Analysis
- max time kernel: 321s
- max time network: 332s
- platform: windows11-21h2_x64
- resource: win11-20231128-en
- resource tags: arch:x64, arch:x86, image:win11-20231128-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02/12/2023, 18:06
Tasks
- Static task: static1
- URLScan task: urlscan1
Malware Config
Extracted
- Path: C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\@[email protected]
- Family: wannacry
- Wallet: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (1115) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
Disables RegEdit via registry modification (2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: [email protected])
- Set value (int): \REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: [email protected])

Disables Task Manager via registry modification

Modifies Windows Firewall (1 TTPs, 2 IoCs)
- PID 4704 netsh.exe
- PID 4688 netsh.exe
Yara rule matches (signature name not captured on the page)
- behavioral1/files/0x000100000002a932-1234.dat: aspack_v212_v242
- behavioral1/files/0x000100000002a932-1235.dat: aspack_v212_v242
- behavioral1/files/0x000100000002a935-1266.dat: aspack_v212_v242
- behavioral1/files/0x000100000002a935-1265.dat: aspack_v212_v242
Drops startup file (2 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC274.tmp (process: [email protected])
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC26D.tmp (process: [email protected])

Executes dropped EXE (26 IoCs)
- PID 1580 [email protected]
- PID 3548 [email protected]
- PID 2944 Butterfly On Desktop_1.0.exe
- PID 3528 [email protected]
- PID 4824 [email protected]
- PID 3756 Fantom.exe
- PID 4592 [email protected]
- PID 2328 [email protected]
- PID 4176 weUkYQMA.exe
- PID 4548 xsAgYkcU.exe
- PID 3884 [email protected]
- PID 2324 [email protected]
- PID 1060 taskdl.exe
- PID 1360 [email protected]
- PID 3556 [email protected]
- PID 4688 [email protected]
- PID 2120 system.exe
- PID 4312 [email protected]
- PID 4292 D4C1.tmp
- PID 3984 Antivirus 2021.exe
- PID 916 A employee has shared Covid-19 report with You.doc.exe
- PID 1776 Beryllium.exe
- PID 4160 Bitmap2_GDIOnly.exe
- PID 360 bmp.exe
- PID 5184 BitBlt.exe
- PID 5264 taskdl.exe

Loads dropped DLL (37 IoCs)
- PID 2944 Butterfly On Desktop_1.0.exe (35 entries)
- PID 1304 rundll32.exe
- PID 4516 rundll32.exe

Modifies file permissions (1 TTPs, 1 IoCs)
- PID 4440 icacls.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Yara rule match (signature name not captured on the page)
- behavioral1/memory/916-3078-0x0000000000400000-0x000000000046E000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 6 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Software\Microsoft\Windows\CurrentVersion\Run\weUkYQMA.exe = "C:\\Users\\Admin\\cmEwwgYA\\weUkYQMA.exe" (process: [email protected])
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xsAgYkcU.exe = "C:\\ProgramData\\eOUgwUQk\\xsAgYkcU.exe" (process: [email protected])
- Set value (str): \REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Software\Microsoft\Windows\CurrentVersion\Run\weUkYQMA.exe = "C:\\Users\\Admin\\cmEwwgYA\\weUkYQMA.exe" (process: weUkYQMA.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xsAgYkcU.exe = "C:\\ProgramData\\eOUgwUQk\\xsAgYkcU.exe" (process: xsAgYkcU.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" (process: [email protected])
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" (process: [email protected])

Checks for any installed AV software in registry (1 TTPs, 9 IoCs; all by process Butterfly On Desktop_1.0.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast
- Key opened: \REGISTRY\MACHINE\SOFTWARE\AVG\AV
- Key opened: \REGISTRY\MACHINE\Software\Avast Software\Avast
- Key opened: \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version
- Key opened: \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only), all by process [email protected]: \??\r:, \??\s:, \??\w:, \??\i:, \??\v:, \??\z:, \??\a:, \??\e:, \??\l:, \??\n:, \??\o:, \??\p:, \??\t:, \??\y:, \??\b:, \??\g:, \??\h:, \??\j:, \??\k:, \??\m:, \??\q:, \??\u:, \??\x:

Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" (process: [email protected])
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Для того чтобы восстановить нормальную работу своего компьютера не потеряв ВСЮ информацию! И с экономив деньги, пришли мне на e-mail [email protected] код пополнения счета киевстар на 25 гривень. В ответ в течение двенадцати часов на свой e-mail ты получишь фаил для удаления этой программы." (cp1251 text; process: [email protected])

Drops file in Windows directory (8 IoCs)
- File created: C:\Windows\infpub.dat (process: [email protected])
- File opened for modification: C:\Windows\infpub.dat (process: rundll32.exe)
- File opened for modification: C:\Windows\D4C1.tmp (process: rundll32.exe)
- File opened for modification: C:\WINDOWS\Web (process: [email protected])
- File created: C:\Windows\infpub.dat (process: [email protected])
- File opened for modification: C:\Windows\infpub.dat (process: rundll32.exe)
- File created: C:\Windows\cscc.dat (process: rundll32.exe)
- File created: C:\Windows\dispci.exe (process: rundll32.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2444 SCHTASKS.exe
- PID 2172 schtasks.exe
- PID 2044 schtasks.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)

Kills process with taskkill (1 IoCs)
- PID 5784 taskkill.exe

Modifies Control Panel (6 IoCs; all under \REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Control Panel\, all by process [email protected])
- Key created: International
- Set value (str): International\sTimeFormat = "ХУЙ" (cp1251 text)
- Key created: Desktop
- Set value (str): Desktop\WallpaperOriginX = "210"
- Set value (str): Desktop\WallpaperOriginY = "187"
- Set value (str): Desktop\MenuShowDelay = "9999"

Internet Explorer settings changes (signature name not captured on the page; all by process [email protected])
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" (cp1251 text)
- Key created: \REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Software\Microsoft\Internet Explorer\Main
- Set value (str): \REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: МОЙ ХУЙ ПРОТУХ А ПИЗДА ГНИЕТ ::::::::::::::::::" (cp1251 text)

Modifies Internet Explorer start page (1 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" (process: [email protected])
- Set value (str): \REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" (process: [email protected])

Modifies data under HKEY_USERS (15 IoCs; all under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\, all by process LogonUI.exe)
- Set value (int): CurrentVersion\Themes\History\AutoColor = "0"
- Key created: DWM
- Set value (int): DWM\AccentColor = "4292114432"
- Set value (int): DWM\ColorizationColor = "3288365268"
- Set value (int): DWM\EnableWindowColorization = "75"
- Set value (data): CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00
- Set value (int): CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"
- Key created: CurrentVersion\Themes\History
- Set value (int): DWM\ColorizationAfterglowBalance = "10"
- Set value (int): DWM\ColorizationBlurBalance = "1"
- Key created: CurrentVersion\Explorer\Accent
- Set value (int): DWM\ColorizationColorBalance = "89"
- Set value (int): DWM\ColorizationAfterglow = "3288365268"
- Set value (int): DWM\ColorizationGlassAttribute = "1"
- Set value (int): CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"

Modifies registry class (4 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000_Classes\Local Settings\MuiCache (process: MiniSearchHost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND (process: [email protected])
- Key created: \REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000_Classes\Local Settings (process: Antivirus 2021.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000_Classes\Local Settings (process: cmd.exe)

Modifies registry key (1 TTPs, 9 IoCs)
- PID 336 reg.exe
- PID 3104 reg.exe
- PID 4016 reg.exe
- PID 2640 reg.exe
- PID 4312 reg.exe
- PID 852 reg.exe
- PID 2728 reg.exe
- PID 3688 reg.exe
- PID 2680 reg.exe

Root certificate store changes (signature name not captured on the page; process Butterfly On Desktop_1.0.exe writes the AuthRoot entry 8CF427FD790C3AD166068DE81E57EFBB932272D4, whose Blob values follow)
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c7931323030060355040313294
56e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6 Butterfly On Desktop_1.0.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4 Butterfly On Desktop_1.0.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 
0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa5
27d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6 Butterfly On Desktop_1.0.exe -
Opens file in notepad (likely ransom note) (1 IoCs)
- PID 5400 NOTEPAD.EXE

