Resubmissions
17/03/2025, 11:12
250317-naszaa1qt4 4
17/03/2025, 11:05
250317-m62evs1pw2 10
17/03/2025, 11:00
250317-m3yvka1ny6 8
Analysis
-
max time kernel
323s -
max time network
324s -
platform
windows11-21h2_x64 -
resource
win11-20250314-en -
resource tags
arch:x64, arch:x86, image:win11-20250314-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
17/03/2025, 11:05
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo
Resource
win11-20250314-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Extracted
darkcomet
Guest1111
193.242.166.48:1605
DC_MUTEX-2QRLPN3
-
InstallPath
Windupdt\winupdate.exe
-
gencode
Rb5l52XcV9no
-
install
true
-
offline_keylogger
false
-
password
313131
-
persistence
true
-
reg_key
winupdater
Extracted
crimsonrat
185.136.161.124
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Extracted
remcos
1.7 Pro
Host
nickman12-46565.portmap.io:46565
nickman12-46565.portmap.io:1735
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
Userdata.exe
-
copy_folder
Userdata
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%WinDir%\System32
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%WinDir%\System32
-
mouse_option
false
-
mutex
remcos_vcexssuhap
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
CrimsonRAT main payload 1 IoCs
resource: behavioral1/files/0x001900000002b527-1568.dat (yara_rule: family_crimsonrat) -
CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.
-
Crimsonrat family
-
Darkcomet family
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: Blackkomet.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: winupdate.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: winupdate.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: winupdate.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: winupdate.exe)
-
Modiloader family
-
Remcos family
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
resource: behavioral1/memory/2700-2460-0x0000000005550000-0x0000000005578000-memory.dmp (yara_rule: rezer0) -
RevengeRat Executable 1 IoCs
resource: behavioral1/files/0x001a00000002b51b-30477.dat (yara_rule: revengerat) -
Contacts a large number (1133) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 4 IoCs
PIDs: 2900 netsh.exe, 7144 netsh.exe, 6704 netsh.exe, 36704 NetSh.exe -
Sets file to hidden 1 TTPs 50 IoCs
Modifies file attributes so that the file is not shown in Explorer and similar tools.
PIDs (all attrib.exe): 35852, 35868, 5816, 5352, 5072, 6640, 2868, 42508, 5108, 1808, 648, 3204, 2884, 4116, 3876, 2788, 6936, 2168, 6688, 6344, 34936, 4676, 6892, 1580, 6736, 4276, 5628, 5712, 3780, 3584, 1108, 2376, 6392, 6496, 2548, 4124, 6908, 4824, 1064, 6572, 1020, 5276, 6984, 6480, 12932, 1936, 5524, 34944, 35680, 35708 -
Executes dropped EXE 6 IoCs
PIDs: 3004 msload.exe, 2644 msload.exe, 4832 winupdate.exe, 5440 winupdate.exe, 3576 winupdate.exe, 656 winupdate.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 23 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\APPXPROVISIONING = "C:\\WINDOWS\\APPXPROVISIONING.EXE" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: winupdate.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEVICEPAIRINGWIZARD = "C:\\WINDOWS\\DEVICEPAIRINGWIZARD.EXE" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MPREXE = "C:\\WINDOWS\\MPREXE.EXE" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\LoadManager = "c:\\windows\\system\\msload.exe" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsrv = "c:\\windows\\system\\winsrv.exe" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\LoadManager = "c:\\windows\\system\\msload.exe" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\DMCMNUTILS = "C:\\WINDOWS\\DMCMNUTILS.EXE" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\DMCMNUTILS = "C:\\WINDOWS\\DMCMNUTILS.EXE" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ACXTRNAL = "C:\\WINDOWS\\ACXTRNAL.EXE" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\D3D9 = "C:\\WINDOWS\\D3D9.EXE" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEVICEPAIRINGWIZARD = "C:\\WINDOWS\\DEVICEPAIRINGWIZARD.EXE" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scr = "c:\\windows\\system\\scr.scr" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsrv = "c:\\windows\\system\\winsrv.exe" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ACXTRNAL = "C:\\WINDOWS\\ACXTRNAL.EXE" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\APPXPROVISIONING = "C:\\WINDOWS\\APPXPROVISIONING.EXE" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: Blackkomet.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: winupdate.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\D3D10_1 = "C:\\WINDOWS\\D3D10_1.EXE" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scr = "c:\\windows\\system\\scr.scr" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MPREXE = "C:\\WINDOWS\\MPREXE.EXE" (process: Opaserv.l.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: winupdate.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" (process: winupdate.exe)
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by ChilledWindows.exe: \??\K:, \??\L:, \??\U:, \??\V:, \??\Z:, \??\E:, \??\G:, \??\M:, \??\O:, \??\P:, \??\Q:, \??\S:, \??\B:, \??\J:, \??\T:, \??\I:, \??\N:, \??\R:, \??\W:, \??\X:, \??\Y:, \??\A:, \??\H: -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow 288: 0.tcp.ngrok.io; flow 314: drive.google.com; flow 364: drive.google.com; flow 461: 0.tcp.ngrok.io -
Drops file in System32 directory 21 IoCs
File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: winupdate.exe)
File created C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: winupdate.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: winupdate.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: attrib.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: winupdate.exe)
File created C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: winupdate.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt\ (process: winupdate.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: winupdate.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt (process: attrib.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt\ (process: winupdate.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt (process: attrib.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: attrib.exe)
File created C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: winupdate.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: Blackkomet.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt\ (process: Blackkomet.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt (process: attrib.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt\ (process: winupdate.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt\ (process: winupdate.exe)
File created C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: Blackkomet.exe)
File created C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: winupdate.exe)
File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe (process: attrib.exe)
-
Drops file in Windows directory 40 IoCs
File created \??\c:\windows\system\scr.scr (process: Opaserv.l.exe)
File opened for modification \??\c:\windows\system\msload.exe (process: Opaserv.l.exe)
File opened for modification C:\WINDOWS\D3D9.EXE (process: Opaserv.l.exe)
File created C:\WINDOWS\DMCMNUTILS.EXE (process: Opaserv.l.exe)
File opened for modification C:\WINDOWS\DMCMNUTILS.EXE (process: Opaserv.l.exe)
File opened for modification \??\c:\windows\system\winsrv.exe (process: msload.exe)
File opened for modification C:\WINDOWS\MPREXE.EXE (process: Opaserv.l.exe)
File opened for modification C:\WINDOWS\D3D10_1.EXE (process: Opaserv.l.exe)
File created C:\WINDOWS\D3D10_1.EXE (process: Opaserv.l.exe)
File opened for modification C:\WINDOWS\MPREXE.EXE (process: Opaserv.l.exe)
File opened for modification \??\c:\windows\system\winsrv.exe (process: Opaserv.l.exe)
File opened for modification \??\c:\windows\MPREXE.EXE (process: Opaserv.l.exe)
File opened for modification C:\WINDOWS\DEVICEPAIRINGWIZARD.EXE (process: Opaserv.l.exe)
File opened for modification C:\Windows\MSBIND.DLL (process: Opaserv.l.exe)
