Analysis
-
max time kernel
314s -
max time network
320s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28-02-2024 10:51
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Endermanch/MalwareDatabase
Resource
win10v2004-20240226-en
Errors
General
-
Target
https://github.com/Endermanch/MalwareDatabase
Malware Config
Extracted
C:\Users\Admin\Desktop\@[email protected]
wannacry
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Wannacry
WannaCry is a ransomware cryptoworm.
-
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF626.tmp [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDF64D.tmp [email protected] -
Executes dropped EXE 10 IoCs
pid Process 3016 taskdl.exe 4460 BC09.tmp 2240 system.exe 796 @[email protected] 4916 @[email protected] 5092 taskhsvc.exe 3100 taskse.exe 1880 @[email protected] 4608 taskdl.exe 624 taskhsvc.exe -
Loads dropped DLL 9 IoCs
pid Process 3268 rundll32.exe 5092 taskhsvc.exe 5092 taskhsvc.exe 5092 taskhsvc.exe 5092 taskhsvc.exe 5092 taskhsvc.exe 5092 taskhsvc.exe 5092 taskhsvc.exe 5092 taskhsvc.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3476 icacls.exe -
resource yara_rule behavioral1/memory/3108-1572-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/3108-1573-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/3108-1660-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/3108-1663-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/3108-1667-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/3108-3305-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/3108-3396-0x0000000000400000-0x00000000005DE000-memory.dmp upx -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eexnwotxq447 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\"" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" [email protected] -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 202 raw.githubusercontent.com 24 camo.githubusercontent.com 201 raw.githubusercontent.com -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\infpub.dat [email protected] File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe File opened for modification C:\Windows\BC09.tmp rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1964 796 WerFault.exe 208 -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 692 schtasks.exe 3620 schtasks.exe 3468 SCHTASKS.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "109" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe -
Modifies registry class 8 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children msedge.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage msedge.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe msedge.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children msedge.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{946FE2F2-AA80-47D0-8EE4-6C75CF490BBA} msedge.exe Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949 msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe" msedge.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 1884 reg.exe -
Suspicious behavior: EnumeratesProcesses 43 IoCs
pid Process 1744 msedge.exe 1744 msedge.exe 4788 msedge.exe 4788 msedge.exe 2300 identity_helper.exe 2300 identity_helper.exe 3240 msedge.exe 668 msedge.exe 668 msedge.exe 1488 msedge.exe 1488 msedge.exe 3016 msedge.exe 3016 msedge.exe 3496 msedge.exe 3496 msedge.exe 3496 msedge.exe 3496 msedge.exe 1500 msedge.exe 1500 msedge.exe 4140 msedge.exe 4140 msedge.exe 3876 msedge.exe 3876 msedge.exe 3268 rundll32.exe 3268 rundll32.exe 3268 rundll32.exe 3268 rundll32.exe 3108 [email protected] 3108 [email protected] 3108 [email protected] 3108 [email protected] 4460 BC09.tmp 4460 BC09.tmp 4460 BC09.tmp 4460 BC09.tmp 4460 BC09.tmp 4460 BC09.tmp 5092 taskhsvc.exe 5092 taskhsvc.exe 5092 taskhsvc.exe 5092 taskhsvc.exe 5092 taskhsvc.exe 5092 taskhsvc.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