Runs ping.exe (1 TTPs, 1 IoCs)
- PID 2172 PING.EXE

Suspicious behavior: EnumeratesProcesses (62 IoCs)
- PID 3328 msedge.exe (2 entries)
- PID 1136 msedge.exe (2 entries)
- PID 900 identity_helper.exe (2 entries)
- PID 840 msedge.exe (2 entries)
- PID 2444 msedge.exe (2 entries)
- PID 3336 msedge.exe (4 entries)
- PID 2944 Butterfly On Desktop_1.0.exe (23 entries)
- PID 2328 [email protected] (4 entries)
- PID 2324 [email protected] (4 entries)
- PID 1360 [email protected] (4 entries)
- PID 1304 rundll32.exe (4 entries)
- PID 4516 rundll32.exe (2 entries)
- PID 4292 D4C1.tmp (7 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 5184 BitBlt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- PID 1136 msedge.exe (7 entries)

Suspicious use of AdjustPrivilegeToken (21 IoCs)
- Token 33: PID 4640 AUDIODG.EXE
- Token SeIncBasePriorityPrivilege: PID 4640 AUDIODG.EXE
- Token SeRestorePrivilege: PID 2936 7zG.exe
- Token 35: PID 2936 7zG.exe
- Token SeSecurityPrivilege: PID 2936 7zG.exe
- Token SeSecurityPrivilege: PID 2936 7zG.exe
- Token SeDebugPrivilege: PID 2944 Butterfly On Desktop_1.0.exe
- Token SeSystemtimePrivilege: PID 4824 [email protected]
- Token SeDebugPrivilege: PID 3756 Fantom.exe
- Token SeShutdownPrivilege: PID 3884 [email protected]
- Token SeCreatePagefilePrivilege: PID 3884 [email protected]
- Token SeShutdownPrivilege: PID 1304 rundll32.exe
- Token SeDebugPrivilege: PID 1304 rundll32.exe
- Token SeTcbPrivilege: PID 1304 rundll32.exe
- Token SeShutdownPrivilege: PID 4516 rundll32.exe
- Token SeDebugPrivilege: PID 4516 rundll32.exe
- Token SeTcbPrivilege: PID 4516 rundll32.exe
- Token SeDebugPrivilege: PID 4292 D4C1.tmp
- Token SeShutdownPrivilege: PID 5476 shutdown.exe
- Token SeRemoteShutdownPrivilege: PID 5476 shutdown.exe
- Token SeDebugPrivilege: PID 5784 taskkill.exe

Suspicious use of FindShellTrayWindow (43 IoCs)
- PID 1136 msedge.exe (41 entries)
- PID 2936 7zG.exe
- PID 3548 [email protected]