File opened for modification \??\c:\windows\system\msload.exe (process: Opaserv.l.exe)
File opened for modification \??\c:\windows\system\scr.scr (process: Opaserv.l.exe)
File created C:\WINDOWS\D3D9.EXE (process: Opaserv.l.exe)
File created C:\WINDOWS\APPXPROVISIONING.EXE (process: Opaserv.l.exe)
File opened for modification \??\c:\windows\MPREXE.EXE (process: msload.exe)
File opened for modification \??\c:\windows\system\scr.scr (process: Opaserv.l.exe)
File opened for modification C:\WINDOWS\DEVICEPAIRINGWIZARD.EXE (process: Opaserv.l.exe)
File opened for modification C:\WINDOWS\ACXTRNAL.EXE (process: Opaserv.l.exe)
File opened for modification \??\c:\windows\system\scr.scr (process: msload.exe)
File opened for modification \??\c:\windows\system\msload.exe (process: msload.exe)
File opened for modification C:\Windows\SystemTemp (process: msedge.exe)
File created \??\c:\windows\system\winsrv.exe (process: Opaserv.l.exe)
File opened for modification C:\WINDOWS\ACXTRNAL.EXE (process: Opaserv.l.exe)
File opened for modification \??\c:\windows\system\msload.exe (process: msload.exe)
File opened for modification \??\c:\windows\system\winsrv.exe (process: msload.exe)
File opened for modification \??\c:\windows\MPREXE.EXE (process: Opaserv.l.exe)
File created C:\WINDOWS\DEVICEPAIRINGWIZARD.EXE (process: Opaserv.l.exe)
File opened for modification \??\c:\windows\MPREXE.EXE (process: msload.exe)
File opened for modification \??\c:\windows\system\scr.scr (process: msload.exe)
File created C:\WINDOWS\MPREXE.EXE (process: Opaserv.l.exe)
File opened for modification C:\WINDOWS\DMCMNUTILS.EXE (process: Opaserv.l.exe)
File created C:\WINDOWS\ACXTRNAL.EXE (process: Opaserv.l.exe)
File opened for modification C:\WINDOWS\APPXPROVISIONING.EXE (process: Opaserv.l.exe)
File opened for modification \??\c:\windows\system\winsrv.exe (process: Opaserv.l.exe)
File created \??\c:\windows\system\msload.exe (process: Opaserv.l.exe)
File opened for modification C:\WINDOWS\APPXPROVISIONING.EXE (process: Opaserv.l.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
PID: 3020 PING.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
-
Interacts with shadow copies 3 TTPs 5 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
PIDs: 36292 vssadmin.exe, 36380 vssadmin.exe, 36212 vssadmin.exe, 33772 vssadmin.exe, 36316 vssadmin.exe -
Modifies data under HKEY_USERS 2 IoCs
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (process: msedge.exe)
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133866831385658437" (process: msedge.exe)
-
Modifies registry class 7 IoCs
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: winupdate.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: msedge.exe)
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1678082226-3994841222-899489560-1000\{D7AD121A-A97C-4616-9AA2-9F482544006D} (process: msedge.exe)
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1678082226-3994841222-899489560-1000\{33AD5682-6A8A-4148-996F-251AC9E41C6D} (process: ChilledWindows.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: Blackkomet.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: winupdate.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: winupdate.exe)
-
Modifies registry key 1 TTPs 2 IoCs
PIDs: 5980 reg.exe, 5100 reg.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
PID: 3020 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PIDs: 788 schtasks.exe, 2056 schtasks.exe, 21080 schtasks.exe, 33432 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
5520 ChilledWindows.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
2404 AUDIODG.EXE: 33, SeIncBasePriorityPrivilege
5520 ChilledWindows.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
6028 Opaserv.l.exe: SeDebugPrivilege
2044 Opaserv.l.exe: SeDebugPrivilege
3004 msload.exe: SeDebugPrivilege, SeShutdownPrivilege
2644 msload.exe: SeDebugPrivilege, SeShutdownPrivilege
2608 Blackkomet.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
4832 winupdate.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
5440 winupdate.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 50 IoCs
pid Process 5524 attrib.exe 6908 attrib.exe 6984 attrib.exe 6480 attrib.exe 35708 attrib.exe 6736 attrib.exe 1808 attrib.exe 648 attrib.exe 5072 attrib.exe 6892 attrib.exe 1020 attrib.exe 5712 attrib.exe 42508 attrib.exe 5816 attrib.exe 2788 attrib.exe 3584 attrib.exe 2168 attrib.exe 3876 attrib.exe 1580 attrib.exe 1936 attrib.exe 4276 attrib.exe 3780 attrib.exe 12932 attrib.exe 34944 attrib.exe 35868 attrib.exe 4824 attrib.exe 4676 attrib.exe 3204 attrib.exe 6392 attrib.exe 6496 attrib.exe 2548 attrib.exe 2868 attrib.exe 5108 attrib.exe 1108 attrib.exe 5352 attrib.exe 2376 attrib.exe 6572 attrib.exe 5276 attrib.exe 35852 attrib.exe 1064 attrib.exe 6688 attrib.exe 6640 attrib.exe 5628 attrib.exe 35680 attrib.exe 2884 attrib.exe 4124 attrib.exe 6344 attrib.exe 34936 attrib.exe 4116 attrib.exe 6936 attrib.exe
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  1⤵ PID:4592
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x268,0x7ff9907bf208,0x7ff9907bf214,0x7ff9907bf220
    2⤵ PID:3408
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1804,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:11
    2⤵ PID:4512
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2172,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=2168 /prefetch:2
    2⤵ PID:4908
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2484,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=2636 /prefetch:13
    2⤵ PID:4972
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3460,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
    2⤵ PID:2380
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3384,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
    2⤵ PID:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5140,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:14
    2⤵ PID:4028
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4656,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:14
    2⤵ PID:4560
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5524,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:14
    2⤵ PID:1952
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5680,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:14
    2⤵ PID:2940
    C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
      cookie_exporter.exe --cookie-json=1144
      3⤵ PID:6124
  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5560,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:14
    2⤵ PID:1508
  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5560,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:14
    2⤵ PID:1572
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6248,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=6260 /prefetch:14
    2⤵ PID:6072
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6264,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=6292 /prefetch:1
    2⤵ PID:2396
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3684,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=6504 /prefetch:14
    2⤵ PID:5836
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6832,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:14
    2⤵ PID:3424
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3676,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:14
    2⤵ PID:2912
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=2716,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:1
    2⤵ PID:412
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6740,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:1
    2⤵ PID:536
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6936,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=4840 /prefetch:14
    2⤵ PID:5436
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6904,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:14
    2⤵ PID:3040
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=7384,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=7436 /prefetch:1
    2⤵ PID:5900