pid Process 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 2004 Fantom.exe Token: SeShutdownPrivilege 3268 rundll32.exe Token: SeDebugPrivilege 3268 rundll32.exe Token: SeTcbPrivilege 3268 rundll32.exe Token: SeDebugPrivilege 4460 BC09.tmp Token: SeShutdownPrivilege 4996 shutdown.exe Token: SeRemoteShutdownPrivilege 4996 shutdown.exe Token: SeTcbPrivilege 3100 taskse.exe Token: SeTcbPrivilege 3100 taskse.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe 4788 msedge.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 796 @[email protected] 796 @[email protected] 4916 @[email protected] 4916 @[email protected] 1880 @[email protected] 1880 @[email protected] 536 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4788 wrote to memory of 4488 4788 msedge.exe 87 PID 4788 wrote to memory of 4488 4788 msedge.exe 87 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 3320 4788 msedge.exe 89 PID 4788 wrote to memory of 1744 4788 msedge.exe 90 PID 4788 wrote to memory of 1744 4788 msedge.exe 90 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 PID 4788 wrote to memory of 2964 4788 msedge.exe 91 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 4736 attrib.exe 4484 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8196946f8,0x7ff819694708,0x7ff8196947182⤵PID:4488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:22⤵PID:3320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:82⤵PID:2964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵PID:4100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:12⤵PID:2940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:82⤵PID:3904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:12⤵PID:3296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:12⤵PID:3816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:1236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵PID:1192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:12⤵PID:1388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:12⤵PID:2492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵PID:3240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1780 /prefetch:12⤵PID:5020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:12⤵PID:2036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:12⤵PID:4848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵PID:4708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6148 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6208 /prefetch:82⤵PID:5076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6320 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6992 /prefetch:82⤵PID:3304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:12⤵PID:3264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1308 /prefetch:12⤵PID:8
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6884 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:12⤵PID:4616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6916 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:12⤵PID:4456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6948 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:12⤵PID:1720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,15052533320566780205,6558173332740572962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3876
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4244
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3408
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1076
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:828
-
C:\Users\Admin\Desktop\Fantom.exe"C:\Users\Admin\Desktop\Fantom.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
C:\Users\Admin\Desktop\[email protected]"C:\Users\Admin\Desktop\[email protected]"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:4476 -
