Resubmissions
submitted | id | score
10-04-2024 19:40 | 240410-ydkgescg9z | 1
10-04-2024 19:27 | 240410-x6ewzace5s | 10
10-04-2024 19:16 | 240410-xzannshb36 | 6
10-04-2024 19:04 | 240410-xq4kdsca2y | 10
10-04-2024 18:56 | 240410-xlmq3sbg4y | 10
10-04-2024 18:54 | 240410-xka1wsbf9s | 7
10-04-2024 18:49 | 240410-xga7gsgd82 | 6
10-04-2024 18:41 | 240410-xbrmaabd2x | 8

Analysis
max time kernel
633s
max time network
635s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags
arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted
10-04-2024 19:27
Static task
static1
Behavioral task
behavioral1
Sample
sample.html
Resource
win11-20240221-en
General
Target
sample.html
Size
467KB
MD5
12b9d6652e7d1689ed510c50c53bd38c
SHA1
013a1cc01a97a97d9b18dfbafcfec91a57e6232a
SHA256
4b1aa26e12d9f06ba494ad2e2223466c8ddc5bc61b5f189630dffea54f3d93ce
SHA512
0ce40b9a4d137d99330f7bc2776734d121d485d3f1e3af23ede4bbebead330c30de2c4568029303259812d591ef7bbc52bd1f16d8912dd5ea006523008346e7c
SSDEEP
6144:DFoiM/iMTiMkiMriM2iMSiMliMziMViMuMt:D2iciiiViQibiRimiIiOiXMt
Malware Config
Extracted
crimsonrat
185.136.161.124
Signatures
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
CrimsonRAT main payload (1 IoCs)
resource | yara_rule
C:\ProgramData\Hdlharas\dlrarhsiva.exe | family_crimsonrat
CrimsonRat
Crimson RAT is malware linked to a threat actor associated with Pakistan.
CryptoLocker
Ransomware family with multiple variants.
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
Processes: wscript.exe, Blackkomet.exe, winupdate.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | Blackkomet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Processes: wscript.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Disables RegEdit via registry modification (1 IoCs)
Processes: wscript.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" | wscript.exe
Disables Task Manager via registry modification
Sets file to hidden (1 TTPs, 14 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe
pid | process
5024 | attrib.exe
3524 | attrib.exe
2448 | attrib.exe
3248 | attrib.exe
4576 | attrib.exe
1420 | attrib.exe
3272 | attrib.exe
1960 | attrib.exe
3564 | attrib.exe
3480 | attrib.exe
1640 | attrib.exe
3512 | attrib.exe
4956 | attrib.exe
4312 | attrib.exe
Executes dropped EXE (11 IoCs)
Processes: {34184A33-0407-212E-3320-09040709E2C2}.exe, winupdate.exe, dlrarhsiva.exe, 8834.tmp, eulascr.exe
pid | process
1020 | {34184A33-0407-212E-3320-09040709E2C2}.exe
5064 | {34184A33-0407-212E-3320-09040709E2C2}.exe
448 | winupdate.exe
2544 | winupdate.exe
4288 | winupdate.exe
2424 | winupdate.exe
864 | winupdate.exe
5040 | winupdate.exe
432 | dlrarhsiva.exe
3500 | 8834.tmp
3912 | eulascr.exe
Loads dropped DLL (10 IoCs)
Processes: MsiExec.exe, rundll32.exe, eulascr.exe
pid | process
200 | MsiExec.exe
200 | MsiExec.exe
200 | MsiExec.exe
200 | MsiExec.exe
200 | MsiExec.exe
200 | MsiExec.exe
200 | MsiExec.exe
200 | MsiExec.exe
3656 | rundll32.exe
3912 | eulascr.exe
Modifies system executable filetype association (2 TTPs, 2 IoCs)
Processes: wscript.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/3912-1217-0x0000000000040000-0x000000000006A000-memory.dmp | agile_net
behavioral1/memory/3912-1225-0x000000001AF20000-0x000000001AF30000-memory.dmp | agile_net
Adds Run key to start application (2 TTPs, 12 IoCs)
Processes: {34184A33-0407-212E-3320-09040709E2C2}.exe, Blackkomet.exe, notepad.exe, winupdate.exe, dlrarhsiva.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" | {34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | Blackkomet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | notepad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | notepad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | notepad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\tbibra_dreb = "C:\\ProgramData\\Hdlharas\\dlrarhsiva.exe" | dlrarhsiva.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, unregmp2.exe
description | ioc | process
File opened (read-only) | 43 entries, in recorded order: \??\A:, \??\P:, \??\V:, \??\N:, \??\V:, \??\Q:, \??\K:, \??\O:, \??\Y:, \??\E:, \??\M:, \??\B:, \??\P:, \??\N:, \??\A:, \??\B:, \??\T:, \??\I:, \??\K:, \??\H:, \??\M:, \??\O:, \??\X:, \??\G:, \??\H:, \??\U:, \??\G:, \??\Z:, \??\R:, \??\R:, \??\E:, \??\L:, \??\J:, \??\Q:, \??\T:, \??\Z:, \??\S:, \??\W:, \??\S:, \??\W:, \??\I:, \??\X:, \??\Y: | msiexec.exe
File opened (read-only) | 21 entries, in recorded order: \??\I:, \??\J:, \??\A:, \??\G:, \??\K:, \??\V:, \??\N:, \??\Y:, \??\L:, \??\O:, \??\Q:, \??\M:, \??\E:, \??\R:, \??\H:, \??\P:, \??\W:, \??\Z:, \??\S:, \??\B:, \??\T: | unregmp2.exe
Drops file in System32 directory (37 IoCs)
Processes: Blackkomet.exe, attrib.exe, winupdate.exe, notepad.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | Blackkomet.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | notepad.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | notepad.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | Blackkomet.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | Blackkomet.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | notepad.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA | Blackkomet.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
Drops file in Program Files directory (16 IoCs)
Processes: wscript.exe
description | ioc | process
File created | C:\Program Files\mrsmajor\reStart.vbs | wscript.exe
File created | C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg | wscript.exe
File created | C:\Program Files\mrsmajor\def_resource\Skullcur.cur | wscript.exe
File created | C:\Program Files\mrsmajor\DreS_X.bat | wscript.exe
File created | C:\Program Files\mrsmajor\Launcher.vbs | wscript.exe
File created | C:\Program Files\mrsmajor\mrsmajorlauncher.vbs | wscript.exe
File created | C:\Program Files\mrsmajor\MrsMjrGui.exe | wscript.exe
File created | C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat | wscript.exe
File created | C:\Program Files\mrsmajor\CPUUsage.vbs | wscript.exe
File created | C:\Program Files\mrsmajor\Doll_patch.xml | wscript.exe
File opened for modification | C:\Program Files\mrsmajor\CPUUsage.vbs | wscript.exe
File created | C:\Program Files\mrsmajor\default.txt | wscript.exe
File created | C:\Program Files\mrsmajor\def_resource\creepysound.mp3 | wscript.exe