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=5004,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=3728 /prefetch:1
    2⤵ PID:3340
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=7764,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=7780 /prefetch:1
    2⤵ PID:2104
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=7076,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:1
    2⤵ PID:2836
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=2492,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:1
    2⤵ PID:5660
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=7712,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=7416 /prefetch:1
    2⤵ PID:3908
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5944,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=7272 /prefetch:14
    2⤵ PID:2180
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=6108,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=1240 /prefetch:1
    2⤵ PID:5800
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7752,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=7796 /prefetch:14
    2⤵ PID:3060
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2608,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:10
    2⤵ PID:4728
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4816,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5840 /prefetch:14
    2⤵ PID:5468
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  1⤵ PID:5440
C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  1⤵ PID:5644
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CrazyNCS.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CrazyNCS.exe"
  1⤵ PID:5220
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  1⤵ PID:5520
C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C4
  - Suspicious use of AdjustPrivilegeToken
  1⤵ PID:2404
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe"
  1⤵ PID:5280
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe"
  1⤵ PID:484
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  1⤵ PID:6028
  C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    2⤵ PID:5412
    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      - System Location Discovery: System Language Discovery
      3⤵ PID:5528
  C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    - System Location Discovery: System Language Discovery
    2⤵ PID:5256
    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      - System Location Discovery: System Language Discovery
      3⤵ PID:2424
  C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    - System Location Discovery: System Language Discovery
    2⤵ PID:5348
    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      - System Location Discovery: System Language Discovery
      3⤵ PID:4052
  C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    - System Location Discovery: System Language Discovery
    2⤵ PID:1416
    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      - System Location Discovery: System Language Discovery
      3⤵ PID:644
  C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    - System Location Discovery: System Language Discovery
    2⤵ PID:5712
    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      - System Location Discovery: System Language Discovery
      3⤵ PID:5108
  C:\WINDOWS\system\msload.exe
    C:\WINDOWS\system\msload.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    2⤵ PID:2644
    C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      - System Location Discovery: System Language Discovery
      3⤵ PID:3144
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP NAVAPSVC
        - System Location Discovery: System Language Discovery
        4⤵ PID:5012
    C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      - System Location Discovery: System Language Discovery
      3⤵ PID:2084
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP PERSFW
        - System Location Discovery: System Language Discovery
        4⤵ PID:4640
    C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      3⤵ PID:5920
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP AVPCC
        4⤵ PID:2012
    C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      3⤵ PID:1428
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP MCSHIELD
        4⤵ PID:4996
    C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      3⤵ PID:3676
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        - System Location Discovery: System Language Discovery
        4⤵ PID:2356
    C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      - System Location Discovery: System Language Discovery
      3⤵ PID:3428
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP NAVAPSVC
        - System Location Discovery: System Language Discovery
        4⤵ PID:2008
    C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      3⤵ PID:2868
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP PERSFW
        - System Location Discovery: System Language Discovery
        4⤵ PID:1192
    C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      3⤵ PID:4792
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP AVPCC
        4⤵ PID:5648
    C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      - System Location Discovery: System Language Discovery
      3⤵ PID:2920
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP MCSHIELD
        4⤵ PID:4340
    C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      - System Location Discovery: System Language Discovery
      3⤵ PID:656
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        - System Location Discovery: System Language Discovery
        4⤵ PID:1588
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  1⤵ PID:2044
  C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    - System Location Discovery: System Language Discovery
    2⤵ PID:5792
    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      - System Location Discovery: System Language Discovery
      3⤵ PID:3392
  C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    - System Location Discovery: System Language Discovery
    2⤵ PID:3468
    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      - System Location Discovery: System Language Discovery
      3⤵ PID:1068
  C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    2⤵ PID:3472
    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      3⤵ PID:3840
  C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    - System Location Discovery: System Language Discovery
    2⤵ PID:756
    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      - System Location Discovery: System Language Discovery
      3⤵ PID:3428
  C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    - System Location Discovery: System Language Discovery
    2⤵ PID:632
    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      3⤵ PID:2940
  C:\WINDOWS\system\msload.exe
    C:\WINDOWS\system\msload.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    2⤵ PID:3004
    C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      - System Location Discovery: System Language Discovery
      3⤵ PID:5584
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP NAVAPSVC
        - System Location Discovery: System Language Discovery
        4⤵ PID:2748
    C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      - System Location Discovery: System Language Discovery
      3⤵ PID:2220
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP PERSFW
        - System Location Discovery: System Language Discovery
        4⤵ PID:1972
    C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      3⤵ PID:2092
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP AVPCC
        - System Location Discovery: System Language Discovery
        4⤵ PID:4596
    C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      - System Location Discovery: System Language Discovery
      3⤵ PID:5276
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP MCSHIELD
        - System Location Discovery: System Language Discovery
        4⤵ PID:3880