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:3476
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
PID:4736
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3016
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 220111709117809.bat2⤵PID:2988
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵PID:1992
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- Views/modifies file attributes
PID:4484
-
-
C:\Users\Admin\Desktop\@[email protected]PID:796
-
C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5092
-
-
C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
PID:624
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 5203⤵
- Program crash
PID:1964
-
-
-
C:\Windows\SysWOW64\cmd.exePID:5076
-
C:\Users\Admin\Desktop\@[email protected]PID:4916
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵PID:4128
-
-
-
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
-
C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1880
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "eexnwotxq447" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f2⤵PID:3828
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "eexnwotxq447" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- Modifies registry key
PID:1884
-
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4608
-
-
C:\Users\Admin\Desktop\[email protected]PID:4320
-
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵PID:2252
-
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
PID:3468
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵PID:2464
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵PID:1392
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵PID:2300
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
PID:4752
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵PID:2808
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵PID:1144
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵PID:4928
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵PID:404
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵PID:3240
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
PID:4904
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵PID:1048
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
PID:4940
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵PID:4452
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵PID:3300
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f3⤵PID:628
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4996
-
-
-
-
C:\Users\Admin\Desktop\[email protected]"C:\Users\Admin\Desktop\[email protected]"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3108
-
C:\Users\Admin\Desktop\[email protected]PID:1040
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵PID:4496
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:3468
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2511806965 && exit"3⤵PID:216
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2511806965 && exit"4⤵
- Creates scheduled task(s)
PID:692
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:14:003⤵PID:4100
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:14:004⤵
- Creates scheduled task(s)
PID:3620
-
-
-
C:\Windows\BC09.tmp"C:\Windows\BC09.tmp" \\.\pipe\{AD1723D5-C50A-4DAD-874A-22A09F55BCBF}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
-
C:\Windows\SysWOW64\cmd.exe/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:3⤵PID:8
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN drogon3⤵PID:2648
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3905055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 796 -ip 7961⤵PID:4764
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5e494d16e4b331d7fc483b3ae3b2e0973