File created | C:\Program Files\mrsmajor\def_resource\f11.mp4 | wscript.exe
File created | C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico | wscript.exe
File created | C:\Program Files\mrsmajor\WinLogon.bat | wscript.exe
Drops file in Windows directory (5 IoCs)
Processes: rundll32.exe, BadRabbit.exe
description | ioc | process
File created | C:\Windows\cscc.dat | rundll32.exe
File created | C:\Windows\dispci.exe | rundll32.exe
File opened for modification | C:\Windows\8834.tmp | rundll32.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
3536 | 2156 | WerFault.exe | DanaBot.exe
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
4632 | schtasks.exe
704 | schtasks.exe
Enumerates system info in registry (2 TTPs, 9 IoCs)
Processes: WINWORD.EXE, msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies Control Panel (4 IoCs)
Processes: wscript.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Cursors | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | wscript.exe
Modifies data under HKEY_USERS (15 IoCs)
Processes: LogonUI.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "187" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Modifies registry class (40 IoCs)
Processes: wscript.exe, notepad.exe, msedge.exe, Blackkomet.exe, winupdate.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17 | notepad.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4280069375-290121026-380765049-1000\{6D820CB4-8B3F-4A68-B996-6DF51288D32C} | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Blackkomet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | wscript.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | notepad.exe
Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings | notepad.exe
Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | notepad.exe
Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | notepad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | notepad.exe
Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | notepad.exe
Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | notepad.exe
Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | notepad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202020202 | notepad.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff | notepad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | notepad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | notepad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon | wscript.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000 | notepad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202 | notepad.exe
Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell | notepad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\SniffedFolderType = "Documents" | notepad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile | wscript.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "17" | notepad.exe
NTFS ADS (5 IoCs)
Processes: msedge.exe, CryptoLocker.exe, WINWORD.EXE
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 492569.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\BabylonClient12.msi:Zone.Identifier | msedge.exe
File created | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:Zone.Identifier:$DATA | CryptoLocker.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{0825CFE7-889B-400A-AD53-3005A5F5C407}\8tr.exe:Zone.Identifier | WINWORD.EXE
File opened for modification | C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier | msedge.exe
Suspicious behavior: AddClipboardFormatListener (3 IoCs)
Processes: WINWORD.EXE
pid | process
704 | WINWORD.EXE
704 | WINWORD.EXE
4516 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes: msedge.exe, identity_helper.exe, rundll32.exe, 8834.tmp, eulascr.exe
pid | process | entries
4324 | msedge.exe | 2
4900 | msedge.exe | 2
2156 | msedge.exe | 2
4948 | msedge.exe | 2
1884 | identity_helper.exe | 2
4700 | msedge.exe | 2
1840 | msedge.exe | 4
4972 | msedge.exe | 2
3656 | rundll32.exe | 4
3500 | 8834.tmp | 7
3912 | eulascr.exe | 2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (20 IoCs)
Processes: msedge.exe
pid | process | entries
4900 | msedge.exe | 20
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe
description | pid | process
Token: SeShutdownPrivilege | 4452 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4452 | msiexec.exe
Token: SeSecurityPrivilege | 2080 | msiexec.exe
The remaining 61 entries are all for pid 4452 (msiexec.exe): the following sequence of 29 privileges is recorded twice in full, followed by its first three entries once more.
Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exe
pid  process
4900  msedge.exe  (64 occurrences)
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
msedge.exe
pid  process
4900  msedge.exe  (12 occurrences)
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
WINWORD.EXE, WINWORD.EXE, MrsMajor3.0.exe, notepad.exe, PickerHost.exe, LogonUI.exe
pid  process
704  WINWORD.EXE  (8 occurrences)
4516  WINWORD.EXE  (5 occurrences)
4488  MrsMajor3.0.exe
1016  notepad.exe
1480  PickerHost.exe
4652  LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exe
description  pid  process  target process
PID 4900 wrote to memory of 4092  4900  msedge.exe  msedge.exe  (2 occurrences)
PID 4900 wrote to memory of 3260  4900  msedge.exe  msedge.exe  (40 occurrences)
PID 4900 wrote to memory of 4324  4900  msedge.exe  msedge.exe  (2 occurrences)
PID 4900 wrote to memory of 2252  4900  msedge.exe  msedge.exe  (20 occurrences)
System policy modification 1 TTPs 4 IoCs
Processes:
wscript.exe, wscript.exe
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  wscript.exe
Key created  \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System  wscript.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  wscript.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system  wscript.exe
Views/modifies file attributes 1 TTPs 14 IoCs
Processes:
attrib.exe (14 instances)
pid  process
4576  attrib.exe
1640  attrib.exe
4312  attrib.exe
1420  attrib.exe
3512  attrib.exe
4956  attrib.exe
2448  attrib.exe
1960  attrib.exe
3248  attrib.exe
3564  attrib.exe
3272  attrib.exe
5024  attrib.exe
3480  attrib.exe
3524  attrib.exe
Processes
(process tree; indentation shows parent/child depth, each entry lists image path, command line, flagged behaviours and PID)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4900