Suspicious use of SendNotifyMessage (12 IoCs)
- PID 1136 msedge.exe (12 entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 4060 MiniSearchHost.exe
- PID 2944 Butterfly On Desktop_1.0.exe
- PID 5764 PickerHost.exe
- PID 5712 LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1136 (msedge.exe) wrote to memory of PID 712, procid_target 78 (2 entries)
- PID 1136 (msedge.exe) wrote to memory of PID 4336, procid_target 79 (40 entries)
- PID 1136 (msedge.exe) wrote to memory of PID 3328, procid_target 80 (2 entries)
- PID 1136 (msedge.exe) wrote to memory of PID 3076, procid_target 81 (20 entries)
System policy modification 1 TTPs 37 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" [email protected]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" [email protected]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" [email protected]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" [email protected]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" [email protected]
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process
996 attrib.exe
2912 attrib.exe
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/5AV20ICB#6vywRQbH_cRm1BMKvkkSAsDwMOlsZ8GASR4D5o9QxSo
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1136
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc2b303cb8,0x7ffc2b303cc8,0x7ffc2b303cd8
      PID:712
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
      PID:4336
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID:3328
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
      PID:3076
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
      PID:3632
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2368 /prefetch:1
      PID:1700
    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:900
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:840
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4776 /prefetch:8
      PID:4684
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
      PID:3620
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
      PID:1764
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
      PID:2320
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
      PID:3528
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
      PID:1980
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:2444
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3420 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID:3336
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4508
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2312
C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004EC
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4060
C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:4936
C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\VirusCollection\" -spe -an -ai#7zMap27410:94:7zEvent9548
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2936
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]"
  - Executes dropped EXE
  PID:1580
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]"
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:3548
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\Butterfly On Desktop_1.0.exe
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\Butterfly On Desktop_1.0.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2944
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]"
  - Executes dropped EXE
  PID:3528
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4824
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Fantom.exe
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Fantom.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
  - Drops startup file
  - Executes dropped EXE
  PID:4592
    C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      - Views/modifies file attributes
      PID:996
    C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      - Modifies file permissions
      PID:4440
    C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:1060
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 121131701540660.bat
      PID:1428
        C:\Windows\SysWOW64\cscript.exe
          cscript.exe //nologo m.vbs
          PID:2292
    C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      - Views/modifies file attributes
      PID:2912
    C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:5264
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
    C:\Users\Admin\cmEwwgYA\weUkYQMA.exe
      "C:\Users\Admin\cmEwwgYA\weUkYQMA.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      PID:4176
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Endermanch@ViraLock"
      PID:1644
        C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
          C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Endermanch@ViraLock
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          PID:2324
            C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Endermanch@ViraLock"
              PID:1480
                C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
                  C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Endermanch@ViraLock
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  PID:1360
                    C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Endermanch@ViraLock"
                      PID:2728
                    C:\Windows\SysWOW64\reg.exe
                      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
                      - Modifies registry key
                      PID:336
                    C:\Windows\SysWOW64\reg.exe
                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
                      - Modifies registry key
                      PID:3104
                    C:\Windows\SysWOW64\reg.exe
                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
                      - Modifies registry key
                      PID:4016
                    C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmoUAcoQ.bat" "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]""
                      PID:2276
                        C:\Windows\SysWOW64\cscript.exe
                          cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                          PID:2144
            C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
              - Modifies registry key
              PID:852
            C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
              - Modifies registry key
              PID:3688
            C:\Windows\SysWOW64\reg.exe
              reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
              - Modifies registry key
              PID:2680
            C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqEIkgcg.bat" "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]""
              PID:1516
                C:\Windows\SysWOW64\cscript.exe
                  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
                  PID:8
    C:\ProgramData\eOUgwUQk\xsAgYkcU.exe
      "C:\ProgramData\eOUgwUQk\xsAgYkcU.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      PID:4548
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwoUEAcU.bat" "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]""
      PID:2172
        C:\Windows\SysWOW64\cscript.exe
          cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
          PID:2380
    C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      - Modifies registry key
      PID:2640
    C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      - Modifies registry key
      PID:4312