SHA1d13ca61b6404902b716f7b02f0070dec7f36edbf
SHA256a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165
SHA512016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737
-
Filesize
152B
MD50764f5481d3c05f5d391a36463484b49
SHA12c96194f04e768ac9d7134bc242808e4d8aeb149
SHA256cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3
SHA512a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\958f1727-9781-4c5a-b2fb-2777e4b0bb58.tmp
Filesize7KB
MD5d9257674d4154ecde2bce62587aeb4f9
SHA198fee9cc621c735213efe2f3d561dc65bed5f135
SHA25646e67504ac90a21edcdad601ea52f4ac66f66fc3d1be2d4deeafdf626a0507c3
SHA51218ba1f3a38be0a693a7d6d8a91ea350d5ad226392813e12e8b9b7dad01dcd0f74128cce45e2167a410d0aae955e7a884119f705bfd06c4ad5f44797c44c3815d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5bb6c12daffd857871edc9cf065dcb671
SHA1f043754037ddf3ac97050620b21364a5cd2a36ba
SHA256aa2eddfbe34e7acecaf5181cd3ad668e8bbee3613d0375f9eea8398b76119cdd
SHA512e5581698c75231da7cee2132b6ea37e02c669eb438515ec872621104e4e97381441e525cc555688369d6e74778cd5ef711672aab4d099e7e2d50029bdefc5b5b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize5KB
MD5b743b3a73327ddcb15c734e3283d309c
SHA1fd9cefd36be99ecff6c03f7b47329d5d65c745c6
SHA256c18284a717bff5b86c6c8462370949b1fd2582fa431bcee9992b1e9b9005dff4
SHA512bf1d2bf3a3929cc0826fc0dada6b6605d07e63a3d360f922d0f3feab45581184b0a9e9e70fcefcfa0bf9559db6c7bdceb1bbb8b887a6d340a3d2de7e0c3f4c29
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old
Filesize389B
MD5507dd4e0087254adc25cc81365d9fe17
SHA1d7a839af5b679deadbf340f04c83d8310279bbfd
SHA25683f1d1f0c5dc8c5e2b0f30d8e0b295f94c058ce3890115e04878df6534928923
SHA512f0504119e720f2eaec909e8f70279a52103cf5cbe4a4d4543d66884d0bcb6d9688669bae5a4c4d98cf4d5aabe1c0ed0203aec680957305d4bac08f4f67e42a96
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old~RFe590110.TMP
Filesize349B
MD574000a1ad795af3d8048f1578ab6a2a0
SHA154e83b560c6f2081d9f8d0ac02f920a98cce6055
SHA256f0456d02b85ae32a6bbee9ef9948ce7a4614b853f159c9249629ce7567a9586d
SHA512906f42a5c512acf0399058075b3d2ef88c41c8c6a46be91329282877280aae88a5f0d2e9b34da1a447e82a5e9bc4b18e3cb825e60497c26719ee20c6ff456cc0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
2KB
MD552d54d15960d901e1aea4a65c086ffb2
SHA11d2284fc35ce06d946a1252a4dbe84156f4410b3
SHA2562bf81501f1ac0aa163379514e8c53c055504cedc1488b8eeacd01ee6fa8090a6
SHA512e5b32c556ac494ef514772f5fc647bec3bcf58389c0e3b1867d3c3e31fd51c9e7905b428e4815267dfdcb09f55f0e320dec7ae902bb56a20c7deff0a1319fa6a
-
Filesize
2KB
MD5209726754dcc88937bd5a11e8d4da329
SHA1a1de80d44ae9683b1040e538b5230b5c94957e6a
SHA256ea2ec055a0a4eec3b48a652d41d1d6bd019fd86e73d846d9c500479a3d5e54be
SHA5127e1a6e515fea4e9a1bf1b25310bf012d637b1afa09701bb06c1d36ef0169b4e8feb31691106b288c1b886193db020da8174ef97b4b01341b54c8982a44b470d5
-
Filesize
1KB
MD558b84a3427651db1d76a3f5e5f4a40fa
SHA15ffc557d735181fd7d9b6163e1b43ad07597121c
SHA256c0e79a1d673ca51b78321e4ec971789628d90698ec5d58b6462bb47c298a1a60
SHA512be9ae0fffd2e25c4358e3418bd474bb986999c3c98624ecb282acfabfd224919238dd507e8120b6bc0f5a3f454f9b108d440d0147ea1d605e65fd7a8ee538270
-
Filesize
6KB
MD59b4010dcc67cbd995e7a32a5b062cb09
SHA15b33d1e81cd61277ea78aa6f84428b2735c76fb2
SHA256d05bd8ace6fe5bdda4e072793914966769bc02dbd32956b4e9d9bd44b31eecb0
SHA51213f2e7b5eab49b329a34a341371f0644582cbab26fef85df34f89a8514db7d7b14b485d22a5483ec523a4932abcb2458fa198241f434671f5afcc8f8ebb82b71
-
Filesize
6KB
MD5a9aafa4bdbb1f29816b0ed09a0176b2a
SHA121e614ad88517ed7d0b19d76ee2febab5c613098
SHA2564092d28f404db3a6461d31904589777d2868848ae5256268abfe85a3ec2612fe
SHA5122e193fa34617871717580d0c6330ea54934c67acb9ebabe77a1395b35d70cdd63d80538af35381e6f1071b889890c16b018747c8b01a18438b6e2ac19ccd3cf6
-
Filesize
7KB
MD508bcc8e045b593d97bdee1ff5cfe0394
SHA1f560e6bb893d27556be251d54a3a7404eeaef471