    C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      - System Location Discovery: System Language Discovery
      3⤵ PID:3804
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        - System Location Discovery: System Language Discovery
        4⤵ PID:4352
    C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      - System Location Discovery: System Language Discovery
      3⤵ PID:2508
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP NAVAPSVC
        - System Location Discovery: System Language Discovery
        4⤵ PID:3708
    C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      3⤵ PID:1564
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP PERSFW
        4⤵ PID:2892
    C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      3⤵ PID:2664
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP AVPCC
        - System Location Discovery: System Language Discovery
        4⤵ PID:2708
    C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      - System Location Discovery: System Language Discovery
      3⤵ PID:3684
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP MCSHIELD
        4⤵ PID:3888
    C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      3⤵ PID:3812
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        - System Location Discovery: System Language Discovery
        4⤵ PID:868
    C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      - System Location Discovery: System Language Discovery
      3⤵ PID:3784
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP NAVAPSVC
        4⤵ PID:2080
    C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      - System Location Discovery: System Language Discovery
      3⤵ PID:1492
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP PERSFW
        4⤵ PID:2036
    C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      - System Location Discovery: System Language Discovery
      3⤵ PID:4476
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP AVPCC
        - System Location Discovery: System Language Discovery
        4⤵ PID:3928
    C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      - System Location Discovery: System Language Discovery
      3⤵ PID:1032
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP MCSHIELD
        - System Location Discovery: System Language Discovery
        4⤵ PID:1592
    C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      - System Location Discovery: System Language Discovery
      3⤵ PID:4124
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        - System Location Discovery: System Language Discovery
        4⤵ PID:1028
    C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      - System Location Discovery: System Language Discovery
      3⤵ PID:1128
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP NAVAPSVC
        - System Location Discovery: System Language Discovery
        4⤵ PID:1620
    C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      3⤵ PID:1760
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP PERSFW
        4⤵ PID:3804
    C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      - System Location Discovery: System Language Discovery
      3⤵ PID:5288
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP AVPCC
        4⤵ PID:4976
    C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      - System Location Discovery: System Language Discovery
      3⤵ PID:4560
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP MCSHIELD
        - System Location Discovery: System Language Discovery
        4⤵ PID:5956
    C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      3⤵ PID:5896
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        4⤵ PID:1296
    C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      3⤵ PID:5336
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP NAVAPSVC
        4⤵ PID:4748
    C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      3⤵ PID:232
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP PERSFW
        4⤵ PID:2440
    C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      3⤵ PID:560
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP AVPCC
        4⤵ PID:5712
    C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      3⤵ PID:464
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP MCSHIELD
        4⤵ PID:5540
    C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      3⤵ PID:900
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        4⤵ PID:3904
    C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      3⤵ PID:6300
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP NAVAPSVC
        4⤵ PID:340
    C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      3⤵ PID:6408
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP PERSFW
        4⤵ PID:3840
    C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      3⤵ PID:6624
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP AVPCC
        4⤵ PID:2412
    C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      3⤵ PID:6700
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP MCSHIELD
        4⤵ PID:2744
    C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      3⤵ PID:6720
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        4⤵ PID:3388
    C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      3⤵ PID:740
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP NAVAPSVC
        4⤵ PID:6448
    C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      3⤵ PID:6188
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP PERSFW
        4⤵ PID:6412
    C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      3⤵ PID:6212
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP AVPCC
        4⤵ PID:6520
    C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      3⤵ PID:6236
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP MCSHIELD
        4⤵ PID:6376
    C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      3⤵ PID:6272
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        4⤵ PID:6232
    C:\Windows\SysWOW64\NET.exe
      NET STOP NAVAPSVC
      3⤵ PID:4340
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP NAVAPSVC
        4⤵ PID:2840
    C:\Windows\SysWOW64\NET.exe
      NET STOP PERSFW
      3⤵ PID:3388
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP PERSFW
        4⤵ PID:656
    C:\Windows\SysWOW64\NET.exe
      NET STOP AVPCC
      3⤵ PID:5072
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP AVPCC
        4⤵ PID:3448
    C:\Windows\SysWOW64\NET.exe
      NET STOP MCSHIELD
      3⤵ PID:6664
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP MCSHIELD
        4⤵ PID:1296
    C:\Windows\SysWOW64\NET.exe
      NET STOP SWEEPSRV.SYS
      3⤵ PID:6712
      C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP SWEEPSRV.SYS
        4⤵ PID:3760
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵PID:6900
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵PID:21576
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵PID:8052
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵PID:42496
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵PID:17472
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵PID:26820
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵PID:18604
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵PID:21164
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵PID:28940
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵PID:30480
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵PID:34980
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵PID:34152
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵PID:34992
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵PID:35556
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵PID:35012
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵PID:35572
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵PID:35032
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵PID:35608
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵PID:35052
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵PID:35624
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵PID:35944