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce3dd3cb8,0x7ffce3dd3cc8,0x7ffce3dd3cd8
      PID: 4092

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
      PID: 3260

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 4324

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
      PID: 2252

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      PID: 3248

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      PID: 2112

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
      PID: 2384

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      PID: 1776

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      PID: 5104

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5236 /prefetch:8
      PID: 4444

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5580 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID: 2156

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
      PID: 1832

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3744 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 4948

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 1884

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
      PID: 1348

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
      PID: 2336

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      PID: 2372

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      PID: 4280

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
      PID: 860

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
      PID: 4904

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
      PID: 3228

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      PID: 4700

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 1840

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
      PID: 800

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
      PID: 4508

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
      PID: 868

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
      PID: 2480

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
      PID: 1828

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      PID: 4972

    C:\Windows\System32\msiexec.exe
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BabylonClient12.msi"
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      PID: 4452

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
      PID: 2376

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,4975270337996776395,14858166641231319560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
      PID: 400

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5076

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4656

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004EC
  PID: 4536

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1580

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
  PID: 2700

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID: 2080

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6990A3A8949E73C89753D4979F9B6070 C
      - Loads dropped DLL
      PID: 200

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.babylon-software.com/redirects/redir.cgi?type=terms_of_use&lang=0
          PID: 4888

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce3dd3cb8,0x7ffce3dd3cc8,0x7ffce3dd3cd8
              PID: 1560

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
  PID: 2156

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 296
      - Program crash
      PID: 3536

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2156 -ip 2156
  PID: 792

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
  - NTFS ADS
  PID: 1260

    C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 1020

        C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
          Command line: "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000234
          - Executes dropped EXE
          PID: 5064

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  PID: 3284

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
      PID: 2448

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
      PID: 1960

    C:\Windows\SysWOW64\Windupdt\winupdate.exe
      Command line: "C:\Windows\system32\Windupdt\winupdate.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      PID: 448

        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
          - Sets file to hidden
          - Drops file in System32 directory
          - Views/modifies file attributes
          PID: 4956

        C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Windows\SysWOW64\Windupdt" +s +h
          - Sets file to hidden
          - Drops file in System32 directory
          - Views/modifies file attributes
          PID: 3512

        C:\Windows\SysWOW64\Windupdt\winupdate.exe
          Command line: "C:\Windows\system32\Windupdt\winupdate.exe"
          - Modifies WinLogon for persistence
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Modifies registry class
          PID: 2544

