAD383535353700AA0000005831352D3333000000000000000C3AABFCAF3BA18B8878E89DCAF3000000000000396CC459BD03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002E566736 /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet start wuauserv6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start wuauserv7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c shutdown /r /t 253⤵
-
C:\Windows\system32\shutdown.exeshutdown /r /t 254⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Windows\AppVLicense.dll3⤵
-
C:\Windows\AppVLicense.dllC:\Windows\AppVLicense.dll4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp5⤵
- Hide Artifacts: Hidden Files and Directories
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\ytmp6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp2654.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp2654.bat"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp2713.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp2713.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp2654.bat "C:\Windows\AppVLicense.dll"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr [0-9]7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 6EA507DD26F3 /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr [0-9]7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00016⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh interface set interface name="Ethernet" disable6⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x474 0x4181⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5ff63763eedb406987ced076e36ec9acf
SHA116365aa97cd1a115412f8ae436d5d4e9be5f7b5d
SHA2568f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
SHA512ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f
-
Filesize
152B
MD52783c40400a8912a79cfd383da731086
SHA1001a131fe399c30973089e18358818090ca81789
SHA256331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
SHA512b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685
-
Filesize
63KB
MD5a2b03561cabc0d346e9a6be3f5b11b5e
SHA1ba0aea2acc1c20700c4c09c5b2b8d0bfbd33ce6b
SHA25609588f4db755d8d88d9e521f5189d97c2ac781ee7ad782bb0c644eb9f69feef1
SHA5123602c58bf569bbf22d2a559f0a62c4ac8d6c9868dd956cf0d75d694d104eaf2f82d22c9427636a46ec82cc24e758ad1eaad75fab771ce843308c1b2fe57c6ddb
-
Filesize
20KB
MD5e9e58e168c0232394ce8cd2d0a18944a
SHA19b27cccbb34b3b837fb52f355f1a2b823fb975f9
SHA2562c09714f6c24f22eebead7e80a08684778895f7b6c21ce6cdd00fd220aa4fbe0
SHA512d9ef910c9df9e70b02220d67cb24e501d7068968cb27f76f982ed26e5649426d89559f3f19ab01f445cb2c2ed3cfb3d6aa2e6d06af9c5fae9dc920d74d8b5221