    C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      - Modifies registry key
      PID:2728
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
    C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      - Modifies Windows Firewall
      PID:4704
    C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      - Modifies Windows Firewall
      PID:4688
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
      PID:5612
        C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im "E"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:5784
        C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          - Runs ping.exe
          PID:2172
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
  - Executes dropped EXE
  PID:3556
    C:\Users\Admin\AppData\Local\system.exe
      "C:\Users\Admin\AppData\Local\system.exe"
      - Executes dropped EXE
      PID:2120
        C:\Windows\SysWOW64\SCHTASKS.exe
          C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
          - Creates scheduled task(s)
          PID:2444
        C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
          PID:3340
        C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          PID:2756
            C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
              PID:4320
        C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
          PID:2728
            C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
              PID:200
        C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
          PID:5100
            C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
              PID:2096
        C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
          PID:1432
            C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
              PID:4516
        C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
          PID:3928
            C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
              PID:1080
        C:\windows\SysWOW64\cmd.exe
          C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          PID:3100
            C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
              PID:2276
        C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
          PID:3560
            C:\Windows\SysWOW64\reg.exe
              REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
              PID:4848
        C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
          PID:5048
            C:\Windows\SysWOW64\shutdown.exe
              shutdown -r -t 10 -f
              - Suspicious use of AdjustPrivilegeToken
              PID:5476
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4688
    C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1304
        C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Delete /F /TN rhaegal
          PID:2924
            C:\Windows\SysWOW64\schtasks.exe
              schtasks /Delete /F /TN rhaegal
              PID:3568
        C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2723248496 && exit"
          PID:2188
            C:\Windows\SysWOW64\schtasks.exe
              schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2723248496 && exit"
              - Creates scheduled task(s)
              PID:2172
        C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:29:00
          PID:2788
            C:\Windows\SysWOW64\schtasks.exe
              schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:29:00
              - Creates scheduled task(s)
              PID:2044
        C:\Windows\D4C1.tmp
          "C:\Windows\D4C1.tmp" \\.\pipe\{9BBBC7B5-D81C-4A15-B35D-FFDFEEC6C3A7}
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:4292
        C:\Windows\SysWOW64\cmd.exe
          /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
          PID:340
        C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Delete /F /TN drogon
          PID:5516
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4312
    C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4516
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Antivirus 2021.exe
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Antivirus 2021.exe"
  - Executes dropped EXE
  - Modifies registry class
  PID:3984
    C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Antivirus.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      PID:5752
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\A employee has shared Covid-19 report with You.doc.exe
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\A employee has shared Covid-19 report with You.doc.exe"
  - Executes dropped EXE
  PID:916
    C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E58A.tmp\E58B.tmp\E58C.bat "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\A employee has shared Covid-19 report with You.doc.exe""
      - Modifies registry class
      PID:5192
        C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Covid19.txt
          - Opens file in notepad (likely ransom note)
          PID:5400
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Beryllium.exe
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Beryllium.exe"
  - Executes dropped EXE
  PID:1776
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Bitmap2_GDIOnly.exe
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Bitmap2_GDIOnly.exe"
  - Executes dropped EXE
  PID:4160
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\bmp.exe
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\bmp.exe"
  - Executes dropped EXE
  PID:360
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\BitBlt.exe
  "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\BitBlt.exe"
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5184
C:\Windows\System32\PickerHost.exe
  C:\Windows\System32\PickerHost.exe -Embedding
  - Suspicious use of SetWindowsHookEx
  PID:5764
C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa3949055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:5712
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (7)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Downloads
Filesize1KB
MD55c1598dc30041b62fbb41384c2087ff8
SHA11d288c77aa134a1291020d73b9445c0eb1867c6c
SHA256064e060ee10ef1c7bed46d393741abb0f2d797d5e8fe7581aa3285242d8ae1e4
SHA51259e077dac8a18963536925f5d2e6d11ba9edc6d5d91991a5b3fd0db9be6c55e9318dfd3ac93cab6279051c3d64d9ca63c3034f94f8441feee69f5bfdc56402b2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize1KB
MD5d2ecb42f846c32db4e76188faf6abb01
SHA1f81b1f687921ce7313edf737f78c49a10cad65c5
SHA2562afe7774466c2df1887510916468179196934f1c0b2d22ebe50da20138b47dfb
SHA512171c42c9384aad204f4cef588afdf443e5ccb809ce8a703d5f1f423b608554c8760eab70ba0fbdecf81becfcc53a7640e2d40d5cf91f8fe74019089783677492
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize2KB
MD5bd42d28eeeafeee47b42df4d2166f5ff
SHA10f8f94551359802b5d1f0a5729784e595bdcf144
SHA256f608b30b82f902108ca1e6c9112086fe61c2292f3b1e104bd9bed20f7135541b
SHA512c4e8b8ef7234b835d57d0b3edd7bfa0cd4659beeb7fb654cfe10ca4fe4d76fb4b992ad00d26baaa9d5a04daf47dbf8414233dca42a6af437a94aa31125ac00e1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe57cddf.TMP
Filesize598B
MD5fd3ef1bb183cc9a7580144d6b676b73c
SHA18106a8050ab4467584648a9280891bbbe379f1bd
SHA256956c1e10d9571d51f84ebc41ff359dc2dea9109f04447c9c4845184ee6d51fd1
SHA512c4e253b0fa9eb6b883e6f3188056a2466ff08e6d23ca8724bbe46e20eeb056a9687428e8ed0f607c3e05be05e45b9db99a0e7f9705dce178dd8d6cb1982a2755
-
Filesize
188B
MD503da8e9f1c34251a6a9fc171f9972a58
SHA14817ec312c6bd1ce48635f652f4ea8d70a190987
SHA25608bfcc15479ee1cf404d6d0c9aa3a5a1eba16288f4e432b56b66861d88052451