            C:\Windows\SysWOW64\notepad.exe
              Command line: notepad
              - Adds Run key to start application
              - Drops file in System32 directory
              PID: 3832

            C:\Windows\SysWOW64\attrib.exe
              Command line: attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
              - Sets file to hidden
              - Drops file in System32 directory
              - Views/modifies file attributes
              PID: 3248

            C:\Windows\SysWOW64\attrib.exe
              Command line: attrib "C:\Windows\SysWOW64\Windupdt" +s +h
              - Sets file to hidden
              - Drops file in System32 directory
              - Views/modifies file attributes
              PID: 3564

            C:\Windows\SysWOW64\Windupdt\winupdate.exe
              Command line: "C:\Windows\system32\Windupdt\winupdate.exe"
              - Modifies WinLogon for persistence
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in System32 directory
              - Modifies registry class
              PID: 4288

                C:\Windows\SysWOW64\attrib.exe
                  Command line: attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                  - Sets file to hidden
                  - Drops file in System32 directory
                  - Views/modifies file attributes
                  PID: 4576

                C:\Windows\SysWOW64\attrib.exe
                  Command line: attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                  - Sets file to hidden
                  - Drops file in System32 directory
                  - Views/modifies file attributes
                  PID: 5024

                C:\Windows\SysWOW64\Windupdt\winupdate.exe
                  Command line: "C:\Windows\system32\Windupdt\winupdate.exe"
                  - Modifies WinLogon for persistence
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Drops file in System32 directory
                  - Modifies registry class
                  PID: 2424

                    C:\Windows\SysWOW64\notepad.exe
                      Command line: notepad
                      - Adds Run key to start application
                      - Drops file in System32 directory
                      PID: 1920

                    C:\Windows\SysWOW64\attrib.exe
                      Command line: attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                      - Sets file to hidden
                      - Drops file in System32 directory
                      - Views/modifies file attributes
                      PID: 1640

                    C:\Windows\SysWOW64\attrib.exe
                      Command line: attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                      - Sets file to hidden
                      - Drops file in System32 directory
                      - Views/modifies file attributes
                      PID: 3480

                    C:\Windows\SysWOW64\Windupdt\winupdate.exe
                      Command line: "C:\Windows\system32\Windupdt\winupdate.exe"
                      - Modifies WinLogon for persistence
                      - Executes dropped EXE
                      - Adds Run key to start application
                      - Drops file in System32 directory
                      - Modifies registry class
                      PID: 864

                        C:\Windows\SysWOW64\attrib.exe
                          Command line: attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                          - Sets file to hidden
                          - Drops file in System32 directory
                          - Views/modifies file attributes
                          PID: 3524

                        C:\Windows\SysWOW64\attrib.exe
                          Command line: attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                          - Sets file to hidden
                          - Drops file in System32 directory
                          - Views/modifies file attributes
                          PID: 4312

                        C:\Windows\SysWOW64\Windupdt\winupdate.exe
                          Command line: "C:\Windows\system32\Windupdt\winupdate.exe"
                          - Modifies WinLogon for persistence
                          - Executes dropped EXE
                          - Adds Run key to start application
                          - Drops file in System32 directory
                          - Modifies registry class
                          PID: 5040

                            C:\Windows\SysWOW64\notepad.exe
                              Command line: notepad
                              - Adds Run key to start application
                              - Drops file in System32 directory
                              PID: 1580

                            C:\Windows\SysWOW64\attrib.exe
                              Command line: attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                              - Sets file to hidden
                              - Drops file in System32 directory
                              - Views/modifies file attributes
                              PID: 1420

                            C:\Windows\SysWOW64\attrib.exe
                              Command line: attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                              - Sets file to hidden
                              - Drops file in System32 directory
                              - Views/modifies file attributes
                              PID: 3272

                            C:\Windows\SysWOW64\notepad.exe
                              Command line: C:\Windows\SysWOW64\notepad.exe
                              PID: 4816

                    C:\Windows\SysWOW64\notepad.exe
                      Command line: C:\Windows\SysWOW64\notepad.exe
                      PID: 3928

            C:\Windows\SysWOW64\notepad.exe
              Command line: C:\Windows\SysWOW64\notepad.exe
              PID: 468

    C:\Windows\SysWOW64\notepad.exe
      Command line: C:\Windows\SysWOW64\notepad.exe
      PID: 656

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
  PID: 2924

    C:\ProgramData\Hdlharas\dlrarhsiva.exe
      Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 432

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Pony\metrofax.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 704

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 224

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 4516

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
  - Drops file in Windows directory
  PID: 2336

    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      PID: 3656

        C:\Windows\SysWOW64\cmd.exe
          Command line: /c schtasks /Delete /F /TN rhaegal
          PID: 4508

            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /Delete /F /TN rhaegal
              PID: 712

        C:\Windows\SysWOW64\cmd.exe
          Command line: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3743275979 && exit"
          PID: 4976