-
Filesize
20KB
MD518f9722fdcc2c1955b8c73ce08582803
SHA1043cebf1675f9313c6f74cbb6be3768df9eb6b3c
SHA256d23cf15bf702c78411dd7bf1046e2e23a64785250c3eb01e4f8afcca9697ab8f
SHA512c9681a079d3aa55f04c0495dd2834fc8e1e55118da2055b17d5057a42001927e29793d9493b3e5b82c36549b2206740c4db48f029e90062453a8f1c950b1b9cd
-
Filesize
62KB
MD56b04ab52540bdc8a646d6e42255a6c4b
SHA14cdfc59b5b62dafa3b20d23a165716b5218aa646
SHA25633353d2328ea91f6abf5fb5c5f3899853dcc724a993b9086cab92d880da99f4d
SHA5124f3b417c77c65936486388b618a7c047c84fb2e2dd8a470f7fe4ffec1ad6699d02fa9c1bbd551414eef0f2e6747a9ee59ca87198b20f9f4a9a01394ae69fa730
-
Filesize
31KB
MD5c03ff64e7985603de96e7f84ec7dd438
SHA1dfc067c6cb07b81281561fdfe995aca09c18d0e9
SHA2560db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526
SHA512bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692
-
Filesize
251KB
MD57a4c6579e85e7687b7caeff56326b359
SHA1b39f533c843aaefbac0058eafc4e6b6b05d09aa2
SHA2564ae263098c462e6e6b2243f5a3a69df9de80d09c341c137dac3b7318b2038b50
SHA512686c78f37b70b6eb8ce3728208cfd280d784511882487284d53da9a34e6ed6e5ac366d0200629c9f77c84899166feeb976b95e8a095a13bd0191665a06b6d17f
-
Filesize
18KB
MD5115c2d84727b41da5e9b4394887a8c40
SHA144f495a7f32620e51acca2e78f7e0615cb305781
SHA256ae0e442895406e9922237108496c2cd60f4947649a826463e2da9860b5c25dd6
SHA51200402945111722b041f317b082b7103bcc470c2112d86847eac44674053fc0642c5df72015dcb57c65c4ffabb7b03ece7e5f889190f09a45cef1f3e35f830f45
-
Filesize
18KB
MD58eff0b8045fd1959e117f85654ae7770
SHA1227fee13ceb7c410b5c0bb8000258b6643cb6255
SHA25689978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571
SHA5122e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058
-
Filesize
1024KB
MD599061db4beb29630a3e16b22e0388d53
SHA12fd6132716a4bd805a1d001c0e5c4ad165b152a1
SHA256218ff417f830c79ec7a8a4dc9bae7cc728f6e6b7602b06f289a2d5bb24d8466b
SHA512fe5a69e1d95d76f0ab99496bb86152ffd48e271c72ea6fe2c7858d85a5f5df9968dc8c1374386146895fba8e88928c96f555eca9edac7a16881a9b5b7318a369
-
Filesize
1024KB
MD55b092628af16de22b68aaf70bd5fe13d
SHA170620055cd6154d7d892cd98e563508fb86906c6
SHA2568d75f8a77de65e3586392b8acfb1afc4177008d76d62f78b4776f04cf9e6bbba
SHA5123cb0d3a6052e146ba1389aaa249667b758f345143bd017b69865cfd8ee6f40ef0cfed9d42bfab9bb89ac0b71838e31b71accd03a733156d6e0a1973a4371c522
-
Filesize
33KB
MD5e039a23ea465d2de0388937695a7e724
SHA168e95d5b4060761fc2b0b58a593ebe7d661c52f9
SHA256bc3b9c09bf69ce51b930e86a23c6f249f9cc6dc98a84fd278d4131c9ddd78f43
SHA5125fedf2fbff555599108ae7bdaa86cb9d22537e46ecda50cbd7a25199338fba4bef35bfa813eba76b1b367fb8b93e2c1ee9952a55deff9f49daa189f22b5e0336