SHA256295b48149e05489de72dda9f8713e23b6502f0646054bb0dcd72925fcee7e17f
SHA512c1b99b80b6cff34e28f4b2a4c6f87ebfe273052cd71d53908fb970d6481c6c12b5e1cc714021431547690216f260c0ab4f732d16d739f9ea3fb5571b5b3d6ee0
-
Filesize
6KB
MD5a895a29a72d661bd8afb958953e8556a
SHA15ea50542e46cd88c7075114e1bb2c835f5a5e389
SHA256b603df9c2a139d624e4d572651abcd593c018353964f221a0ded0a640878efaf
SHA5129a9eb63957b6d2d2d0ba694c324cbd51bcacf8ce7a3de60d7653d0b1d9b53ba8bd0b1b6094a136c43b9639e8eb53cf13ca79a14c0d748fddc3d387de5de4b66d
-
Filesize
2KB
MD5904023ac64cb4de8289f5b0753b186f3
SHA1b8f2c3e98ce21ce0293a1afd5466cb475da96787
SHA2562cbd03fd37db7817ff4c5bd7f454d30fae6a113562f840a5c1c8440508b35396
SHA512dabbb8e3be8e5a3b42ac3096a3f3a5d8d51887db6bcbc8feecbe8a6f02ccf93b761d323859abab2963eedaacf22e431cbe8272a9fa3c3a1c9b11e937bf9d03a2
-
Filesize
2KB
MD5e2e9947d116c041850184c566563558b
SHA1c7d811fe3834060f4f713b6a9cb23c1127eb66ff
SHA256972ddedf3097b4a0f9ebd9aa19ed22c450bc42e64de1883da3211aab9f08b94b
SHA51290c3ff635cd85df1981e726ca4014c5449bd2d60f9372d1c53d626c0d859a51b5f138ca630e801c1e6a5889232239a706bacd1dab89aee774eafc31a09f890ef
-
Filesize
2KB
MD5ba92d5123f0a04f8051fcb13f337f444
SHA1f0032b5b22d48e8c94ed54e5cdf00e2080b55516
SHA2561462f427553795ae9605084027ec4c93e423b9c432ed7cbe4a536a313975e4c8
SHA512b97ba88e271d2c2c910b4fca33b3983430a1b58eb58789c0f97bb094cf0e5f8ba5c110b92dfc98bd455967ee1bbb4c2a4f9c4622441376aeb0182a716482930e
-
Filesize
4KB
MD5ab77045276b0e978af0d20e37bdda89e
SHA128a59ecc0096b5c01d78ad87c22f6ccd90c9ba87
SHA25646891117c4333625f1db9e04eec961c86a7517b550b44a9dc9ad7406cd517566
SHA5121936e740f6a55ea71560328e0ad0f39d4a8d2573e2f9cb4c3441f7575c4f9b0dc64add611191ce22117784ebaf1f97dc281f8a86adcf251d135aa97348995fbb
-
Filesize
4KB
MD516f70bfd8dfd5ddbf0dfcfac5a44d863
SHA1d447985263b609945f4967eaf8e4d386b5ab2ffc
SHA256bfad25040b9174e8f7272a869a7c388cd10be040472748540c82ecb9b92cf7ab
SHA5125ba12a622fcf2435cb806c8cb0333bf03c856c7bca54659ebfe0d92a0f3049af3253eafc2030dc1d6335446a0ba7a6d32a9208adb2bdfa0734e335a766d4661d
-
Filesize
4KB
MD5d10023c4b3d6a31e3adade78b261ded2
SHA1f27dafb5bf78dd3e43fcdcfe300daebcec01bc42
SHA256bc0190ad54e2d72eeaf961f32e09e99bf4e45b3c875de29dbcb9c181ae20e830
SHA51292c28c4529c416cd960d8ab3c8524ccd731601f4f84d27d77b0f9f4e21accfef9055ef9402089bc675cb580ebe0d729efcc0a346e1a649849efac0558c062f48
-
Filesize
4KB
MD56487c1d4ab0643da108c8742c1a0ddef
SHA17ccbf432bc57bad58d780121541141641736a725
SHA256cd2f584de7d765776274ad331f6d3c9924065a4e490073ad49ddd49fbf5d8eca
SHA5120f2fbb4f27888785cdf58a2c02b029837a5f925794a892057606869323eeafe091aafa688c2ebf0148ea7659430cc2262a375ad1da3e73bfb6ae60b88fc18af4
-
Filesize
4KB
MD55bb495d36dd923930e0f81d5681cfa10
SHA14130331de79444c87de273b0114042947af53b1e
SHA256010919195fe1a24c0135671249caa205ed31ea07d8f26987485d809ff6c48377
SHA51274ee73851cb0a148b23929253b1d24e78835a18b19b11f426045913d784aac411e4dedc29e0e74eb1283ba77e5c62be874823e4847db04b62b546bd8babc3f83
-
Filesize
4KB
MD54580eb524fd1891972948c18b0fc9e50
SHA184744a641c4a10a1057738b2f6b4364a34599754
SHA2569e07163119f67cc5e4062ee427fb983c642a6d2c657c432dc58b1424bc10e125
SHA512838097ae2ab7c00fadefbef67f7c9f0b0164adc5a3ec194308856f98d492c7c55cebf900a270a5eb575717fba005c8cdd6a2a60e3a6f6e1d4ab871650003aec0
-
Filesize
2KB
MD57384c679b83e029aef513d2dfa539bc9
SHA132470e107d6deca7e376c3e6b62ab6cb36416a20
SHA2567a3f7db2ca282c956b17771b5e4128b605955eb71462ee7d5751059dbd8c9940
SHA5123d1dc2318c123404c5b3536b708b9e6a7f3fffa9035983dbc42125b3b9880192879cfbc65ea5c58e3cdacec788d08cd0279032ea3c916a9fa359ccc6028edeb4
-
Filesize
4KB
MD58b0434dd48b54db2beb076fa673b57ac
SHA1b2a1b9e8c8522e2fd3ef960a5c7035651d383c9c
SHA2560dc19efc4b9694574f619c6b6ef694436604d877fe600456403446cf2dde4e7a
SHA51234b2812289adb04016ab95fd4d6595fa1be328708d3990508f080242cf58263fe24d3cc09f03d7d3cb803151a0a9f45aee19f38d1d7f8e459c8f18ae5a04095f