            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3743275979 && exit"
              - Creates scheduled task(s)
              PID: 4632

        C:\Windows\SysWOW64\cmd.exe
          Command line: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 19:55:00
          PID: 448

            C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 19:55:00
              - Creates scheduled task(s)
              PID: 704

        C:\Windows\8834.tmp
          Command line: "C:\Windows\8834.tmp" \\.\pipe\{0A8530BB-8C86-4C30-887E-410D019FA514}
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          PID: 3500

        C:\Windows\SysWOW64\cmd.exe
          Command line: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
          PID: 3732

        C:\Windows\SysWOW64\cmd.exe
          Command line: /c schtasks /Delete /F /TN drogon
          PID: 4460

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe"
  - Suspicious use of SetWindowsHookEx
  PID: 4488

    C:\Windows\system32\wscript.exe
      Command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\2D1F.tmp\2D20.tmp\2D21.vbs //Nologo
      - UAC bypass
      - System policy modification
PID:3040 -
C:\Users\Admin\AppData\Local\Temp\2D1F.tmp\eulascr.exe"C:\Users\Admin\AppData\Local\Temp\2D1F.tmp\eulascr.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3912
-
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor2.0.7z"1⤵PID:3476
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\BossDaMajor.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\BossDaMajor.exe"1⤵PID:492
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\8FD0.tmp\8FD1.vbs2⤵
- Drops file in Program Files directory
PID:4576 -
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"3⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1016
-
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- System policy modification
PID:4120 -
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"4⤵PID:1988
-
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"5⤵PID:1568
-
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon5⤵PID:3100
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT6⤵
- Enumerates connected drives
PID:496
-
-
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 034⤵PID:2092
-
-
-
-
C:\Windows\System32\PickerHost.exeC:\Windows\System32\PickerHost.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:1480
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39e5055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4652
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (5)
Downloads
-
  Filesize: 9.1MB
  MD5: 64261d5f3b07671f15b7f10f2f78da3f
  SHA1: d4f978177394024bb4d0e5b6b972a5f72f830181
  SHA256: 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
  SHA512: 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a
-
  Filesize: 56KB
  MD5: b635f6f767e485c7e17833411d567712
  SHA1: 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
  SHA256: 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
  SHA512: 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 471B
  MD5: 59b225b2643635625318f45170a5dcc9
  SHA1: e86282dd7732151e8abaccbf5ef6df429ab802b1
  SHA256: 24f735df095240b813f72327811d656fbceebf26c95f84a9aaf1e2a4a961a188
  SHA512: 442ab01f1637c3cc765b9c12583cc91fe9c0dcc72d7c00c70fcbe4b712c7700043d3afccf3695c2c958ab4879dd0cbf5fdf84aa8c3c81bc90628273d74e25ec1
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_2E76130AF11138F39D76E0D756C0740A
  Filesize: 727B
  MD5: 93065be855ccffb6891fb5868f87add3