-
Filesize
50KB
MD584952f98cccb079b3f36f29c0f2f7d8d
SHA192a207064b6cb9cb6104bd8b3dd1e1e3e789b26c
SHA256d9a98b67c7edffef7138d578788a1c25310cd3561b94d8bce6999f40b0073186
SHA512a052abb5bfeb8ece88ce62b46ecc920db7db71467f1433d96fdc13072ec4dc4a67f13853f4d14e8f5794d9fbc58cbe1bf94e9f3a2afb7dfbdcecc2af2046bc37
-
Filesize
93KB
MD506cb502613f99040e534fec65fa725c7
SHA103006f32792e033497e9ca68373b6c3386305933
SHA256e1172d3a0a208cf01dc066f0abeaf17f00264a966159a69f71947d6edcd4935f
SHA512734faf4aff6d9c64b87f3c1320114f71d099d10c0ff9a4de3ef65e009918a5b8faecabd0e7e56b2630e1de58a5e3c2c82c9c6120241feba750f2dfc12723a8fe
-
Filesize
190KB
MD516b20908101acc6624cb9446fcac64a1
SHA1b7cd57a4fd6a1fae6126150f427ef217397293e4
SHA2562933c96348a4eae7cbbf8f280ca0981586a9b5c097ef952b996cad7d28f2fad0
SHA512b22c1efe85cc8528c60b02e7fac72b68f396ac9c4795480c04c65774f7b64e7937234c771120a82f3ed66793531fa499af2c0c63e3c1d5c8f2a89e63025b823a
-
Filesize
18KB
MD5ef2fa694e64f0f30991f6ef31df083f8
SHA1ccb1d5e39a8a896d0e26820325eb58b7bec13e7b
SHA256b61f934b22e57d2adcff5fb7f44fc731bb3baf6d61a9c6007ad59d3b167ecf00
SHA5122079f97097948e5a5232b3e8e6be43efcdf81469cd0f300153d0e130829071920608b615bd08c58ce99297f97171ff322e9e4f14a0f1afcaabd2e164e2b835fd
-
Filesize
1024KB
MD57dbbbf5efc500e7b501bb24cea205fc2
SHA1957553099966546cf92792554594fbe400e17f27
SHA256e1762a24979d3c5150eb523c42cbf3c757908fbdd37b50d7946b0ee88e501db3
SHA5122a3032d40194e6a6e81ba9ae81d160e8af97bc498e2cf2b0904be88cbc20ce0b3bc8ba89dc5138abe5991687e31cf2b9b7f7de205ddcb3b96a85686b45f5aed1
-
Filesize
439KB
MD59d37b1ec4d3619cbaf59ccd14445d067
SHA12c67a97eba407c7b54acfebde3dbad8119947ee0
SHA256283c61658e9568ba9b2afabf9c51f9dfa1d2b69848c18dad6ecba04f5ef07ca9
SHA51223172bf545b6880d0ee3cc3f9b359e830999f1e149e399127824de6eb76c204ec534223e93d17320ba844fc53fd51dc93ee4ec45cdbd0117e99193c368ad2845
-
Filesize
48KB
MD5cb5c40d988b76a8b87fc2269084fced2
SHA105cd77ca3953b7c14f441e8e8007c775e9cd7124
SHA256015e05f5aff349c90c9399eb1c0dcb5f401a15c2b8b432b159406954aa7a8584
SHA512a662b1eae27e37c8cf779c8245791892f23087bb5e57fd4eaabae98025c3d07990c72036d3bcc4f8cf17e00e0c2c7def5ef54192497bd3a163979dc9bcc98e17
-
Filesize
1024KB
MD55c4c7d78a2d5db7e170159028e03a082
SHA1a04d0c879e5307f501f19ec5c0d9589e39081526
SHA256832e8db1c4dd36c0310fed2eed1f5e740d0c176405ea870a2c09848a37c0d6ac
SHA51253ed0ae3730212d1ab6f5f17cf5aa2262f03ca98389a0d3043b8ddc750440015456a24dc8ba5a77c9fac626812b2c2a1150898a5114504788872983f3a503102
-
Filesize
1024KB
MD5bfa711760fb1959a4581402de5fed116
SHA1e66b3e4b864e8932d49e651a2cc69977d4571b21