-
Filesize
4KB
MD5040ce58b8a48d3200db6977b50a6863c
SHA1efabacecf2ecf5eec1c7d7cbe1c5f2575c89b5da
SHA256d5bbb284505b97f564a4e45be2d4392496e4a17722de833cf651e0176c16695d
SHA512bd0765b9bf9541b331df85b02ed132e34b6ac54281f6fb405849445f1d43bd5de02c3e387cd9359cb7bb54188faa773fc22f0c472da8a7f978fb23ae8adfa194
-
Filesize
2KB
MD558999d0c97e9c3e5f525b7d6318d3432
SHA187728d595398d3c5891524af2045aaaf99e98007
SHA256349dcd6705f4d5040855164dd916ed5fa672364c2f184caf5b015d59a8d704ca
SHA5126724a88b1b60628b137e6284ac554a583a90c36feb25171f422d33c60f0a6a23d3717dfa5ddcbbb2758b497754b53207620d9108ea118017e58d0ba3389bfff2
-
Filesize
2KB
MD544844df5c605ef59df83bbe808cfbb93
SHA18dbb0e783e2896cf490bc0813c91aa5c52332be1
SHA25623df1841e561d176ef901a446313e7fed069cb1ffadb7299573f3616b561531c
SHA512ebfa9e6eadba8c0a5cea666fceb4dee0357d84a1e8089362e799c5475664e94b227c67126e703ae66da63fef32cda39abbcbe9253ecf29e39616f34f00592cda
-
Filesize
1KB
MD564d667204c02e36f49b6012f3999eb00
SHA1452d19f7934a654848c3a88451b70e44b4165dcc
SHA256bdc4b35ee2cfa8364e0adbd8c809068f9d8414e5a57150eac7b87037fb9a653f
SHA512389f4efc6741ba5c28736da6fb7044e63415e3c8ff988fb9c64bcda2008c914f21996faac5fa5a3e2289b3b7668550f9a050719cd0f3d83084f3646f3cfa6417
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD584abb81ec282cbd800c7d9f3e8bb4bb4
SHA19ac7f3382508184e3423a655160d01f159a13cb1
SHA256876b8567f6bb3a719b338e31a56c7f25308d71829e78f6f05c1e1afb8d53c5ac
SHA51236117186fabcef4674c67ad293692b64d0d8695e51682be6202e0860aab8311a4d056968a5a0a5dab77972948496e3f69463d91536b63ad116d9c8d69b549aa8
-
Filesize
12KB
MD5ec215a04197b40c9be0dec6070e6ea7d
SHA17ccb9129f6e1b3e227470459a4b409b2db900d3b
SHA25663e8735ba58cbe94b5c39ac2f85dd78f8d362298c9e9c50c09eca97d608a3488
SHA5120d0e7da86047601a68744ec4bf2f08d8b1e482e8c787958a9761eed1a9b4ae4e58b72f795aaa4099ee0bbdd3e53be7d065e6c77612c060775f0dec7fdbd88c98
-
Filesize
12KB
MD590aa51d39d92283d6e9ad4a532594af2
SHA10f1ad1a853de58aced5960e7beac9fa8fdf0a443
SHA256f68f4426b1e4015205aeb3ee7ee41455f03efe2dbc6ca7419a15a1ea2bda764c
SHA512069f7899bb201a8c8ef41aaf725753fef461b77353a7d701c9d0db08ac45aaf204d5fd1dd9036ce8975c3fc270e74c46e913675baf943181571d47b9219234a3
-
Filesize
11KB
MD503670682d82dc7644aa36aa09e31b46b
SHA1b9c438c167d8696370b98577d2493ed08f6d5edf
SHA256cab6b347feca4d554a13957e821e49109cc60fdef9bfeb22a1831a56a6acb4d8
SHA512223b998cac6c767300ba39f416050d083c734df5fe28abe684f299d0ce51ca7f5930735bc3a3e420ab3c65b6a193b2da3296010416e9108be9ac6393597a65b0
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\Desktop\@[email protected]
Filesize933B
MD5f97d2e6f8d820dbd3b66f21137de4f09
SHA1596799b75b5d60aa9cd45646f68e9c0bd06df252
SHA2560e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a
SHA512efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0
-
Filesize
3.0MB
MD5fe7eb54691ad6e6af77f8a9a0b6de26d
SHA153912d33bec3375153b7e4e68b78d66dab62671a
SHA256e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA5128ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f
-
Filesize
1.4MB
MD5c17170262312f3be7027bc2ca825bf0c
SHA1f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
-
Filesize
780B
MD5383a85eab6ecda319bfddd82416fc6c2
SHA12a9324e1d02c3e41582bf5370043d8afeb02ba6f
SHA256079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21
SHA512c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252
-
Filesize
46KB
MD595673b0f968c0f55b32204361940d184
SHA181e427d15a1a826b93e91c3d2fa65221c8ca9cff
SHA25640b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
SHA5127601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92
-
Filesize
53KB
MD50252d45ca21c8e43c9742285c48e91ad
SHA15c14551d2736eef3a1c1970cc492206e531703c1
SHA256845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
SHA5121bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755