SHA512d8df733d82c529cf321cb5ac9db4216b32b6b6904201207600fec3fcd26c92e550520335e02ff423747d3772ab672ad95528f8bc4a15bd70abf6421d6e0ac727
-
Filesize
5KB
MD59931e5552670e24b01e50bd1b82e39de
SHA16c80c31712a2742398a0bf8ea3193ceb7afcb1e9
SHA256135bc71cc6a024ab8a70e1e344b0ff76afcfd5438fb3d40320718578b9f9caeb
SHA5120498dfe778bf51e6ad4a48356694573006e92de3ca60475aaf80a43000f58ba833d970d57e9872f748b7c1e46424c704fe7b676a11ea035c24f50d865e2c1427
-
Filesize
5KB
MD536d38ba5b1697972918d3932758f799d
SHA15130279e272501368a3f7f1d9ce5c974df2b1f34
SHA256c5d3ca9a793ecac8b821b81c9c6765bda0cf1ec849dc3a300ddd1c5f63b0873e
SHA512ceffcd6a444342f41aa8d387b4223c11fbbd9891869690bf28377e195136a7830dd2a90164d454ce692fb185f20ecd4d40a2ec8749ba616fb6994c2f15468e6a
-
Filesize
5KB
MD5182a43e7dd9dc21191aa7cd76c4f5dda
SHA1d9a2c164ca5d754b9ac889dc06d1875404e70318
SHA256d780e19fe090ebc48a967aab3ab82b2cad27e42cad71db753a23b7d03b89df09
SHA51214d6904f53c76ffcbc7f5d8cf8ca573e874f2c7e803318e9e9c077487025759eaa3801327c802cdde59758d3987b086cfbc308579d4ae0f5033fe3582f1546dd
-
Filesize
5KB
MD51ae397b084a1ed17629564d7aec31f61
SHA10abca5b486839f5082bef8a8b9e242963d11b6a5
SHA256ffc3083df397a7a2ce8bd04b7768aed2fe42d88c8963e1890a3897dc82ce6463
SHA512fea8742e0b6e7e51032a144205d0d0fdffa0185d8ad489c0279f7475d6f9051c97daded93beb95d02743ca65240bfc858424c70bb8f774e9c3c45d24c7f60a70
-
Filesize
25KB
MD5590a4be82ce0e7f8c69b0a547a8ed945
SHA1062639b7a6e192a2587e55c8463dfd1173a25c0a
SHA256e5e00d40a7698d1436f72cfaf14a43372bfad5c71ae3737e8131e4662628dbbb
SHA512eb91a8f98ed3ff1a7e3ff65ff94cdecead42f31aca2ba25b9edaa5dab948a83bb2566a99f3237659eba753917d283d18ee3286da4150f47d4297b99a979472f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD545d969ec6a6af1de920c16675497d16b
SHA1305cb4bbd8eca5a0feef3ed9f728d480d4b4406c
SHA256d8c3b020b3610692f6bfe027f449ec888aa4679868302612abb2af39d8f1b132
SHA51255ce3524bd2016579b5453d9bc582c14164f0ead858361ffdc183fc173a4e025e282bfca835a09a3441fe0ec6bf90d9f33a6c07b756f1edebab40992f54591f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f695.TMP
Filesize48B
MD526db2bb14c188bf7712cd4f6de3be178
SHA1d1244f56b3aba760d95c7234ef0141fcadc19c58
SHA256f43bc679a0670c69064543fb192e3b0acce0eded0a08e1ba88f62ff408451957
SHA5126355db1f1a01fa38a2d96ef425903860606264f1eb0d0469646f366da7f4554a347955f3a7cf8dffa31ab8bbe8fc4e43ce1e103d3086f52d636525f352c2151d
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e43a294e-f25f-45cc-b9e5-8245dc567be5.tmp
Filesize5KB
MD59de7d8f9f1d530ce13d75dac468b246c
SHA156c1e98649cd04b79b3c76cd9e8ffa9ad8b66ce8
SHA2568881c0dfa4dddff5de0156069891e46b30f8f4430c61c0919628f967104d234d
SHA512ef361a51e80059328daf385f4de73af451b344383a2429cd4358f1d4bafb515cfad7f0c64562109f6d4cb4169e90c59ecb018df7392263b33ee9f0f811243ea2
-
Filesize
10KB
MD51e71195086021b112553895b7e5fa872
SHA1d5cc5ab8f2f2a25766ef207b2e9814586bc54094
SHA256bedc4eb480c5f0923252c6be58dbf46f858ecdb86c6df489b1671169e510254c
SHA51260d2c52561349fed6e64fdca264500f5f13368b503d586997e1d631caeb3bba1820c6cbb9118d29b4f71378e39227643ea535b8bfd8180f9d01b0596ae73eac9
-
Filesize
11KB
MD5ae6de843adaa4dacf825c81e8e1295b2
SHA119dca5426a72c5eb83403b99eb2e55303fec26f0
SHA256d221f81a32638b2ab7e20d19becfe1499730e5edfc78da6dd6b6d23583a6dc05
SHA512917fc139ce0e77cbab1b5e64a54b1b6634507f3b7ee336494e1c68690e42c3b93a98d75821e3458e03e9843ba5bf23487031e08ea266c5588641659122520110
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize10KB
MD5b14496d248a07986e0cd800e041aa514
SHA1f0a8b6b33814d9b4491b98793ccd543fb826712d
SHA2568818f0f6e475d86a2f6cd4ae19c6dff5eb9c7e5d7bce84136041ea6743effeca
SHA51219a96fd12f59298b30455560995135d285f73d3d20e4ca8fe6976c27c4040bcf7f5ffb19cdf9bdfd38bc55c5b9e417a88fabf76a5aee8ae95ed2560cf3d9a073
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize10KB
MD5b07ce292c287dd50161c41e105c98ca8
SHA185caf49dfc198504c651f713482dce881066ed42
SHA256c6de30a4987f6ad068caef9f96ae181eee48a95d7bff7297d512b68c80bb24e2
SHA5125ef87c9289816e0f6982573bf6a92925b5b5119ba421691e769982570fa67f3ac2dba3f55481bc767da88a709edf7a5e1b72657fdf6eef7646f41d956efda66f
-
Filesize
1KB
MD5bd68838ecb5211eec61b623b8d90c7b1
SHA1468d3c8cdbbe481db7ff9ccc36ca1e0549fe8e76
SHA256528bdb8513b87c0ab8f940c5cd2905a942511b073fb3a58754cba5fbf76d04e7
SHA512cf92209cc21461e5e77889dd9c53d84639b2e5446cc508bec131048d93ca9c9e063da314a18c66190f52fad4517034ff544d3686651f91fed272ec00d5ffc457
-
Filesize
5.6MB
MD5b431083586e39d018e19880ad1a5ce8f
SHA13bbf957ab534d845d485a8698accc0a40b63cedd
SHA256b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b
SHA5127805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
5.7MB
MD5574bf4e368acda5c4d0587cef85f3265
SHA19145d21575bfb3e917660da0c7c17950a5ed2293
SHA256b7d24e1f000d2ac8040967f33102c7393e502160029ce0efd62330c02d367703
SHA5125544c3a225ea77cf289acf4957ef500877165fa47a09ba1edb45a90989cb284a94665ca9d7e809dc4b1264cfd1f99cfb4d771db862d4d298fa9fc0b492bb6410
-
Filesize
5.7MB
MD5574bf4e368acda5c4d0587cef85f3265
SHA19145d21575bfb3e917660da0c7c17950a5ed2293
SHA256b7d24e1f000d2ac8040967f33102c7393e502160029ce0efd62330c02d367703
SHA5125544c3a225ea77cf289acf4957ef500877165fa47a09ba1edb45a90989cb284a94665ca9d7e809dc4b1264cfd1f99cfb4d771db862d4d298fa9fc0b492bb6410
-
Filesize
5.7MB
MD5574bf4e368acda5c4d0587cef85f3265
SHA19145d21575bfb3e917660da0c7c17950a5ed2293
SHA256b7d24e1f000d2ac8040967f33102c7393e502160029ce0efd62330c02d367703
SHA5125544c3a225ea77cf289acf4957ef500877165fa47a09ba1edb45a90989cb284a94665ca9d7e809dc4b1264cfd1f99cfb4d771db862d4d298fa9fc0b492bb6410
-
Filesize
17KB
MD5d8baf69855cd6e563db75040d5c93446
SHA1e18a423066eebe04c250b9c39df85f9f141a7511
SHA256747feb099706d4835e000c3ee8ceadc8c15d824cbb1d7439161d56ffcd2eaf21
SHA5122cf7198589baef6fd3f4e508c761a5d223060c6418accd8bb50d6eb5dedd8cbd5aa29bb0dd4146dffcbb6755526bdb8e501dc6feb5a8cca39452c2b89c19696d
-
Filesize
17KB
MD5d8baf69855cd6e563db75040d5c93446
SHA1e18a423066eebe04c250b9c39df85f9f141a7511
SHA256747feb099706d4835e000c3ee8ceadc8c15d824cbb1d7439161d56ffcd2eaf21
SHA5122cf7198589baef6fd3f4e508c761a5d223060c6418accd8bb50d6eb5dedd8cbd5aa29bb0dd4146dffcbb6755526bdb8e501dc6feb5a8cca39452c2b89c19696d
-
Filesize
17KB
MD5d8baf69855cd6e563db75040d5c93446
SHA1e18a423066eebe04c250b9c39df85f9f141a7511
SHA256747feb099706d4835e000c3ee8ceadc8c15d824cbb1d7439161d56ffcd2eaf21
SHA5122cf7198589baef6fd3f4e508c761a5d223060c6418accd8bb50d6eb5dedd8cbd5aa29bb0dd4146dffcbb6755526bdb8e501dc6feb5a8cca39452c2b89c19696d
-
Filesize
78KB
MD517e51e917a9571db645210bbf3346e8d
SHA15b3d7d918feea625613fba2442c1bd59dcea8c6c
SHA256a5d947b0492fdfe581ab89bc639c5a293d0fbe8ec337ae52f5e42ffa460ef442
SHA512bbdb70f38f032e7e210c1bbfddc12b65fc7e9ade06b20661f291c0ab0c6403c24fdc6bfc446126122a5a784c55b35256657f6ad98ed00604426e83ed59bab310
-
Filesize
78KB
MD517e51e917a9571db645210bbf3346e8d
SHA15b3d7d918feea625613fba2442c1bd59dcea8c6c
SHA256a5d947b0492fdfe581ab89bc639c5a293d0fbe8ec337ae52f5e42ffa460ef442
SHA512bbdb70f38f032e7e210c1bbfddc12b65fc7e9ade06b20661f291c0ab0c6403c24fdc6bfc446126122a5a784c55b35256657f6ad98ed00604426e83ed59bab310
-
Filesize
78KB
MD517e51e917a9571db645210bbf3346e8d
SHA15b3d7d918feea625613fba2442c1bd59dcea8c6c
SHA256a5d947b0492fdfe581ab89bc639c5a293d0fbe8ec337ae52f5e42ffa460ef442
SHA512bbdb70f38f032e7e210c1bbfddc12b65fc7e9ade06b20661f291c0ab0c6403c24fdc6bfc446126122a5a784c55b35256657f6ad98ed00604426e83ed59bab310
-
Filesize
20KB
MD5c358d1550a03a629d994a6780cd71cdf
SHA18afa6e479d1e9deb4a02cd8756981ad68f4ef123
SHA256a0ad25c23dcd972e19372960bc4724f41f242664f34c54c67d5e31a6186a58d5
SHA5121e552a1746f7caeef1491971ed0f5903cec4b424130134691799454fba673b7c091ec924984abedbd5b17158092b1ed967a6fa27e233fb6e551b925c50acb092
-
Filesize
20KB
MD5c358d1550a03a629d994a6780cd71cdf