SHA25638bbd28bd9bcf39063bb73b379afb3f37e031b9f6a4a4979f639e1b323cff97e
SHA512139946ba985f91e20d67264c088f0a5709f84bf4064f5833a2881e2c5cfa8326bfbd9949717154f87094d65cf1ecb87d56f74bcd6e0ca3b3ed032d783caabc8c
-
Filesize
1024KB
MD55540948a89bba0e70636449cd3408bec
SHA187d0ef329827ebdae8e64e6055f53fe8265d0603
SHA25617e67a2a3416be0ca33014c0996058beb22d855f4e1edc5be43b314ccc98015f
SHA512cebb88f6bc6e094fbf3c73f837030a68e0c0016288e1c4a9831fcdf1e8434a8b3f1406e520659989b8c6693946f5d2cd0d728b9606c7a35d54f4bcc2bc5cc8ef
-
Filesize
1024KB
MD5647d72dba057622495b2c8c8e37a1c86
SHA1776fb6ac9f49491244478ce501bc2217003d7e8e
SHA256e10c55ceff4641676673b28e7cbc4c90a06f982ea41cbfbd39f1a6ed425ba1c3
SHA5121fb76cc8345dd6c76f4af61b33449dff321395f016894b0b963bc317c3e1ffb57def8255ee43a997c5a08b3b91de69a7a93e3565ee1c496cd69ff6aacc21598f
-
Filesize
229B
MD5c0a4e3f21841c773d4d3f4059d6ab773
SHA1516db7254fcef3a1e88524b1adab1291de34c82c
SHA256dedfc0f9757a7bf64d028e55b907108b6c50246ee590fcd47cddb5bede014e9d
SHA512df6dd9832219dc2aace481d0f5da40a94efaff6d8d1281dc408dd5f9883155c0bdf75e394c53a4cf8f3d36a9f06eb2078a27470d06d9904a3f0823960a0da450
-
Filesize
38KB
MD5a8eeb3e1eab694283a04dffea752135a
SHA1f147ee6470de604bf39f2a68864d1e0a11ac6db8
SHA256562aa6d3eba5979e6e1fa1fc3170660b8ced2f572d7e51e805754bfb268abade
SHA5120930fad83ba225d43e090a6e2f055b548398d837d0966fedf67a84a63fcb1786b987e5f24f03b172db7be76ec22121695f738851f39479cb15fc41fa5415d2fe
-
Filesize
3KB
MD57ee4a237b8dd4ccfe6a76bb92a106678
SHA1d88749b9f0fd5e9f83ce9c274b30f640149e5a3e
SHA256990fe535600831d7a141a072ba8dc97c0d69ac7d4e737e0ddf1e39ca9762231e
SHA512f063dc33190e1ee15973c3e6e3879f12137c2ff47057b6efae352573d90549b7ab8ecd322126efe536a2774bbc244e44e115e83a40a5a84616688d09376181a6
-
Filesize
2KB
MD56b4fc72dab049a1263c77c3d371faa34
SHA13fd5e9122f702d01b8b5c69bad9080694c5ad617
SHA256984345591e98e9ee005791858fc7df346f7efa8382b130e9adc1b98cd49fe5ba
SHA512b3d5c5d33c00bc5ce9abe7527e44ebaff904f5ddaa7c1c2ae20f6fcc45c41abc2191ab83bdf2713db521cdc8d16c2196585032c9fed802bb7c43877b2d234a16
-
Filesize
2KB
MD5353b8fefb3cb3ce45ef65545d4c0e0b7
SHA149957bbafd8242c382593e62988c61d895774031
SHA256a224602014bb800fe606e7538c5085b54d5ab6a432e6a72d6410c98d6181223b
SHA51208da1ed67e2a1797d718fb86f06c395825b6eb988fde4ca03551749103af078accdd082cead9021491e143f9d47a5ae738834c8a0c9adc145cbc8468d46bd3ee
-
Filesize
2KB
MD5e5e74659e22a7bb1dec04f6288c1e64c
SHA1d72d1dabac0964dc57ffe44911365cb6f152d707
SHA256fcc1830c2c53b17027987038df93cb6b078a816c77d35a88e4fdb84561e609de