  SHA1: 6991ea4623fbf855a98e95d21566a79cbfe8ed2d
  SHA256: 11bb7b62c46a3c2cc7b75b0b03c43e8db804238f1793ccee44bdb244bb32856e
  SHA512: 12371b2feccbcfc4723f7cd4802793307c41c3fee204f788263832d9e48e003f2727103a41570fb9aa773a0be5affc27e2c8493422485cff28bd65a6614c8f87
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: 51a9466e6d36465e3dc3523f9279bb8d
  SHA1: 604b1e64cb78919f00cd16da2b311d501e55ffb3
  SHA256: 229295be7045b80c030477ddcc973b5af1da76179f4e9b4cf83bfdb3c598341a
  SHA512: c9fa86b4772142279f9799f9f1a6f17668d3809c792b7043fb43b1542970cb5523413f943f901e126182239ed4a6c03438f138cc61a80462f4bfab6a49240376
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 400B
  MD5: 7cc84467f884c5434c9b78ed29fd3739
  SHA1: a9e7c6875bfbb5c1c397c0e6e8288f27e15fb9e1
  SHA256: 5b517308204b75895cbdab95393379346161d05fb5508a5ddec82b7e6ce81be3
  SHA512: 77ab01f74320bc98b4379e6048739fb888582e643e3ed0778ab362680efc750116bfba3fcc75ee4d2bdd0421329480f5b8090d413434d3a2261a22e3685de14d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_2E76130AF11138F39D76E0D756C0740A
  Filesize: 404B
  MD5: d2614d26a7037dd82aefd6d5bc76717b
  SHA1: 301b3245b836ddae6a41b47d2502fb63615f3be6
  SHA256: dfd45835915378ef726eda26fe20113f66a48bb17f1bbd59790f531c9f601235
  SHA512: 2794a5387a0997cde9c5569c8c8d2c6cae6c4e1f9a2900196f75a1a805e43b3bbf90a4e3e9c6e95887e2f535502950f38846ac356fe5435b03617335de9d2e39
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 412B
  MD5: c39ae8e930745cb38f33e29cbcce8181
  SHA1: 0a41d9778b7dd62e299200ffce48e8e7cb8320d1
  SHA256: ea8d0943052f1d67fc8e915f476b0450b7d09ed9ac1566871ec9b05324808857
  SHA512: 1ef6256970e4e49fab2ee352bfb6e4a633f955f7c339ad518682507c2f887d701f2290f77851135b9faeb10525bfbde737352854163b20cf5135aaf963ec6975
-
  Filesize: 152B
  MD5: a0407c5de270b9ae0ceee6cb9b61bbf1
  SHA1: fb2bb8184c1b8e680bf873e5537e1260f057751e
  SHA256: a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd
  SHA512: 65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136
-
  Filesize: 152B
  MD5: ded21ddc295846e2b00e1fd766c807db
  SHA1: 497eb7c9c09cb2a247b4a3663ce808869872b410
  SHA256: 26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305
  SHA512: ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 4KB
  MD5: 405f8f15de115de9657f8ab5289473a6
  SHA1: c8221070259bbe068fad48f15df6d6e2c969aa5f
  SHA256: c88d427a4b526cc67931c4515a65123c13471a2c89ce644739d2e5ccec5d117d
  SHA512: bdb966d4fd090acb421122449892fc393e3dc1f2ce49a3d45e610f365a388572937334652169d8e712f51b7ef21b047e18b51b356f2a64ed10c1a159277d0ba9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 4KB
  MD5: 0abdeaa1ee2cf6804655f5d69b45a98d
  SHA1: e01b578639f694476f192cee52122646766a16ad
  SHA256: d03a6698d9c33509cbeb5da67cc34f877f41e0c9117bdf893c0ee5143fd77dae
  SHA512: 3bf502ee36924db431fb1f497e3bb6658189e56542acecba1068df4b1b2633c43d0b58eb824c41044a0c4db8a8fe8de8c301dda0c0c6f6884abb0d820c16c0a3
-
  Filesize: 2KB
  MD5: fd174a0e6befe4fd0db7d483c0d27231
  SHA1: a97576d5f6f7472447239ea5e41dddb942f378cc
  SHA256: 48eeff7d195cb1984e64472975151225a86a67cd19390960964352496ff279cd
  SHA512: bfce5b70d4ffa14758d63acbb19d35f0fcf1b8246a74b64c22d7fe96b35f8b1b36e870bf0db4f67bdf2f52ee180f4ab617fe837abe01b818df8561bd068a9061
-
  Filesize: 1KB
  MD5: 501ca11ab205b6a9b60864aa05ecde4f
  SHA1: 1ed13c02c6c98d5f2f2646414820a7e4c32d9367
  SHA256: 69f55ddefcff8cd44667439be3ab498c170726d5eed112cff3fcdc5b1cdf0d84
  SHA512: 3361aa35e187a7ee91e22577a0ccc6980077f5cda0bbf96aa4e38e19793a31b127397d5216beeac3771d4e83104de2e51350a3b50a098af72ea252cbd30c07ce
-
  Filesize: 1KB