SHA18afa6e479d1e9deb4a02cd8756981ad68f4ef123
SHA256a0ad25c23dcd972e19372960bc4724f41f242664f34c54c67d5e31a6186a58d5
SHA5121e552a1746f7caeef1491971ed0f5903cec4b424130134691799454fba673b7c091ec924984abedbd5b17158092b1ed967a6fa27e233fb6e551b925c50acb092
-
Filesize
20KB
MD5c358d1550a03a629d994a6780cd71cdf
SHA18afa6e479d1e9deb4a02cd8756981ad68f4ef123
SHA256a0ad25c23dcd972e19372960bc4724f41f242664f34c54c67d5e31a6186a58d5
SHA5121e552a1746f7caeef1491971ed0f5903cec4b424130134691799454fba673b7c091ec924984abedbd5b17158092b1ed967a6fa27e233fb6e551b925c50acb092
-
Filesize
166KB
MD5d823cce48af722c77d35d6d49f75b3f6
SHA1957ef9b96fb2de5ba00faf5d1d5e07c7a800e423
SHA25669d6fd2ce57ad98a56fbe0ed9d09f5f8cd969e8a68d7dfcd64a06592ad23aaff
SHA5122b7db40a3a39c97e3b31c8abd500f148f4bfdae87fc1b7bcd4d873cde95b2328fdf59024328625d96976dd61d9e2669ba2e4dbc1fabce734397cdf35888421e9
-
Filesize
166KB
MD5d823cce48af722c77d35d6d49f75b3f6
SHA1957ef9b96fb2de5ba00faf5d1d5e07c7a800e423
SHA25669d6fd2ce57ad98a56fbe0ed9d09f5f8cd969e8a68d7dfcd64a06592ad23aaff
SHA5122b7db40a3a39c97e3b31c8abd500f148f4bfdae87fc1b7bcd4d873cde95b2328fdf59024328625d96976dd61d9e2669ba2e4dbc1fabce734397cdf35888421e9
-
Filesize
166KB
MD5d823cce48af722c77d35d6d49f75b3f6
SHA1957ef9b96fb2de5ba00faf5d1d5e07c7a800e423
SHA25669d6fd2ce57ad98a56fbe0ed9d09f5f8cd969e8a68d7dfcd64a06592ad23aaff
SHA5122b7db40a3a39c97e3b31c8abd500f148f4bfdae87fc1b7bcd4d873cde95b2328fdf59024328625d96976dd61d9e2669ba2e4dbc1fabce734397cdf35888421e9
-
Filesize
125KB
MD5d1565006cd6c858e0722e828ab7d0af6
SHA181681d919901a3342f18cee9c9186873a297db22
SHA256be34893a1e2ed82d3824872b87febcfe9cf2aeee59df4c171f8861a34d6e8bee
SHA51224b966098814f84500459df29c1225672b6ba7dd54773820fbdd6f36eceead5116bad411e40f11ff7e0000e4247001d7eacabe073e3a9d1f56cf311c7470cebb
-
Filesize
125KB
MD5d1565006cd6c858e0722e828ab7d0af6
SHA181681d919901a3342f18cee9c9186873a297db22
SHA256be34893a1e2ed82d3824872b87febcfe9cf2aeee59df4c171f8861a34d6e8bee
SHA51224b966098814f84500459df29c1225672b6ba7dd54773820fbdd6f36eceead5116bad411e40f11ff7e0000e4247001d7eacabe073e3a9d1f56cf311c7470cebb
-
Filesize
125KB
MD5d1565006cd6c858e0722e828ab7d0af6
SHA181681d919901a3342f18cee9c9186873a297db22
SHA256be34893a1e2ed82d3824872b87febcfe9cf2aeee59df4c171f8861a34d6e8bee
SHA51224b966098814f84500459df29c1225672b6ba7dd54773820fbdd6f36eceead5116bad411e40f11ff7e0000e4247001d7eacabe073e3a9d1f56cf311c7470cebb
-
Filesize
9KB
MD529c85eb8d9e8fcc08dcb6702049a3178
SHA1faec404c9195e242b05b11fa1658f4db04db7ab0
SHA256b72fdb3cf3356fe3b447745aaf2a4b77b8d6efd536434bb9f2b39e43d790b4e7
SHA512728d2d0cfa97a27ca5287806a841aa88e48eac42a615e4316fe48c9836113829e33366b211142af58ff8a7c37963ee5953f5871b0acaf5ab85510cb050014729
-
Filesize
9KB
MD529c85eb8d9e8fcc08dcb6702049a3178
SHA1faec404c9195e242b05b11fa1658f4db04db7ab0
SHA256b72fdb3cf3356fe3b447745aaf2a4b77b8d6efd536434bb9f2b39e43d790b4e7
SHA512728d2d0cfa97a27ca5287806a841aa88e48eac42a615e4316fe48c9836113829e33366b211142af58ff8a7c37963ee5953f5871b0acaf5ab85510cb050014729
-
Filesize
9KB
MD529c85eb8d9e8fcc08dcb6702049a3178
SHA1faec404c9195e242b05b11fa1658f4db04db7ab0
SHA256b72fdb3cf3356fe3b447745aaf2a4b77b8d6efd536434bb9f2b39e43d790b4e7
SHA512728d2d0cfa97a27ca5287806a841aa88e48eac42a615e4316fe48c9836113829e33366b211142af58ff8a7c37963ee5953f5871b0acaf5ab85510cb050014729
-
Filesize
154KB
MD517220f65bd242b6a491423d5bb7940c1
SHA1a33fabf2b788e80f0f7f84524fe3ed9b797be7ad
SHA25623056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f
SHA512bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e
-
Filesize
154KB
MD517220f65bd242b6a491423d5bb7940c1
SHA1a33fabf2b788e80f0f7f84524fe3ed9b797be7ad
SHA25623056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f
SHA512bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e
-
Filesize
154KB
MD517220f65bd242b6a491423d5bb7940c1
SHA1a33fabf2b788e80f0f7f84524fe3ed9b797be7ad
SHA25623056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f
SHA512bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e
-
Filesize
56KB
MD5f931e960cc4ed0d2f392376525ff44db
SHA11895aaa8f5b8314d8a4c5938d1405775d3837109
SHA2561c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870
SHA5127fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0
-
Filesize
56KB
MD5f931e960cc4ed0d2f392376525ff44db
SHA11895aaa8f5b8314d8a4c5938d1405775d3837109
SHA2561c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870
SHA5127fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0
-
Filesize
56KB
MD5f931e960cc4ed0d2f392376525ff44db
SHA11895aaa8f5b8314d8a4c5938d1405775d3837109
SHA2561c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870
SHA5127fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0
-
Filesize
168KB
MD528f1996059e79df241388bd9f89cf0b1
SHA16ad6f7cde374686a42d9c0fcebadaf00adf21c76
SHA256c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce
SHA5129654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29
-
Filesize
168KB
MD528f1996059e79df241388bd9f89cf0b1
SHA16ad6f7cde374686a42d9c0fcebadaf00adf21c76
SHA256c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce
SHA5129654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29
-
Filesize
168KB
MD528f1996059e79df241388bd9f89cf0b1
SHA16ad6f7cde374686a42d9c0fcebadaf00adf21c76
SHA256c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce
SHA5129654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29
-
Filesize
541KB
MD59de86cdf74a30602d6baa7affc8c4a0f
SHA19c79b6fbf85b8b87dd781b20fc38ba2ac0664143
SHA25656032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583
SHA512dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641
-
Filesize
541KB
MD59de86cdf74a30602d6baa7affc8c4a0f
SHA19c79b6fbf85b8b87dd781b20fc38ba2ac0664143
SHA25656032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583
SHA512dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641
-
Filesize
541KB
MD59de86cdf74a30602d6baa7affc8c4a0f
SHA19c79b6fbf85b8b87dd781b20fc38ba2ac0664143
SHA25656032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583
SHA512dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641
-
Filesize
133KB
MD58db691813a26e7d0f1db5e2f4d0d05e3
SHA17c7a33553dd0b50b78bf0ca6974c77088da253eb
SHA2563043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701
SHA512d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f
-
Filesize
133KB
MD58db691813a26e7d0f1db5e2f4d0d05e3
SHA17c7a33553dd0b50b78bf0ca6974c77088da253eb
SHA2563043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701
SHA512d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f
-
Filesize
133KB
MD58db691813a26e7d0f1db5e2f4d0d05e3
SHA17c7a33553dd0b50b78bf0ca6974c77088da253eb
SHA2563043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701
SHA512d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f
-
Filesize
173KB
MD596ba82404612c54c8035670384f5a768
SHA11bd337d88be490a2bd12b21e5dfdbf211a1235af
SHA256368b5072de14843f919ab626fca2ae95c6c2b5ed77b0318db5f3cd2a93971de0
SHA512720a0bcf060899d341b5625747944ab2d29c82297f2db85334f3ebfe1c0134f22055f413667255e8fcb9374fa5595e3778b67c097aa988c25b04367293d024f2
-
Filesize
173KB
MD596ba82404612c54c8035670384f5a768
SHA11bd337d88be490a2bd12b21e5dfdbf211a1235af
SHA256368b5072de14843f919ab626fca2ae95c6c2b5ed77b0318db5f3cd2a93971de0
SHA512720a0bcf060899d341b5625747944ab2d29c82297f2db85334f3ebfe1c0134f22055f413667255e8fcb9374fa5595e3778b67c097aa988c25b04367293d024f2
-
Filesize
173KB
MD596ba82404612c54c8035670384f5a768
SHA11bd337d88be490a2bd12b21e5dfdbf211a1235af
SHA256368b5072de14843f919ab626fca2ae95c6c2b5ed77b0318db5f3cd2a93971de0
SHA512720a0bcf060899d341b5625747944ab2d29c82297f2db85334f3ebfe1c0134f22055f413667255e8fcb9374fa5595e3778b67c097aa988c25b04367293d024f2
-
Filesize
139KB
MD502900ea60f5b8bca8d930315707af125