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵PID:36776
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵PID:36164
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵PID:37032
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵PID:36148
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵PID:4956
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵PID:36088
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵PID:36976
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵PID:36044
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵PID:36820
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵PID:39024
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵PID:39408
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵PID:39052
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵PID:39392
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵PID:38976
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵PID:39440
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵PID:38948
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵PID:39532
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵PID:38932
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵PID:39504
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP NAVAPSVC3⤵PID:40064
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP NAVAPSVC4⤵PID:40864
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP PERSFW3⤵PID:40280
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP PERSFW4⤵PID:41232
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP AVPCC3⤵PID:40288
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AVPCC4⤵PID:40852
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP MCSHIELD3⤵PID:40296
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP MCSHIELD4⤵PID:41208
-
-
-
C:\Windows\SysWOW64\NET.exeNET STOP SWEEPSRV.SYS3⤵PID:40328
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP SWEEPSRV.SYS4⤵PID:41192
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe"1⤵PID:2720
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2608 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h2⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5816
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT" +s +h2⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4824
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4832 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h3⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1808
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4676
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5440 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2788
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:648
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3576 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3204
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3584
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:656 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5352
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1108
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"6⤵PID:3472
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5072
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1064
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"7⤵PID:1296
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2884
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4116
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"8⤵PID:3008
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6892
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h9⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6936
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"9⤵PID:7144
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2376
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h10⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2168
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"10⤵PID:1592
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h11⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6392
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h11⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6572
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"11⤵PID:6340
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6688
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3876
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"12⤵PID:868
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h13⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5108
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h13⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1580
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"13⤵PID:5944
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h14⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6496
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h14⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6736
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"14⤵PID:6460
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h15⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6640
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h15⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1020
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"15⤵PID:4992
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h16⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2548
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h16⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5276
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"16⤵PID:4084
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h17⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1936
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h17⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4276
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"17⤵PID:1952
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h18⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5524
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h18⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4124
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"18⤵PID:4120
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h19⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5628
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h19⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2868
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"19⤵PID:5688
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6344
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6908
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"20⤵PID:6248
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h21⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5712
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h21⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3780
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"21⤵PID:6188
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h22⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6480
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h22⤵
- Sets file to hidden
- Views/modifies file attributes
PID:6984
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"22⤵PID:21020
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h23⤵
- Sets file to hidden
- Views/modifies file attributes
PID:12932
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h23⤵
- Sets file to hidden
- Views/modifies file attributes
PID:42508
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"23⤵PID:34772
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h24⤵
- Sets file to hidden
- Views/modifies file attributes
PID:34944
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h24⤵
- Sets file to hidden
- Views/modifies file attributes
PID:34936
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"24⤵PID:23224
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h25⤵
- Sets file to hidden
- Views/modifies file attributes
PID:35680
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h25⤵
- Sets file to hidden