SHA51288b6938f4c56a8419f842cc2e93fbc390c9b1db80e2bdbe8ad2beae09cdf2637be95bedd3d94811a0d7c5e30486be99eaf905f4a847f1960dab43232d6834bd5
-
Filesize
2KB
MD5ef5a7addf71d92dec9f9fa269b756714
SHA14c89252ba865c85e6a3730efac11aac3546230d4
SHA2560b1b7d89db2173e7701eba1fe23eb2bf06734c867645d81c0467ab3befdd3fb0
SHA512ed38622397c627b48999bfad3504ded4abca968a46cb37fee77e65e55d9b15f2357585a766c899f8c7363333a04724d3626aee2f19d23528a5a5e4d2233caa0b
-
Filesize
2KB
MD58addb29ae462d011153aab408ae7faca
SHA121ae9f07286d073c3aae0d5447837f2779022171
SHA256ac72aea665fe767ce72b6143b49d790c30f1d217e1ec2e804818a20250b9cdff
SHA51215db7db187828fa2214b7be8e8d91977e8daf6c4ed7e000ccc97f4d4e1f0edbb503e619894300bf84648615c06646ecb9db8f40405f779b5695709b464fa6a9e
-
Filesize
10KB
MD520a7a3190ba65037eb14b891d70362fd
SHA198042607c4e750bb77aad7f50352b1d61eb4c907
SHA25651a577923cb5a897dd6dd781d8fe790f7b581155ec6348049b9424dbf1201403
SHA5128ef8ddc1ac0d47ba700ecd03cf3585a01d2ea84f5751e3440e984fc4921c67128fcf37ee19183013e98e37ad799f7c3e77a1c600449222e2d37e1474123f2672
-
Filesize
12KB
MD59ef2aeff519f4fb5883f90e82d9084b7
SHA1fcbde09456b74dc9a8a5d9284b8f0b2f99eea254
SHA2563f72eee5222c5899a59a7787b29c0a01885008ef36de1b856abe398874ae2369
SHA512e76bddd522ee07f1d6745ededbadbfe43b6158872c352b4fa70739166d86c2003a77f2fb057be3f13ed374b9509c294181b191264fcf214a3fdcad418b0579f7
-
Filesize
13KB
MD5da972bcbbcfe05d715f58724fd30e54e
SHA15918d43913abfcd2ca3c23164980607a19cc33e6
SHA2561c0feaa9c267a2cbbfab1523fb3bd87a6a7fddf020c8d2dd4e9808d4f04f5a64
SHA512bae64c823b07bbe0d472ada28e0fda6f519b9555ed846edde21536fb677511b9e72cf5f570f740fc519e916b68602cac15171bb23d39ece7b4f171cad0c7a1dd
-
Filesize
5KB
MD5e7e0a17e0e07b599f28ea70900e3fdf5
SHA14542ac47749f6e4830dbae46d428ad7b2ce274d1
SHA256f92c308499c8c3165b858ece5208bba2687c47957c44c19f37685fd4dbcc6cec
SHA5124b05d1b11c1419639a252a861009035ef25ed8d91e1c162d0025d953ecaa7fda4585a03ac69f86bf3752687fe689862fa339c6af6e884886e31ced75f216c966
-
Filesize
10KB
MD532a03ce8574242f0c4557921a30aefe6
SHA105d7655ee1ba38622abd97a6794b655a994e3ee9
SHA2560348bf6b2f11111af3d2a22d0e3245c8f0c9d07ac86f94bbf6f279271a505957
SHA51218bdb81bdae89b287dc4a60d61ff6068d9e01386102ae2491ce742368a7726a25f0eafb2975dd460dad1a756d61e69dccc83ce7f894ce338a327a4c0cb65b3e0
-
Filesize
13KB
MD57f8a6879b409931c16bc677875e1b14a
SHA1599500d1355669c5e48a053471a5b2ea725f48c2
SHA256477477b1e3bbac582f7e7cfa76ca8aa150bdc3cbb0383db674ec6530cebd9c00
SHA51222e47ef7bbbaff54645adfd357762a7770c45bd851106e438a72d66d3bbd6322be6116bb0224cb7c0ce40d063955ba078828d48c0083487ef5d2328cbf7699b2
-
Filesize
12KB
MD5a1ec5163cd7c4b61bb9a0c009ec3acbc