  MD5: 49851463c2224d960479bd175236e3de
  SHA1: c204ebf125bed5a8e0d3613546dbad296600ab41
  SHA256: 66036d2090c5df227ce9daa34dc136f08a10d9733b045a0284f5b249967089bb
  SHA512: 08f2178ab375a01a0ea0ff83ee0afb21fb2109f00ae90d07bc401f5d3e367a200876a1f389cc6101e6275edc23902969daa11bbb9df24df498d035e8e2926f16
-
  Filesize: 1KB
  MD5: 7d915469dfa593852ddbfd93055a6079
  SHA1: 6847c9d5045580e39d08d27c1bc16418e5ff82c8
  SHA256: 1e223effe2e12fff5e7a088a1a0e68c2a0a862d4c8ecb0c9cd9ec4a984adb07a
  SHA512: f4e291fcb35c63c1cdf809e60093f97b29c10100dd467296ef8b8863d3168371575e1a439302773c422d0996d7e37d16c3b6521cf87143b199e1383340d95b01
-
  Filesize: 5KB
  MD5: 8d81aa986b7e77d4d8a25af6cdbba33d
  SHA1: df918e2da1fb5bbc1baaf738e7efe7391d6a092c
  SHA256: 4958dd3688d7ec3aa75ce82d916b7be49b6a569c648ba9e7578992603b629f43
  SHA512: b6ade1f98861c36d12c467af806fc32e19ab2b18b28f95c8257bb28e8cd7b8d049738416646afe76656b5175bdbdcae48dd47b00a7653bc743fc92ecad89f285
-
  Filesize: 6KB
  MD5: 5f50f4cddda348a221d8d6e19655c712
  SHA1: a49718fd2f632ec00a05365f53948985918298f2
  SHA256: 3d9dc88a5555d1ca29897e507292c8cd9a6be42ba620c11b400e95eb9cfac2d5
  SHA512: f459edfe188c220fbfe4f3a0c6b2dfd3d6c5c0a8489a3158cfa7e9531de5d1409b190d124dd401de0f1fcdd42d9620c3628692da3c86abb431cc9678182d1adc
-
  Filesize: 6KB
  MD5: 473a5cc1842ced6b874378d0db865bc1
  SHA1: 62012085f5a6068891d80d6248326e8c8d5c47e8
  SHA256: fc5b0c00b8fddc25df326069d10b9b15c4c64e8e3f139838da3ad0e8f0ed55b5
  SHA512: 12b1363b84dd083ad070cfbd581e284330b347ef710e41e1ea2d4ed7d4281f6c2d11136604a8332ac3ba0eee79dbb337963857010b4af3238e921b0b5987a926
-
  Filesize: 7KB
  MD5: da525553eede864e8055dd4eadc53675
  SHA1: 48cd079b40676ab5853abc39315e2da5a87afca8
  SHA256: b5700e7fa3ab6f8f84f7ab798ca305e9c2d1f962a2fbff24610bf00e0e35f5aa
  SHA512: 517e6674e8426ffa249c87105ce4ea704c3e66ea472cd317df1221f44cca21dd76692ae68de2d2930d9a5523d155b0c8be933e7606ffb479e565957250ae3cf8
-
  Filesize: 6KB
  MD5: f0addacc14e2cfeb3cd916d7808f0c7c
  SHA1: 5ac5b4bbbb256d71ad4238666584ce2c1010cd7f
  SHA256: 33861d275f4b11b35732aad06e78d1714c86a24fe5b2d30cc8f9c60f93f1f002
  SHA512: f07d40f0effa48a492b26b6ae0b88c45ed318d3c58d964546c977458436d6177d591622e98e6d493e012acb3ececd862844a49471223e704c503044d862f1045
-
  Filesize: 5KB
  MD5: 3145c22741d24f27a4caf493da6a83fc
  SHA1: da076ab060a18ff7c94163e5bc1fedba9a218a28
  SHA256: 7f1b15005f6d22fb06cd8d683d056455fb17da13e1fcbf8604676b27c0b63a1d
  SHA512: 102bdc7b8648bddbe023368fdcfc1dd4a3fdcf603ecd201f1ccab15c66d9bc42a0a98eed58ef78a9e4e1907c72ded5d424f2737c2c08d0ece6e1bc1d84938431
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt
  Filesize: 73B
  MD5: d6845f1dd8746c28e2cfca3b61dc16f0
  SHA1: 555d9258fdc501e4fc10843ac7f97e44b1f53b4c
  SHA256: 3ba04f2aa9ac58007b74c35701c64575578324528824299b76515d260a9e3e61
  SHA512: 8a62235aaf58dfc694f1c71976049cdb15212292fcc2785b106d8b4eff05a92218a7299b766738e7e890ccafe833f62222e5cc969b6b50620065d0e8be70c994
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt
  Filesize: 130B
  MD5: a92fd0d27e35a0fbd2b63eb8bb90fe3d
  SHA1: 4fa66329035c91792737c7b3aa9b2c0a42f83938
  SHA256: 6fb57d2d7fdb61c7b2e8c94869f6d351baf2d4237f3a37d5aea238e754b1ab46
  SHA512: 38b83f130ff9d0061157a5f4a4c7ef6eb87c7a3c9d30957f9c8bbda33f131af1c7869031242abc477987118bffb7c4d1998fb4fb5be585c9689af0d2167fad5d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt
  Filesize: 66B
  MD5: 83ded9ee50cb3f6376edfc3369f4bc44
  SHA1: 54483383faa5dbfc376458bc90424e25091ff174
  SHA256: 9a15a48d6436fd714d671242543c0002a878f474cbf1c0a27d90da98e7ac4ced