SHA16474108d4639b6ed5a4359e62845b521c2a281bc
SHA2563878264e135b3b7381580455eb90c98a9929c0311762ce031efd5f5f7aa0ca33
SHA5123aebac944a095bb59a8845cbbfa6df025b6e4c3cc5e82560dfbe6d48bda99bfcacd37a47e37f055e8fb0493f32f26846f5219c17dfefc88234e47a68e776e70d
-
Filesize
139KB
MD502900ea60f5b8bca8d930315707af125
SHA16474108d4639b6ed5a4359e62845b521c2a281bc
SHA2563878264e135b3b7381580455eb90c98a9929c0311762ce031efd5f5f7aa0ca33
SHA5123aebac944a095bb59a8845cbbfa6df025b6e4c3cc5e82560dfbe6d48bda99bfcacd37a47e37f055e8fb0493f32f26846f5219c17dfefc88234e47a68e776e70d
-
Filesize
139KB
MD502900ea60f5b8bca8d930315707af125
SHA16474108d4639b6ed5a4359e62845b521c2a281bc
SHA2563878264e135b3b7381580455eb90c98a9929c0311762ce031efd5f5f7aa0ca33
SHA5123aebac944a095bb59a8845cbbfa6df025b6e4c3cc5e82560dfbe6d48bda99bfcacd37a47e37f055e8fb0493f32f26846f5219c17dfefc88234e47a68e776e70d
-
Filesize
101KB
MD55ed5560e3c4562619a5225772483064a
SHA16a0e59a06171225db80d0c3ca1cdd53ce4e3f02c
SHA25627bda087af199fb9082c25b13a23f6168efeae950734980215c2b7553f497780
SHA51250f0379a0a621f7a1ee79efc68834d4e64c3a75e2e9a5d6c79bdf54bbe86d45597031c72fb882ec4643560b4bc6f5a49e819f54d8f313c5114991bd8577ff41b
-
Filesize
101KB
MD55ed5560e3c4562619a5225772483064a
SHA16a0e59a06171225db80d0c3ca1cdd53ce4e3f02c
SHA25627bda087af199fb9082c25b13a23f6168efeae950734980215c2b7553f497780
SHA51250f0379a0a621f7a1ee79efc68834d4e64c3a75e2e9a5d6c79bdf54bbe86d45597031c72fb882ec4643560b4bc6f5a49e819f54d8f313c5114991bd8577ff41b
-
Filesize
101KB
MD55ed5560e3c4562619a5225772483064a
SHA16a0e59a06171225db80d0c3ca1cdd53ce4e3f02c
SHA25627bda087af199fb9082c25b13a23f6168efeae950734980215c2b7553f497780
SHA51250f0379a0a621f7a1ee79efc68834d4e64c3a75e2e9a5d6c79bdf54bbe86d45597031c72fb882ec4643560b4bc6f5a49e819f54d8f313c5114991bd8577ff41b
-
Filesize
101KB
MD55ed5560e3c4562619a5225772483064a
SHA16a0e59a06171225db80d0c3ca1cdd53ce4e3f02c
SHA25627bda087af199fb9082c25b13a23f6168efeae950734980215c2b7553f497780
SHA51250f0379a0a621f7a1ee79efc68834d4e64c3a75e2e9a5d6c79bdf54bbe86d45597031c72fb882ec4643560b4bc6f5a49e819f54d8f313c5114991bd8577ff41b
-
Filesize
151KB
MD51bf73d9f025be036e5acc0cfe1928af4
SHA180dca2951603b3383c319a43da1a1e93b8f369d5
SHA2565580588820f429d6d17c73c0526e032e5fdb2e2b1343071f5c4fc379c209353a
SHA5124212e4cb5738998837a2f62ee5c326d1461c31300894f1d9380155b510ea3ba3364c543496cdab0ff97e18722ba83939426901eeb7f013e0618a26e626643fec
-
Filesize
151KB
MD51bf73d9f025be036e5acc0cfe1928af4
SHA180dca2951603b3383c319a43da1a1e93b8f369d5
SHA2565580588820f429d6d17c73c0526e032e5fdb2e2b1343071f5c4fc379c209353a
SHA5124212e4cb5738998837a2f62ee5c326d1461c31300894f1d9380155b510ea3ba3364c543496cdab0ff97e18722ba83939426901eeb7f013e0618a26e626643fec
-
Filesize
426KB
MD58ff1898897f3f4391803c7253366a87b
SHA19bdbeed8f75a892b6b630ef9e634667f4c620fa0
SHA25651398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad
SHA512cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03
-
Filesize
74KB
MD51a84957b6e681fca057160cd04e26b27
SHA18d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe
SHA2569faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5
SHA5125f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa
-
Filesize
315KB
MD5f74b265e5da8b9094b627b43dc330fe2
SHA1528750e48eb39ea00ce0ad0f094d6b4d248e5155
SHA2562f90de3c1fce18a2fc396f99f7e03bf3a3bb7cac911b194a98dda191011de0bb
SHA512377386cfad937f803fe5fb9b1964515996a5eee47bed974c54887d0d7af92718f8c423bd0ff6546331e02b39b23a1fc3ec2cb5ea4a1b4b5e1885c0b7a99a3f0f
-
Filesize
571.7MB
MD5114fffa0822d7897307f8001d9bd872a
SHA1d6ef493b79df63c48b8b798716384b5a83ec2bce
SHA256fbd87c34ab60337f178f8f246336de88defb24dde931ca15a9d07be0371014cf
SHA512cf2ea145f932b32fbb274fb5dba88f7d153d7d455ac9d23dbbd5dff1faad5c66ca58f7056db0a1caf09e6b5ba7cecbc0703d685d5b585e34a8c1b35e4b0a5372
-
Filesize
11.2MB
MD52b4de576cc897dba5c6c9b7bab273bcf
SHA153f9cb004413cfc277878efe0c70a261ea7cd502
SHA2561e2796b060e7c4876df3b648ac7f55a19b0c03369eecc75616755f356753e867
SHA512d96f721a0edecf38d50c8f4c40009769996d7a51a422c5b5d30469b06f5fa2b8b8d5e1650a15725a86c9d0cbe22e2c3732564d1c0ca2eeddfceb935a9c27df77
-
Filesize
6.7MB
MD5ad3de6f0bcaaeae04496d25e1104ddb9
SHA137316fbaf792816268d5c181fae7eedbbc6427cb
SHA256a84bd135f9efdf2b8edeeaaf497809f4c6ec853f2cf47c7f5b8cf36c55a40d14
SHA512ddb5f24841e38e22be019c411772b291b5b045e9b6f4f9d7ec9e0fb38f089712cec4025112d109059e13eda1040725cb18508bed5ef9e8eeb53cc0b3b5ca2def
-
Filesize
6.7MB
MD5ad3de6f0bcaaeae04496d25e1104ddb9
SHA137316fbaf792816268d5c181fae7eedbbc6427cb
SHA256a84bd135f9efdf2b8edeeaaf497809f4c6ec853f2cf47c7f5b8cf36c55a40d14
SHA512ddb5f24841e38e22be019c411772b291b5b045e9b6f4f9d7ec9e0fb38f089712cec4025112d109059e13eda1040725cb18508bed5ef9e8eeb53cc0b3b5ca2def
-
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]
Filesize248KB
MD520d2c71d6d9daf4499ffc4a5d164f1c3
SHA138e5dcd93f25386d05a34a5b26d3fba1bf02f7c8
SHA2563ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d
SHA5128ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704
-
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]
Filesize248KB
MD520d2c71d6d9daf4499ffc4a5d164f1c3
SHA138e5dcd93f25386d05a34a5b26d3fba1bf02f7c8
SHA2563ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d
SHA5128ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704
-
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]
Filesize138KB
MD50b3b2dff5503cb032acd11d232a3af55
SHA16efc31c1d67f70cf77c319199ac39f70d5a7fa95
SHA256ef878461a149024f3065121ff4e165731ecabef1b94b0b3ed2eda010ad39202b
SHA512484014d65875e706f7e5e5f54c2045d620e5cce5979bf7f37b45c613e6d948719c0b8e466df5d8908706133ce4c4b71a11b804417831c9dbaf72b6854231ea17
-
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]
Filesize138KB
MD50b3b2dff5503cb032acd11d232a3af55
SHA16efc31c1d67f70cf77c319199ac39f70d5a7fa95
SHA256ef878461a149024f3065121ff4e165731ecabef1b94b0b3ed2eda010ad39202b
SHA512484014d65875e706f7e5e5f54c2045d620e5cce5979bf7f37b45c613e6d948719c0b8e466df5d8908706133ce4c4b71a11b804417831c9dbaf72b6854231ea17
-
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]
Filesize246KB
MD59254ca1da9ff8ad492ca5fa06ca181c6
SHA170fa62e6232eae52467d29cf1c1dacb8a7aeab90
SHA25630676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6
SHA512a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a
-
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]
Filesize246KB
MD59254ca1da9ff8ad492ca5fa06ca181c6
SHA170fa62e6232eae52467d29cf1c1dacb8a7aeab90
SHA25630676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6
SHA512a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a
-
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\@[email protected]
Filesize933B
MD5f97d2e6f8d820dbd3b66f21137de4f09
SHA1596799b75b5d60aa9cd45646f68e9c0bd06df252
SHA2560e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a
SHA512efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0
-
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\@[email protected]
Filesize240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize
651KB
MD5a90eabed2ccdbc2ab5866246244f03bf
SHA16a81a1e542510029c0ebb42346c86ee6d48d835e
SHA256678249ce1b9a5e78021a9ca6d2175d25088e11f6a337869edf28b9d1ec18a282
SHA512dde005a834c7ed5e68d4ed8a07895221e3115e2260f98312b85d236c6130b7006a69ba5c76eb07be51455d79392ae3f4c77556aa9228aa20b05ef69c04f6256e
-
Filesize
5.2MB
MD5fe6369e837eac69a563a92dbd38a233b
SHA1973fee53ac01904f2b6768600dde2394a13074ae
SHA256f682956f8b9c979cc43f16be748b1006f588f8147e8fde5c8c016f51a559d94f
SHA512ea489939c790e1e4e1fd8d5f8a30d454b15cdfd4bbe911a505e258850517bfd1e588371ac4237bc21d61573fd237957fb669f9de9873c9689e9bd7da9e407e3e
-
Filesize
813KB
MD53e55a7335e8c5f58097f2d85f8d02b78
SHA146e92ea713fe9198417ac5ba2035cc4cd0db17b9