- Views/modifies file attributes
PID:35708
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"25⤵PID:2848
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h26⤵
- Sets file to hidden
- Views/modifies file attributes
PID:35852
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h26⤵
- Sets file to hidden
- Views/modifies file attributes
PID:35868
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"26⤵PID:37280
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"27⤵PID:38628
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"28⤵PID:38384
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"29⤵PID:38872
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"30⤵PID:39968
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"31⤵PID:40128
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"32⤵PID:40892
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe21⤵PID:5100
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"1⤵PID:5732
-
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"2⤵PID:5216
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"1⤵PID:1656
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"2⤵PID:3396
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe"1⤵PID:6852
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe" "NJRat.exe" ENABLE2⤵
- Modifies Windows Firewall
PID:2900
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"1⤵PID:3452
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵PID:4792
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
PID:5980
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "2⤵PID:6156
-
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3020
-
-
C:\Windows\SysWOW64\Userdata\Userdata.exe"C:\Windows\SysWOW64\Userdata\Userdata.exe"3⤵PID:3632
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵PID:6320
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- Modifies registry key
PID:5100
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵PID:6368
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"1⤵PID:6496
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵PID:6772
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵PID:3444
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\re5pq9pt.cmdline"3⤵PID:6808
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC82E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95739464D94D420EA6DBB9BB6840F9D3.TMP"4⤵PID:33728
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"3⤵PID:33584
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵PID:33996
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵PID:34332
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yyadnul_.cmdline"5⤵PID:15268
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hq96bgul.cmdline"5⤵PID:40192
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D309C876F38414C818974BAB7CEE25E.TMP"6⤵PID:40488
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tr2sucnn.cmdline"5⤵PID:41240
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD3405C3195E47E887E02790B67C85A.TMP"6⤵PID:40940
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mld8bicl.cmdline"5⤵PID:41328
-
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat"1⤵PID:432
-
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"2⤵PID:2648
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"1⤵PID:2700
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1411.tmp"2⤵
- Scheduled Task/Job: Scheduled Task
PID:788
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵PID:2344
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"1⤵PID:1444
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1970.tmp"2⤵
- Scheduled Task/Job: Scheduled Task
PID:2056
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵PID:1588
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"1⤵PID:6116
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵PID:1372
-
C:\Windows\system32\mode.commode con cp select=12513⤵PID:30064
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:36212
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵PID:31568
-
C:\Windows\system32\mode.commode con cp select=12513⤵PID:34456
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:33772
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵PID:28772
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵PID:33640
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Cerber5.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Cerber5.exe"1⤵PID:3136
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
PID:7144
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
PID:6704
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"1⤵PID:1052
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵PID:6824
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵PID:6568
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:20772
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3154147355 && exit"3⤵PID:29952
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3154147355 && exit"4⤵
- Scheduled Task/Job: Scheduled Task
PID:21080
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:28:003⤵PID:20808
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:28:004⤵
- Scheduled Task/Job: Scheduled Task
PID:33432
-
-
-
C:\Windows\7C8F.tmp"C:\Windows\7C8F.tmp" \\.\pipe\{28443530-C48C-474F-87B2-D08814C04C47}3⤵PID:21044
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"1⤵PID:7020
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵PID:20564
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"1⤵PID:30024
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:36292
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:36316
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:36380
-
-
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
PID:36704
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:34260
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\95da214eb0d1467281f9c60115609a0f /t 33648 /p 336401⤵PID:27268
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Defense Evasion
- Direct Volume Access (1)
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Impair Defenses (1)
- Disable or Modify System Firewall (1)
- Indicator Removal (2)
- File Deletion (2)
- Modify Registry (3)
Discovery
- Browser Information Discovery (1)
- Network Service Discovery (1)
- Peripheral Device Discovery (1)
- Query Registry (2)
- Remote System Discovery (1)
- System Information Discovery (3)
- System Location Discovery (1)
- System Language Discovery (1)
- System Network Configuration Discovery (1)
- Internet Connection Discovery (1)
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-B2A5D049.[[email protected]].ncov
Filesize 2.9MB
MD5 9aff4f21618c880675fce15b5ba2009e
SHA1 1d449339e326e3210bca82c6d684ededa64eb67b
SHA256 817cf767a682f684159605f758f1bb712f0aa53049ae757331c55f3dd3d00e18
SHA512 77fe01812f183e255a0d3615e475edb371e3ca761162eb4f60d4a8598ea68309430022fdcccabf07558299e55fbb2be1af222bcb96729576647270c3d1a75e9e
-
Filesize 9.1MB
MD5 64261d5f3b07671f15b7f10f2f78da3f
SHA1 d4f978177394024bb4d0e5b6b972a5f72f830181
SHA256 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA512 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a
-
Filesize 56KB
MD5 b635f6f767e485c7e17833411d567712
SHA1 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA256 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af
-
Filesize 507B
MD5 a0c3e1aca0335d2d3a6c16038a5e1feb
SHA1 865132ecfd8bc3781419e10a57ef33686d80f83f
SHA256 68e52b0dae9281848730d457702a3fbe0868a0209d2740c9b5435dcf872d1072
SHA512 6b5dc7bb61bebea323e806e4eeaac8383621c84be7545af744923445dc4545b9395abcd8f7b82f8b30fddc28872e3f47a010a271f588b5dd725cdd1be2ee4ed8
-
Filesize 280B
MD5 19a88bad99bffbae6102e191cfedd75b
SHA1 df476b325df883b73eda1b2349bab45aa22e808d
SHA256 0d576dfbde1712b7288e4561e3eea75ffdad84dc50a77ceb57a6e9c37d60465a
SHA512 9ec5eb487d8c8fc8e283a94bd43afd740edc4df6a4509d83629416d040586bd42330eb0da6dd41ec1e5550bce9a6643319ff8584f8638a9cde9042fa406825fc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 6KB
MD5 d404dfbee988e9ebaccce464678e48d8
SHA1 1609bc90b67f2bb5a55d3b6ba43ea4d02cf5c26a
SHA256 35d9487e5d405d4d3786fdfd51ee68d5d6d94cc6733fc21269dba7275e471f81