-
Filesize
77KB
MD52efc3690d67cd073a9406a25005f7cea
SHA152c07f98870eabace6ec370b7eb562751e8067e9
SHA2565c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a
SHA5120766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c
-
Filesize
38KB
MD517194003fa70ce477326ce2f6deeb270
SHA1e325988f68d327743926ea317abb9882f347fa73
SHA2563f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
SHA512dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c
-
Filesize
39KB
MD5537efeecdfa94cc421e58fd82a58ba9e
SHA13609456e16bc16ba447979f3aa69221290ec17d0
SHA2565afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
SHA512e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b
-
Filesize
36KB
MD52c5a3b81d5c4715b7bea01033367fcb5
SHA1b548b45da8463e17199daafd34c23591f94e82cd
SHA256a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6
SHA512490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3
-
Filesize
36KB
MD57a8d499407c6a647c03c4471a67eaad7
SHA1d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
SHA2562c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c
SHA512608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12
-
Filesize
36KB
MD5fe68c2dc0d2419b38f44d83f2fcf232e
SHA16c6e49949957215aa2f3dfb72207d249adf36283
SHA25626fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5
SHA512941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810
-
Filesize
36KB
MD508b9e69b57e4c9b966664f8e1c27ab09
SHA12da1025bbbfb3cd308070765fc0893a48e5a85fa
SHA256d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324
SHA512966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4
-
Filesize
37KB
MD535c2f97eea8819b1caebd23fee732d8f
SHA1e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA2561adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
Filesize
37KB
MD54e57113a6bf6b88fdd32782a4a381274
SHA10fccbc91f0f94453d91670c6794f71348711061d
SHA2569bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA5124f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9
-
Filesize
36KB
MD53d59bbb5553fe03a89f817819540f469
SHA126781d4b06ff704800b463d0f1fca3afd923a9fe
SHA2562adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61
SHA51295719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac
-
Filesize
47KB
MD5fb4e8718fea95bb7479727fde80cb424
SHA11088c7653cba385fe994e9ae34a6595898f20aeb
SHA256e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9
SHA51224db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb
-
Filesize
36KB
MD53788f91c694dfc48e12417ce93356b0f
SHA1eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
SHA25623e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4
SHA512b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd
-
Filesize
36KB
MD530a200f78498990095b36f574b6e8690
SHA1c4b1b3c087bd12b063e98bca464cd05f3f7b7882
SHA25649f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07
SHA512c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511
-
Filesize
79KB
MD5b77e1221f7ecd0b5d696cb66cda1609e
SHA151eb7a254a33d05edf188ded653005dc82de8a46
SHA2567e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e
SHA512f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc
-
Filesize
89KB
MD56735cb43fe44832b061eeb3f5956b099
SHA1d636daf64d524f81367ea92fdafa3726c909bee1
SHA256552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0
SHA51260272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e
-
Filesize
40KB
MD5c33afb4ecc04ee1bcc6975bea49abe40
SHA1fbea4f170507cde02b839527ef50b7ec74b4821f
SHA256a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536
SHA5120d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44
-
Filesize
36KB
MD5ff70cc7c00951084175d12128ce02399
SHA175ad3b1ad4fb14813882d88e952208c648f1fd18
SHA256cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a
SHA512f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19
-
Filesize