SHA2561e0ea5ea2238b9ca57096f6315eac497ddafd1253d4ac67153c22f95b353ea13
SHA512 16b4501df3b203a98465ce795f7c6f815a83934fe9e300d942682088d5f3fbb6b4235c99da33e8dc3c5115bb4678699ff7b74e8d65fcdbbc8a40701efeaabec0
-
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
Filesize 53KB
MD5 87ccd6f4ec0e6b706d65550f90b0e3c7
SHA1 213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256 e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512 a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
Filesize 53KB
MD5 87ccd6f4ec0e6b706d65550f90b0e3c7
SHA1 213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256 e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512 a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
Filesize 3.4MB
MD5 84c82835a5d21bbcf75a61706d8ab549
SHA1 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
Filesize 3.4MB
MD5 84c82835a5d21bbcf75a61706d8ab549
SHA1 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
Filesize 646KB
MD5 ed155a6700b5b0450a4c8c0e4687058d
SHA1 bf63593d780750a004e0499674c32caea4664ecb
SHA256 4e4c47acede520c34a6a22c51fd001203ce7d24480db95e16b4140f0dade282f
SHA512 17031d7e704c077ccbfa4751dec3d07ffa9f68c7af6b72e1cb61d6f92c3baa43a10562ee2522193d207b224e903acc4ea0f49d13d2038007d2185cc759594e7d
-
Filesize 261KB
MD5 7d80230df68ccba871815d68f016c282
SHA1 e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256 f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA512 64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
-
Filesize 261KB
MD5 7d80230df68ccba871815d68f016c282
SHA1 e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256 f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA512 64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
-
Filesize 816KB
MD5 cc3e3d1461cf402a39b2b880bfa630d0
SHA1 703754d4ff6e766cdbd8955f8b22636251d0af99
SHA256 46d13456de28806afde62b8a5ce301d91eb16e995a8a7decbd413fef3d95e40c
SHA512 3f36541473d0e3362b3ea356705300a35b0cb69971ec90091d37830cbce2a66b9d8152eb55ee8f529d60af21e88abe7e2ea2eefe74ad38634f11eca0d77be897
-
Filesize 782KB
MD5 e7701099913f0e042ea486dd7250a1f1
SHA1 8b5a98c8494a4d4a4b1a8e49f4d11c550123022d
SHA256 412b514563d47d6260ac397d847de147c8797082c86876f388d863ae5162e568
SHA512 346f4e3c0dccc411fb26693e9ed1eaf4d8941089720bbbf6e4a81e859789ebe76557ce85adf9e898b2b329ef0d40f7d79f714488f9e785e2df39a6e59a76f98c
-
Filesize 637KB
MD5 a223ef8ce5a9a0584c1cbd57970af530
SHA1 28f437f1ac3159778ae513aea23684486f54305b
SHA256 5f156b072ef1b4620eb8ff13aa57c49fe4245fa20c4487cd1e37ddc96f2eb846
SHA512 208db885df2746765a1b14975cfce33dfab25d0e97ae79fb38ad3ef98550dddc46523146919cfeb0024cccf86f01cf66d01a3f9ebf8fa6786dfd837b357ead08
-
Filesize 185KB
MD5 53bce98811b82b0e8303e457c00182d1
SHA1 91d7ec2e5660c46ffe6e876e0300f0eae03fdc6c
SHA256 07b9acbc9b6a4575de3658049ffeebe759965eca3603a517ba52a0d32a726974
SHA512 14811207b7714d04c1fc16d8b81e9cb58a873c90ecfd9bf339b29b15695529d82a2917d10e9e5ff7e21cf9dc1926152658f46645355f682e2e00d043e815f008
-
Filesize 238KB
MD5 fda81a737103807ad90ffcc7cb4b7a4a
SHA1 3297a7ae3f4ebf93f542183e4fc7dddd7718373c
SHA256 67e1d3fa79440f56daf566502b64de236ac98b507c835cb72a073cdeeeb0f73b
SHA512 d075ea885cda14b7988bf37a05e4f210a4cf75966f1fca59b75064fc0fe43def12e8a27e192c2282f51dd9360868d1c7744f5ea70297ba95ba633c6a3cbc27a4
-
Filesize 206KB
MD5 d21c94f93d89b251b867e1eacfa1123a
SHA1 426de861fb0f4597e38c012b29d7d61f4be6c03b
SHA256 76f91dcde9e03fbef23508ef64fda9c54b63dea5d155222d96dce36e51ab18d3
SHA512 be62d7a4e8d20620b6534622a4317be83af4f9b676948c0914dd95e8925dd60b2414ed9d144048b908f06a1b3aa84655ab3a4a37df31ad868fe026805418c238
-
Filesize 427KB
MD5 0e1c43cbe49826e1b658df09b040568f
SHA1 75aec9d9212e42d1992dfea60d7fd5c5f77bda82
SHA256 447dfb75a6b3089dbd36c52df466e7c4880a6f5ebb62f1f3cf617764c476e583
SHA512 b9315a6b3b8f859c04c930fe00df015b103fabe715fc86ee8ab53f12d256a924b20c960e33eba9028e7b44dc398cab5c6b3cd7dee6a6d4054c1d96d7f7f27bfd
-
Filesize 824KB
MD5 f0a75161c3f502d542c06744a065c3d2
SHA1 2896f33a33405f832c29a586f27c6275c14dbfa6
SHA256 cc95fc60decb56cdd500b9c62ef0a5c7d114500d5773d9dee6dabeb8b7855417
SHA512 ace3f2d4b5fab95a08f012158bf0d98e7a68733d344aaf45aeb7c81bdd1aa347fee456810b548a88d18a96f59d885923143a471a371dcdbbafa5fff524049ee2
-
Filesize 4KB
MD5 9af98ac11e0ef05c4c1b9f50e0764888
SHA1 0b15f3f188a4d2e6daec528802f291805fad3f58
SHA256 c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62
SHA512 35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1
-
Filesize 315KB
MD5 791568593c7dcf9976527b66362f72c6
SHA1 549c2dca308797a5ee3b488e9bae80b518d2990f
SHA256 79ecb2928f23e937ba5abb0f3d0b9cc6ce975ad51525a2c78ae5a4ba5e75d227
SHA512 5b710c2b7cd9446a5c2d508c3718e3227cf19b98989513ad053f8222448daf00505a47b7e1f43fb3ce213ca0aee63176daaf14fb44f8663004f61cf52244ab29
-
Filesize 776KB
MD5 da4d45730d40d76a3a94b16520ce05fc
SHA1 d430d02ee4f3b535c025faabb2784bce9c439e11
SHA256 837e1a21bb456e8e521b4bb61a64e3f0d65e48371714406806d971f2716bf841
SHA512 0425bb70288c0fabdfde85667761c08fc2d4500cd519827b3f9fbd7c257dccc6cb317aaede8536c28e3390fc4cdf61dbc9a729b7e781355bed0c1f2c46406e45
-
Filesize 640KB
MD5 f48ace0cb224d5c92fe79d1d892ede3d
SHA1 3d22c4ff7f5df863891e07395ec9d72613160aef
SHA256 409b2bbaa0c8eaa0c2ec47a3825566f479d6c9a3bc199f93b7fdf1ea97e14e07
SHA512 b6e29da74e52ee08140894b0c982e8aa00a401f1eef44bc0ecc011d2686c241f7c3cfb6d9e9d05cb12be0a8b241cffc6e68c98f693b811ccd82a084401b9265f
-
Filesize 239KB
MD5 9014d5ea58dc4bdb1bcbc7334eafc48a
SHA1 4107ffdc026d54868523b4e5fcb3e19ad69d63de
SHA256 5ee1b24086a05168fd0a026109988e759e4702194a3bc58d5958d7b23ed4297d
SHA512 dbe8831fb42b6d81a633fe472218ca68e3881c2d7698f297e1ecacf382f7bab484a41fbb1f338d79133d278cf901cbcfd0218323506bf67c0fe63de8f8c972f5
-
Filesize 37KB
MD5 35c2f97eea8819b1caebd23fee732d8f
SHA1 e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
Filesize 816KB
MD5 8a58167ba01afbe36d08709da532f969
SHA1 65638cbcf4ade8290539951f532229336ef43bd0
SHA256 b1dc8c7fd77008132cf960d1e32a3fc94b104fe233022f5f91267fa8e7850043
SHA512 f3cdb5682c37c8b0e8c4a78c90f05ba9b53f582534a40cab745dfdc10b70854af9e146217701e496db69b759fb681023701fea1d933375f0ba1194a02a4f1bc9
-
Filesize 657KB
MD5 1ce6af49b1a990278cf7b8f3f6cb6be6
SHA1 e57db922bc2cfeabc7d67a0adf52e29ebc5fe7e9
SHA256 45dc5868526830e01e4e746f6000bbdc94316c3d9679c838a1e6de7c5146e4c8
SHA512 8f8b09d079651623aef74d65f3eb9403f493fca71713fb1457c0a06d3351ce12ae5c96585b95e7a74ec6c9c5cbd63722fe75bf3572ab701ecd06a410e166aeee
-
Filesize 4KB
MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998
-
Filesize 208KB
MD5 143bee1c08224d6e2eda976273eb3a29
SHA1 acf781342f5122f5fd9a09f84f63155e145e7984
SHA256 f16cfc74f6c4be0bfdb0aade4359e7cf19f5c273edd43fae470333f459fef911
SHA512 25a49f69ac9e86d152d8843b3eab76e805221a612ae9dcc448ccd323e646b31c59144696b30dd939448475a79439e2a3671b214f40683fb039407f142fed0606
-
Filesize 188KB
MD5 0f62c57fb8457b4be6602ac5eb9c5671
SHA1 0ef8b1ef83958061036eb3b5fd5980eb85684c14
SHA256 14db2c57577c00cd5057dd35ab4f186686ebbee8bc6cea11adb91b7e15f98750
SHA512 4964e99c9a5bdcddd8f91126629de49fad0892238699f33252e7390f75b0adceb3795fdc5c5185fefe530b2109c5f6f872c14f64467d8750ce033b9c5e5e3671
-
Filesize 230KB
MD5 a98b1613b7e4188e3fd1af3dfecbacad
SHA1 e203191625e2ccc8f9cc24753057d880f5aabdcf
SHA256 c5fdb306156c1902f97e81d3b540ac50b3885da38cd6fc68704be25cfdfa5cce
SHA512 a70814d88b05caa5fdef281265d1e18a3039cf4a0c2c373e649178c30fd1b7b7c29731acc8489986a256f9ac68ee4a2f14b97a2190efe94640f978ecbd116f0a
-
Filesize 323KB
MD5 f3dc72ef094e0b218422636bf97f33f0
SHA1 b0cb4d4f6a346d679348d00e9ef4337a590db9aa
SHA256 ce4769fdff89f43e7f4d8d14233ada3379d5db1b51c326c0a9bed6530abcc069
SHA512 338652df85fbe38a1872bd25702958b4ef99ee27a90b5c7b50622cab25554aa35f16e7d80e940809a5dd641a7f83b7c8700f19d9b1cdbf7a091b3a384161e404