SHA512 2064ccd38de22f238c790bcbce980b1aa9d33be49a0dfa57d6352f7de9168e16a7976de0f7e7262ddd4c483123bb9d4ed848ba31b82b06b8fda8c92e1c93fac9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 6KB
MD5 c70d976f4ae975d605648d642cfc155d
SHA1 0d609ddb34b0fb32771596ebf1b131762df1ec54
SHA256 d3f7b8aed2e0805754644b92c67726b7d9868d1e4173ac411cb7e99dfb9b600f
SHA512 b084088baddb2844813eaca54d012045ab9e667e299b1eabb6a225f8dceea69e9978ab94e66eac82333492190b1de86b408d5585d4cc600b5a46b869ef071e4c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5813c2.TMP
Filesize 3KB
MD5 ca33c8c80006fec55fdbbc056db6a7ea
SHA1 e9e5a98a043530a44cec1867baba15423c4d8900
SHA256 e0d9fce17da7fa86c91dc268edf494fedbed3285937c1c3f7aa3d157a4e11351
SHA512 95c990236c628ce50a7402ee11078e5e04e9ac91a3b2eb755d86a0a420d56003cc970d0b2de8d9f4f2bff2c331e11c3da582d6e0f0bee0d0896ee62d9342cec1
-
Filesize 2B
MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize 107KB
MD5 40e2018187b61af5be8caf035fb72882
SHA1 72a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256 b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512 a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\000003.log
Filesize 33KB
MD5 b563c92688a1de9fc95771d756a50fbb
SHA1 6d775b34fd46e572946f895daa28d92a39131869
SHA256 2d8cc738fc97774c0d42b0dd8f1b048073f705174c19021dc00ac74137b9afae
SHA512 cc34db3761fd2603071f8631e80f84e329e3a622bf6b58060a1ab2099d8c6ce08272c0c0e5ea53035748b0d424365f75f6053cccfe5e70aca3ca3ed71e2268a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\LOG.old
Filesize 345B
MD5 fa7859f37818b7b5bc5b79d346a8440b
SHA1 2a8e2f3ef81f14d9933ca60a9a3c4b9ac99bcf3f
SHA256 7fcda60521e3dcd8b8f0c6dfb70e5b4d1569e7903a3262d71e2d16331c53ad43
SHA512 9a0b8099c6cf014ae8f04dd73f44b7bd56560e2480a35336aca5defe72b3c489e782a7d374f3d2c469683312015676ae6671b0ff4ea22e0727a28ec65b94c453
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize 23B
MD5 3fd11ff447c1ee23538dc4d9724427a3
SHA1 1335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA512 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize 5KB
MD5 f1cfffd044b155b2b9cc2f39620212be
SHA1 82517c1d531f3007692130382416899d12c75509
SHA256 6c16d01c5a0b403fdcfd1b31c83fca8a3a26f52f24018c52b9a674be6d840fdc
SHA512 fbdc0bbed24f58ec6782ec66d7bf6834952788f41710d1d763605e90d7eceb7c04ccc0b9e0b07b4ccb6982642d04725ee67b063e3e77c15feb9b62050f87f930
-
Filesize 4KB
MD5 d931fd1cb67daff1b05cb01d00eb167c
SHA1 68690e8c5561fa9f396a3b1ec3960814a976605e
SHA256 6c088357d26d2ad951d5034c3d35e51656ef1b93330bffb8fc6c778249736413
SHA512 3a74f8a35469e2aa04d59fbb9421405bda823be3db887fa8084a884a8688223b9345a0ffd8e4352504225552754f5db8a66a05381d64e8af69a6cb7d4fefc6a0
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
211B
MD55584ddbee4baa80e36b23173e439f499
SHA100a40cfdc64938933e46a6bc3a5184b403826b35
SHA256ecfc3b0137f985fd9791f6b92b662dddced54c57cff87aaf2fb947f7e05477f0
SHA5120315c2e7e855f1e1d0ecae1aeecf3f283a3bd3685e484e3b72dd77ebecfaed30a8e55bcae72e540c4064be8b97813368fe7287ebb28cf5ee12e99a860e0beb24
-
Filesize
16KB
MD5c26f021a2bf1556c80accd9fbdd96e12
SHA1684946e287e731b25335ff93642d57eac5966d92
SHA2569a3129624056ef90468e6aefd47105b3d391aa5c5749b47aa89b0f658c95c45a
SHA5125f5fcb8a36f5e27f86a8b236ce4ab1666fab3162d153f5c5f971c82aeb61b8d40c8ee1385c75bbb671911f72d466b0fa7c83d0781e1c8b36033650b80d48ad16
-
Filesize
18KB
MD51d80ce65686c0e1ccb0540c763fdcbc5
SHA1232b743387b3e55878c13089defa725d118f0bba
SHA25647c23cae81484cc63ec0c196e72dbb816a65207c4c2cf87e12d40ebc912390f3
SHA51281018fa1e65339dc1242c2aff157c9cc4acbb8411a970292475887d0aef4b22817bacb1ba147f839c30df29ac6464093fd7dae51ef74ac787968aa9484159bd5
-
Filesize
19KB
MD5ab76f2f68315b1538599868eba666a3c
SHA137e6b05a28188106a3cd3f8a99c793d5f6181fbc
SHA2563e9256e67dc490653807534600fac43dcc0a54e16f0d23481bea8a3bc215b7ec
SHA512329ec1ca0582701d5afbf0e9b7dc8bb28187b8bca905ae99b5183aab943b50cd434373859870fa7274cb2d59a783c8cc96494492ea5c10df933031787a94ddbd
-
Filesize
37KB
MD5f81020a69350de103e0352384db380f8
SHA18abf6dc80492653c07e3eede30d5b8e3dadfc533
SHA256b910775603103a5bc6150c2728f50cac33cd5a5e069679e8b1e830aa0fcc70e5
SHA51206bffabf3821032dd5509d0c1e829b6cac106563b6d9f14cd78702077c30555b0ad42be23a49472f55c2efb957189485b76ef89ca3dcdc95e1ce712d74060a3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\13bf7cd5-3f0a-4967-869d-004c84656018\170ce29fd1bcbf73_0
Filesize57KB
MD574a59b9e1c718a595ac0c5521949b93e
SHA1d2a0199d99a764968e985f9ebb9bca5c256de775
SHA25600bd8f9938ef372f815ac1fee5428cfd12c382606258ff1ed32395df53b79c0f
SHA512663c2124fbe963fa4fb64bbd17c8f0ac93712f926803bbdddda43b5881bc80085d1548b9e3d970c862175110984f11144ba2f5eeb62b90867270ab22a6c54d62
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\13bf7cd5-3f0a-4967-869d-004c84656018\index-dir\the-real-index
Filesize72B
MD5cc590647fc867b451c10f9fbe494f11e
SHA1acb6a2b7146811cbfdffeaf1e09bf508f7e534f1
SHA2569c24b122f86b037d88203b3d707e2b6314da3b7b1e28caa9a7490ce2557c165c
SHA5125285de01d0c72a50e399608543bb3fa831130ec8431874cb11440fd6f8e3f268b393efb6ef46d92d8e1d4fcc5d2fda1ac3419ccf68cf4c1daec25329f8d013be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\index-dir\the-real-index
Filesize2KB
MD5ca8c2c6b68f9b588dfa42bcc5fca7276
SHA122ea0fad412e4c9cbdce9892d9404785c0e64769
SHA256b3021950c7de1f594f86da2dca240700487f1fd701ee1239ff2fad43ca742ef7
SHA512ae831f3bf386ab9ef2e18a849efc77a5958f014e81f9fcddbaafc3edcf067beaf148edcf5da5b9583eeb4a5072b1287777d7291e149491640ae750b833366a16
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\index-dir\the-real-index
Filesize2KB
MD5885035eda2d505c8b641b81d13312b55
SHA1dee12740f68cfad9727d7e41da6b53a259abc2b4
SHA2561deed47f891ac959b44d347db8a48e8c6d5e9c80d9fcc7cedd4ebc2c0480060e
SHA5125483752af5d3dfc081de54cd513d28507d25bbab4b9b50952b3479df9bfd3b095ac788d8f33f90182530e9acdb40732bb142adceeddbc517eb723c21ce70ff42
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc7ad1e6-2a51-4dc0-9579-f8bf6674ff51\index-dir\the-real-index
Filesize72B
MD5784e347b9fcf818f61e4c4c5ff0eaa91
SHA14d542c35d322e85c75acf02481d8ce9877d5c01f
SHA256295602b18715343936934ce8e950351b248cb7b9be8f9aaa0e257ded33484833
SHA512f4966442bd0c2824bff4c5fdcf6f524c1754092a9bcc6c0c122a0b1a39d250a2b4e88aadcaed497ca8cd57f968818f22ff0f2619df5fd0e8b1fe64555b9b6085
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc7ad1e6-2a51-4dc0-9579-f8bf6674ff51\index-dir\the-real-index~RFe589313.TMP
Filesize72B
MD58f88645bc4cd269aede85ad09fecc7be
SHA10c9533ad6b5809c1df55f88878314ed33decf1af
SHA2560f480c87d15a3f0ef3433628a4a712c658321e07389648ed7be4637fe9cb5c03
SHA5121dac2549ff0e4a3e8ea173463b1d431a447fe3ea7bb12d9b3fde5cc1c33f99b375190622e10b1cf69e3e3a7141ad967546661d7a21e5b73e9e32fb6f20001df3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f36e08ac-138c-4223-aa0c-bbc9e3e734e9\index-dir\the-real-index
Filesize96B
MD5a48d1dcf374f7e3a11b7abcf3fded727
SHA1fa9bae9d89f312ec4915278c00eb3d486c1943d9
SHA2562928f0780079a094afca267fa40906c208f49c6278b170daa35cdd75fcdad939
SHA512cfd902629f33945cf84b223b9b4ef0be143658587a36ed5977ba650e8dbd065ecb74cb1e744641d3df7d3959ba1228e71bbe48a4e2fcf0dc5e73bfc34ca3ae5e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f36e08ac-138c-4223-aa0c-bbc9e3e734e9\index-dir\the-real-index~RFe58b021.TMP
Filesize48B
MD5abd00f99134fabe0f9ed1f8558836f96
SHA1f409de6f76b1fb701576a0fa0701582e61055e14
SHA256464c6d5e101ebfc817c5e113cd8a0334c58b844701ff3175766141f1563556cf
SHA51211f8d6e9f6688110d2ae209d4605c1bc417156b58e500514866a4092327a530a149d10e930289bbb652bd59f83eede94c87f5462e498e770227103da990b9a79
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize327B
MD52da4246210b575fe1be6977da8b5db68
SHA1144892b05b7e23a6747efa397d8437f76615dacb
SHA256c697cf5e177905f4e6cba49cd34baed0e718e243dd1cdf3f2b2b8e5f248dc9ea
SHA512496d0eda892e3ea328c5fc02c3056c9848c4188d0fea49c13cf874c339ff9c14ac707bd77f3c6c3d4af61945370b60bf0bf55a435757d4bed7a87746225ea4d2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize322B
MD52b2858a7cce4286d788e4fd08f5dffab
SHA1848d6e372d853235e7d1df212b1e36e21cfb6303
SHA2568d10a370f577ae59f0da8476127ef778e861188625988aa34fc4d8e596b3b572
SHA512b641b8d8d12b989b238c590406d123a0a744197bfb10f0824418951de9d16f13482a6ac35ac2e3357b90216f98d4f3705fc91e88e58dd356d20753b387f70087