SHA15d9d25eb0c983960497268af455e0433eca470d2
SHA25611b9449031c88df272b94b85929959d7af1b83ec1326a2a2bddd0e85c3aaaa72
SHA5121133b6e2647bb6c2a50c5a7e192cc7252f9a22d46294c4e887569b18a48205bbebee0c56c3b30bcecb222972165421aef0cd2bb1aecc305082ea4dac96e12db5
-
Filesize
13KB
MD564268e5a7f4ce7192dd0962533386e31
SHA183cb1d3fd4973782519f43668d6085c6b6b7662e
SHA2569a6cabc45696aaee99cfbb536e8f91fb4c1ab2ff3072390736fcd728513a5ef1
SHA512f44c56816cf46c8d0a1f46f4577b574af205852e767bb3542bb093c280a18616b06217d53df5dbbd3a1d404537518dfaf1444349a3b8cbe16d171c397fcbe06c
-
Filesize
13KB
MD557267839972f5a4c4c4fbad3e2a27320
SHA152d5c44e3202ed08243b0188996f3bbf9204e061
SHA256e3725eabd5d4e8dca558390ff256ab3ba619ddbbf46e96478a6542de49423f53
SHA512370713e34dedf2a73651a0efda24901644fa23146e039925a4581d247d019afe6cc3d28a0cde063d5049c4fee95e2869389e5979e0d38553ef3df677448b44fd
-
Filesize
13KB
MD503e79ace128008fac6e1c8f39506feab
SHA14deef2457922f664fa8a448814ca93caf615c31a
SHA256a3e89aae8b60f279d2635094cb60dc66f1aa5741ffe6b61d1765460266acd232
SHA512dcddca4e4735cf7565e9de681dcd97a7988a1584380125f080e480bf24708ce1eb342a77fccd8903ab67cedd13fe59fcef52ece810330f2d36211ee8a5520e9a
-
Filesize
2KB
MD55bd511d4140e4a8f80af1d1f04aadb5e
SHA17ff942a95496edcbf200c7c16f023941696d5cc9
SHA25617061ed0c8e39dc279e1c233981a99eabd6ddfa0082af879185a9721b015c24a
SHA512b2b685555e5538c675590cb936b6db0a53e6a50f43c25d08bfe6564d216828216c743ad513670b672f5a322d0c1163e6efd94474df50c8d853914c65715c26c4
-
Filesize
2KB
MD532f977003295e44982bd699fa34b2f3e
SHA19a18a61af49540644fa35ade8848b1608aea9912
SHA2560c02677171f19ef8da3421d24fdca58dbf67636f9dd977d71043f5f6d811e23a
SHA51231d3864bb83be5f634d0f34a4cc538eb101cd3836c9c171ed1a739344bb47396d184b7e1b563b6f89fa33761199efcb8d84c50c8ba79a1745b4660ec40f7fc2b
-
Filesize
2KB
MD5e5921080988b9e4c348cc758bfb9ad89
SHA192d9b543dd8e634a00f6178a3dd42dab4ad865dd
SHA256b72d1649accbcbd9ef62c0ee22b3b6724c58d9089ada0f0803bcfaace295b4fe
SHA512fd62a7f4962b29991eb7cfd7c630dc87c13c1f72dbedb20ed2dbc7b80248208160c2f9d3b5d18ba9f309245d6d1bdd5a73b53c6b3402ea57dfd9e3cb3bb99e4d
-
Filesize
2KB
MD51205b87a51889751c30a5457b6e433d2
SHA1d227251c610cd6c35ef4daa9a37d11621b87fe85
SHA2560b65839dc283f0e9f7287de64024292bb4f0f41db4d77a06173fbef8a6e23baa
SHA512f4c75b23118453c32ffe3c54e91fab9b65faed4998e8dca6aedd8ef9fbf8595b046ea2ba85b9ae933713cc6edd6ea0e28f21845bd17082844c216adf1bf43242
-
Filesize
2KB
MD584caa2728012a6ae51c4ff296c89760f
SHA1fa5627bf65000f29a4c2c20d471d21dad5b93967
SHA256af1d11aee57e512e742e1e0c3af428b4999da8f9a761ffd7891472b62e25f78b