38KB
MD5e79d7f2833a9c2e2553c7fe04a1b63f4
SHA13d9f56d2381b8fe16042aa7c4feb1b33f2baebff
SHA256519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e
SHA512e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de
-
Filesize
37KB
MD5fa948f7d8dfb21ceddd6794f2d56b44f
SHA1ca915fbe020caa88dd776d89632d7866f660fc7a
SHA256bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66
SHA5120d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a
-
Filesize
50KB
MD5313e0ececd24f4fa1504118a11bc7986
SHA1e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d
SHA25670c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1
SHA512c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730
-
Filesize
46KB
MD5452615db2336d60af7e2057481e4cab5
SHA1442e31f6556b3d7de6eb85fbac3d2957b7f5eac6
SHA25602932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078
SHA5127613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f
-
Filesize
40KB
MD5c911aba4ab1da6c28cf86338ab2ab6cc
SHA1fee0fd58b8efe76077620d8abc7500dbfef7c5b0
SHA256e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729
SHA5123491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a
-
Filesize
36KB
MD58d61648d34cba8ae9d1e2a219019add1
SHA12091e42fc17a0cc2f235650f7aad87abf8ba22c2
SHA25672f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1
SHA51268489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079
-
Filesize
37KB
MD5c7a19984eb9f37198652eaf2fd1ee25c
SHA106eafed025cf8c4d76966bf382ab0c5e1bd6a0ae
SHA256146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4
SHA51243dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020
-
Filesize
41KB
MD5531ba6b1a5460fc9446946f91cc8c94b
SHA1cc56978681bd546fd82d87926b5d9905c92a5803
SHA2566db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415
SHA512ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9
-
Filesize
91KB
MD58419be28a0dcec3f55823620922b00fa
SHA12e4791f9cdfca8abf345d606f313d22b36c46b92
SHA2561f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8
SHA5128fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386
-
Filesize
864B
MD53e0020fc529b1c2a061016dd2469ba96
SHA1c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade
SHA256402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c
SHA5125ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf
-
C:\Users\Admin\Documents\@[email protected]
Filesize240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize
139KB
MD5c6f3d62c4fb57212172d358231e027bc
SHA111276d7a49093a51f04667975e718bb15bc1289b
SHA256ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c
SHA5120f58acac541e6dece45949f4bee300e5bbb15ff1e60defe6b854ff4fb57579b18718b313bce425999d3f24319cfb3034cd05ebff0ecbd4c55ce42c7f59169b44
-
Filesize
393KB
MD561da9939db42e2c3007ece3f163e2d06
SHA14bd7e9098de61adecc1bdbd1a01490994d1905fb
SHA256ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa
SHA51214d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e
-
Filesize
198KB
MD53500896b86e96031cf27527cb2bbce40
SHA177ad023a9ea211fa01413ecd3033773698168a9c
SHA2567b8e6ac4d63a4d8515200807fbd3a2bd46ac77df64300e5f19508af0d54d2be6
SHA5123aaeeb40471a639619a6022d8cfc308ee5898e7ce0646b36dd21c3946feb3476b51ed8dfdf92e836d77c8e8f7214129c3283ad05c3d868e1027cb8ce8aa01884
-
Filesize
916KB
MD5f315e49d46914e3989a160bbcfc5de85
SHA199654bfeaad090d95deef3a2e9d5d021d2dc5f63
SHA2565cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7
SHA512224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e
-
Filesize
2.7MB
MD5d354445d455d61677847867acb7e2c4a
SHA122737b7ddd6b1975d2f657976be383099aba05b4
SHA2569409db2ecc6db7ba98274848c6052031674db20289f6c6c7f20cfdbd6cf567d5
SHA512ea93876f0bdd233d27a066d59aafea35f84fe409c9684453fcf28015a9b82db102631c456adf215a6b5986d8fe2ffeaad7c98187e49a26658a49b4e0de17f6fc
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113