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD581b87549ee3cb76f2fe11a37299844aa
SHA18b14bef38b5341b5c3cf75d9546cbb00605cacaa
SHA256d310207bb328bcf180f5f2b9ca30c3b06262f87b714b535944ca1ccb59ccb610
SHA5120abb6b1b0ab5525fc001f6492d9fc0c6b0c49640c7fd8f5e7436b71bfe3f1379d6ef4b02489b6c9ea227ba10f7f28ebfa67b7d4e46d5b36a060b4cfb52df7567
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a246.TMP
Filesize72B
MD5839b3d56310f6a44d38f931e992eeb80
SHA1a42c449203e7c9392573b7811c37fbdd2c262315
SHA25660a5241a438eff61242a5e6aabfab6a05a2d40122d68b91ce242d442b7a6a637
SHA51243bebcd3755576d55d427677a0bafcbb96f096255ed6ad35815357b488b1f3f1d038004c394bc49ace32b71d2455a52a8208ae8f7e184896869083819dd5ff8d
-
Filesize
22KB
MD59b6626a4d415e1dc2a6a4f8973e59353
SHA1e5e0132ae69951e0b51c422aaae1ee4fba0b22cf
SHA256ed441fabb4f1a486fbffaaed0793be933a94812006ea1fc886934de27d8255fd
SHA512fb16791e9968f2bf187d07b0bc671fb5ebafbedf1a54dc119317a4876a67c1c5749749e153acd526de95aba1af5cb1f093c0c010b52a51c6d042a4876bdab6ba
-
Filesize
462B
MD5d86ad683794d7ebd96f15a4dd8dbef75
SHA1190f1345143985997afd55a560184f332c20ef7f
SHA2564568cf805fa36fa1c85838cc2329d795f01d3b3dbd3962a59ef3e85666ee6577
SHA512fb52360427bd96edaad8ca3e81cdd52865bf14df08d8f11c63eac1dac9fca098f50d153bd2344387c7de3426f92a2fa7b1b634567e5126e161d12610bd23d11f
-
Filesize
55KB
MD538b6aca7115ddeeca2f06ea10c154a0e
SHA1d09881285dd109951047c8799703fdc0283c22e0
SHA256811d1d17fa7b03821947d0f2505ebcea669bb320f2d2d34e7ff0c524a2dbbdd4
SHA512d7238584632c42e64637418b6074ab5a693bc6815df3d6765889375f4dfe629cbdc7fe26c57dd6a50cef2eb198442b31b9d3a124268e3e2eec37fe81c541badb
-
Filesize
40KB
MD51b7f8bdb6453290b9fe38b6634800d9d
SHA1f0c6c9818eb17d21162c793592a2672ac6c72dc2
SHA256e2aec6dadbe323016baf8057968113d29935d293b2ba4fb14b928884ba6912eb
SHA51297e886c2fb947d9118138a434dbb6ebeffaf589ee66f1d135438e85e35f633dbb3778c1b61dc09dcdb090bb6154f92cb07dfbac017c0b97f30c2812c565d4b9f
-
Filesize
49KB
MD5d1fd7b3cba9161739dd2c4b8e22d9842
SHA1a7091880c69700bdc5b862d7899432df56ddd89b
SHA25663d7682dca5ab0ae6e9ba999c0b92d3358d3f6747eb3fd54c5a4e6f6669d31ee
SHA51283e9820ed86a243fb52a647c90986eec52120ec558938038d939166caadd59ae46b1ec928eef4d8979e7d445244e26a3f33588df0845005cd21981302c3e89df
-
Filesize
49KB
MD5f44397a2c5465d6521639c8448a79b90
SHA1befcba499d947ec9d75c5a4b178b4ba4333dffca
SHA256e07d7295f56bd95eb2a15bff7a4f599680fe857d6d6587be20d4b29c1c4c78f6
SHA51258178a7fe6da0ffaf99f360e3b36a82b9f439f42eec839611d961c84e5ed6c5057e8d45e8a8af24ed2ccd7e186ad6dbdb94f2248e004e436f63830a379b99e39
-
Filesize
55KB
MD5d48600f8b47792644d8e6bcbb21988e7
SHA1748c6aa6dec32081172bbd7155a30e3874a96932
SHA2562c95da2f3876e62bf321360f4a50fb3fff1d15963e4170f9aad46772008fcb95
SHA512e3ad0bb8bc4d9db0ffddbdf2161a6ce454a3e2cee8e3df446babe7f7b868ca435f4b425b44c974a8976f7c60e43de14e7f6631686a26a6379040a9f280aa5a2a
-
Filesize
392B
MD5fb049c9f70bfbcbf70ffcf007b954a8a
SHA1f092d4ecaea53f1768eb312d8fa0536bc480b496
SHA256ab76ffec594b6c10288b7d53bdc291049c908a4739df6958838ac5c132013dcb
SHA5129412af89ccc144f9c76ff3e2c157abe645c01da63780c2a7ec3ce2881bff97354e2551b1d8e33a27b1108ec61b329448a5d6c8d6d5d48ee22c9985b31d6d2487
-
Filesize
392B
MD5f1ae41d59d2edbbda2d0423c51fc8ee0
SHA1c1262fa2af057f9645e95852522a73e795656c41
SHA25617c2f477b431ba36b7247fd6c297415d7549a3910e3bc2c27c09dcc04a11f861
SHA5129baa5c8a7f0f984c823483d31dce64d59498d574855f31129b9a293963496c8d92209e8bcfc181d7165624da3b274ef798846b5bc2f87eab41a3f9bdcc23c3ff
-
Filesize
392B
MD5963f1470ee832f193a45b0a5d6827ebb
SHA1804e2fc663f6f42ed089fa6aa5b79b10b118d924
SHA25671fa805ace1fdc0c23f224ac23fa7ab9bae79dfdf2e4c50f2146203e01fa23c5
SHA512b42e95187032285dfd0b8c03f8c0dc6c8c67dcf4b47e95fd8f49b9d5327f32dd03642fc77e1db6be7e82bd1dec1d61c6d2cd4ec76668c32657da7756ee3a0ab5
-
Filesize
392B
MD5514dcc31cffe7dd7e96a3fec48da302d
SHA1418821b1223d8aa1571ec9be1daa1fee05ed63ea
SHA2567fe00291b685a2ef05fdc9745cce14763aab651e8ea8c82cbf981f6c09196d5f
SHA512e694e62ec4c614fe2222b0a6f0f601b93d2be756577bb304d93fd7771b790842379b8225bb58b4d9aff2f7a24cd0bde10428e6caeb14822f5ac161a1f6724164
-
Filesize
640KB
MD5806a71699f2c6e71e7ffbea8f883676d
SHA1c96b46fddef09ad4eeaad51c2ef3c45964451475
SHA2566baf3690642eb580e1fdef84963c25145a66d7292b35c19a0107c533e995e8b1
SHA5124b035012f41b8063b74c491949225803e2aa744a03ad2020bafa6cd9becd4ffb5b895b648299470b253b77ddbd2d90551964943a4961c4761f150c8fadd6df89
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
187B
MD508d2e4a2d9e2c22025fc369cc551ca6c
SHA1fbb518fd33cf1c752f762dc43d904cacad3aec00
SHA2560e7dc72dce87f7448c7e65dfdae1ffebec653e4f066807a94993feb1039787bb
SHA51292993473f027749718df243d6ac9480c1607cf908b3b01fc7dd92bd6afe4b8f3b0ae17c79fc75ed79c52cf79fc5f7bdc1814a4d132fd80202d80ba6539577686
-
Filesize
91B
MD5f169d4314eac558c126347c9c306a220
SHA103ac751a07b7347541dac5e0f254769aadbde0e4
SHA256ccfec9a3c2f862abed746e5c40f37985053b1ebed048ad0452eaab6143b93969
SHA5122ff8ce927e41fea9de98f7fc91e2d641f6342ffe3f154258c8d9b005fa09d094cff6587def01bee1cbb43b9191db067c3174c23c5916cb422c478c9ba537fecb
-
Filesize
1KB
MD5071e6d059bcf44ea0400c3aba41a0170
SHA1073e88139d49975f6596733b50f71aae28e3e996
SHA256786225aa9671d4526dcb073daa4cc16eaf974f6284b1e5ca3f0e195c89f6cd4f
SHA5125033302df0d75dd0cf86ab16896bd7e2ce39a1d41312053db40da63bad86a559e577023581aea65644fd46d783d9aa6b2c9640b36521dff9898697dda414e775
-
Filesize
91B
MD5de97f8c7f4f066b79ad91c4883cc6716
SHA192cc8bf74888ea1151d9fd219eb8caee02978556
SHA256a99f5d4f9a3cff36d5fa6ce75c5aa651448860ee1b29111bd8ad96eca85b05d9
SHA512cfc7ab2465cce5b7bd5a8ed8ba0b632afc3f1b74f70f1d799f858d2271afbbbb3b37697e1074d6f85aabb4748745566d72ec68bfb2e90d312879875406efd0f3
-
Filesize
4.0MB
MD51d9045870dbd31e2e399a4e8ecd9302f
SHA17857c1ebfd1b37756d106027ed03121d8e7887cf
SHA2569b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA5129419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
-
Filesize
183KB
MD53d4e3f149f3d0cdfe76bf8b235742c97
SHA10e0e34b5fd8c15547ca98027e49b1dcf37146d95
SHA256b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a
SHA5128c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff
-
Filesize
3.6MB
MD5698ddcaec1edcf1245807627884edf9c
SHA1c7fcbeaa2aadffaf807c096c51fb14c47003ac20
SHA256cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b
SHA512a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155
-
Filesize
12KB
MD59a53cd6b36825e500254fca152e1193b
SHA1d18642e2d45e8886abc6b0fc57f9624e4c7321c5
SHA256c93d4fe28aac9d63003c10585d7db9b32950af33387e45f1cd35d3c5dc128f47
SHA512c5de4f00198ab3d27a77ccb9e1ced649dbe1aef6d7f68b94832693825517d032aa8e21ccf95f952e726ef4b8540e7a0402373dec07e4dda2fc6b49db00246328
-
Filesize
92KB
MD5fb598b93c04baafe98683dc210e779c9
SHA1c7ccd43a721a508b807c9bf6d774344df58e752f
SHA256c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4
SHA5121185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f
-
Filesize
756KB
MD5c7dcd585b7e8b046f209052bcd6dd84b
SHA1604dcfae9eed4f65c80a4a39454db409291e08fa
SHA2560e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
-
Filesize
336B
MD58b450bdd9267ce9e0cdd99f6ebf88d13
SHA1ca2516ef38cb2da276fd231b5802b8caf2caeea4
SHA256d640bac8990c3b13b9b50909efc8170fc3a993cec4c9587475719b7f8387849c
SHA512bae68adfe392a1c7595b1698041df2376d0c26033a34f3685a934bd5a77af149951ad9396452a92429a29665358a4d1bea0bbfb41de06bb925abf749b02cc696
-
Filesize
412B
MD5944436a88ea9107c06abfbaf6f8ec3f0
SHA1b09c04af2e73be57bbcf7a55f892ee98f6b31cd0
SHA256245d4746c7ec911a2bea81cd64f06e8bcbc09126f62d2fb52d271ccbf8f20620
SHA512619d82a512cb036b9d97ce7494054f3c717e0720d61f21d094c3838b84717a535ebe9b7976cbcdd368363975c9714de3a61da6ac5292b10e635f7a794f5d83ed
-
Filesize
455B
MD5074dd70e8b517c2f0af0706d42f4da1c
SHA16ec4fed2d9691b4e226565a2e41bb48bdb3ef958
SHA25679567368a2352c64a339303632bc598be81784f9e0618dabf3c9ce7ea9e16c77
SHA512a755e7e44ac48a5453f4402539189a537eceeee5fd228acc9d89082800b42201f841bb7dd8be2103139836013d28d9d3e88d98fd1ec8f25cbd77d46d37f0e172
-
Filesize
28KB
MD571c981d4f5316c3ad1deefe48fddb94a
SHA18e59bbdb29c4234bfcd0465bb6526154bd98b8e4
SHA256de709dacac623c637448dc91f6dfd441a49c89372af2c53e2027e4af5310b95d
SHA512e6ed88ce880e0bbb96995140df0999b1fb3bd45b3d0976e92f94be042d63b8f5030d346f3d24fbadd9822a98690a6d90ba000d9188b3946807fd77735c65c2b1