SHA512545782efd9dc93714c03515fd4feb2bcf77153e4bec9ad8241165ce88502264bdf40b1e2c4d1fb0c05487a38c08c49d93a909a314595b924cbaaa5123a105019
-
Filesize
2KB
MD56ff506dcac8efe75ba0a6a20ba4bae6d
SHA11e87665b29f969a75bba85ac7dc7831277e2446d
SHA256eca2712fd2c939a91ac4e2c4f8a2ee9bed7aa1213594651e601a18f5763cfa34
SHA5124476f536aa7d7b5ba49b45b17e7aeaa42a64e1beb6d030fea6ba4e12af08ff2bf32247b2a14f0a5b55d8935ba49bcff7840b8f339cd4ccc0a14727ceb738b6b1
-
Filesize
1KB
MD5dd4b0e1dc9c3e98d865e587d73ceeb75
SHA1390c97d51ec0aef47c4a42545c249130dce86fa0
SHA2562b82f3ee71e2ad81e0fa52e66684ac2ae8c476278075dfe1e1def7ba10030650
SHA512181cf7a94be6c280bbed02f29e39168652ac8593195846ed75611ec50921e77479a60cb2ab7cc88629434c1c49ae37958d93a3fe12b7c0e5e0f007e311a88533
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD546375e8ff48f2bfb44d2950709d2192b
SHA15f8cd9cd56f98911040e064a8c0b9486da95003d
SHA2567a352f960074afd28457769212d142b9bdc820ff739046d3d64c55c4175291b6
SHA512603da4c431a6cf31384fd62c1f712a608fa9086c8c535c006e585c1cdb2704aebf36546c91408cdfbe8cf3b1bf1466832e9339294f65657afef266c29d3a2945
-
Filesize
10KB
MD50f86bbd5825f3dcd2fc08c54011f8b1e
SHA18f6b63f7338b29629905db829690595f7c7fabc0
SHA2560434a89ee555306e3e5b7695b6c55c0882caaf716b1798c6ddf12bc02ed98ab5
SHA512f67d3e686e34474d34d624595c8f20b99f6d53dccf2cae9fd7b05343d72776c5808ce336da0f4169273063b67857a1620da8dd6152574b862dc20428df517c27
-
Filesize
11KB
MD597097c34fc539b1dac160a5be9629068
SHA156a94f108dd759f745c350a71f0d2276d78c24ae
SHA256ad1380ff1bca2d062bb088d505dd1a27335a52f0e804c34a385d963e25f7a8ff
SHA512c39ce65c6dfa54c68086570bd02717507812eba0e27c843a60713c0a05f490991241abb050c4c43ed698c6962a9fc49c1de48e2afd60e4442e443412b3474afc
-
Filesize
2.7MB
MD5e001605fa695282a2d3170d8d9e956c9
SHA14544155daae0335ada1d05a509e43b8c0434ffc8
SHA256003dc05c74dedfb83f73982173d2ed293a84a2af8a7ef8b6e6ff928119859a2e
SHA51211642791791255eea62db5b5058e651329d9b537cc9ffd734702b5bf5207351ecc3bbdb3499acb3dc43e7937da8efd9e23b1e1ccfaa6a077bd747a40926d40d6
-
Filesize
1.0MB
MD57e77ab38910f9c32ffe0f7e8dd201b0d
SHA1b72d7c292b933de597137ce9b8ac79b998d46045
SHA2564b7379a7cf933af65b40aa1d8fc154a61546f8bf5203e86777e43c70c203cd25
SHA5125f72cfc2d83f470bae3358ddb142ae7a3dfd5acea47e2519c969a7a612f10135d1ea78775bdd5be00486568461d74d0abaa854e2b7410a9d021ee0f09a437b03
-
Filesize
165KB
MD542b7d0cdd6a7ce9791b11d69315523dc
SHA18de659e46ea55b5ab3eb32b8216f74fe53f7d0a2
SHA2565b85d64218283c933ca9afd194d5b8f451a519dcec58369434009d0dbd04e9e1
SHA512f5141adbf226f15128e553088b2625f2cb38a1fbf3cff98dda205e1686ce186537abf5daa7c7148f887ab3bafcf03a9fa487844cad95e77ae38eae5d00af41cf