  SHA512: 07bb06eaaf050f11efff2ac84b69e9ec05fc8f5f1a44a033d366f297dc388d4b9da2470ed58c7714a495a51544d10860fa1ac51d147cdcefa3803196a2c428cd
-
  Filesize: 1KB
  MD5: 0f8e7a9cdbfd2b7466c6ecdccb2b42b9
  SHA1: c53679b7ca40de5fa19ae1f8edf14ec39fddb9ed
  SHA256: 079d278ccf0999627bd8166b17787e860d3930a45109e81b33bf0443592c55a6
  SHA512: 6d1433785bb376cc4ad192cada26552987eccc15e5cab8110b69077835fa0fcae22fbb939eb0562aa8872b9cfacd6ddbcbd9797350bb1207104c5dc007d15730
-
  Filesize: 1KB
  MD5: 111b96665f2072d046fac53a722b82fb
  SHA1: d1fcb0672af9b05bba7cc2c83e183af3db3de7bd
  SHA256: 39ac298cced1e2a1c5b34a8e193e512a7717c0544edd772670ab21627f321d9e
  SHA512: 67ef7d789436835e0754fb9e1d001e51f5db397e1a18f16b249aaf554a4f849fc55238822eb1f9b7dca203eed272aa1927986ab1ca598d17edfbf85059836913
-
  Filesize: 1KB
  MD5: 222dfd840ced8aceb134b706f0451d14
  SHA1: 447e77cffe85a4dd40d46c1c6688fceb17880f73
  SHA256: 471718e503f44cd025e626daef5542512b026ac80b86ca7f8676e35234073271
  SHA512: c6dfb8f846c7463e7b6e97c4db952d91de2d5514f55a23b940786e1960bab00c534c2dd10fbef103666c6af576309c5a79702309fcd4f2231fc783ed65cdbd5e
-
  Filesize: 1KB
  MD5: 2e4358c0b107ce89e19c4b734a2067a3
  SHA1: caafe59ee6deb99a2f3a28e534350cd09c882a6a
  SHA256: a63e3c5ab0cc2cb8310e0f717e09d851feeb883f01f59e2bbe14d130d147ff88
  SHA512: 253bc06cd428314e824c1412b7168619974119cf04190b82fc92cd18eb905d81d2f76841a8360f0e2631351f15d244026349df727688081057a9cd038068a2a3
-
  Filesize: 705B
  MD5: 755a8171203a0a9a43f82bcd19e487f3
  SHA1: ab7695508e9b5bf606671e3795576f2fc7a88c86
  SHA256: ac9bea099ea0988d69dd860d3b73acbbb24867023cfccf4d82735a612f009381
  SHA512: 53428bb4154bda1ea5f5f6da5cfc9dff3973f9da429303939d65fe2144ffd06e8f8640da9769c558042a3eb5445ae5907ebf2dfccfc48a751af1267e09eaa4dc
-
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
  Filesize: 10KB
  MD5: 59ddd551bd93ee919e3120fc54212e35
  SHA1: 111239ea7d232f90d3d288f4c6d2e0115a92a767
  SHA256: 3620b8d2f0b21233b3e435803da2c50a7cf9d8306ca2afaa1b904d9f130c29a9
  SHA512: f38e3462dc3abe12491e1ba6c3791424719f9efb78dc9a30846edea45eacb4c4cf069099bec7a141ae64a86749be7e6a852d128cbbc860df4ff77edd41b7344a
-
  Filesize: 11KB
  MD5: 5840e86f38bc620b2050e4a1af8514c0
  SHA1: 1f65f0efe35852c43617419017426a053eee8cbe
  SHA256: dcb812c22125368801748aaf276c288fad8bf0640fa97c6344363d946a9ca3af
  SHA512: 32c6c5a2885a2d87b1c7753abb190f402828799d6dad0d19d105d3b553f733b4c0f2da1f16484b8f0481bfc8d5e6fb0d3679f39cc9894b18cbfec061df51da9b
-
  Filesize: 11KB
  MD5: c29aaa17cb97185c070094ed67bc56e9
  SHA1: 6860ed48cd4a278aaa3dd74475b0d7686957c8ce
  SHA256: 9a045f214de144ec67b009bfc5f2cc27e5fad7d00d0b3c25c8059929777c0b10
  SHA512: 84b5f8fe16b220032b3c98a80c7af7d791fdabbddf83e6fcff8c8f9362e56a9ce191d6395ddbb0a31f6af3b43250f1a96844bc877097654773c936b6dfc6ee20
-
  Filesize: 11KB
  MD5: 9f28fe61ff73af557bb617f76747baeb
  SHA1: 4c67967368925739a68b9acfbeb0deadddfefc08
  SHA256: 37fa065756a08b197cff005ba7bc0f0508e1b8946e98d18c6cdbc63be5bd7860
  SHA512: d0a8a593026adc335102709eba269d0aa3b035956fdbfe46caa530829859bfe1254cdf7c97e573527913ab1f35e4066ef3546c8f9a9c5474e323746bdfb58e6b
-
  Filesize: 11KB
  MD5: 7aa15ebbbd3a79c931324c38b91cb323
  SHA1: 6208a14dee26fdc7a80a21257ebe5ebcfeb1e170
  SHA256: 179f1583014bfc6100ff8d9f2347b8543d74aa0a366621bbdf574e02ffddeab8
  SHA512: 96dfde8e1d7cd3b7f8012f8045c06cbc1a5180ec310000feaef402091d227d36d4dc6f2db51d999ef078d263535449f9345b82caf6e3bee6d2d4bd05b50820ee
-
  Filesize: 512KB
  MD5: abca28f8164d18f9278071524027ccae
  SHA1: 83ef20b6b164251eec63d14749b5f99c3991c67a
  SHA256: 85fbf727d583bf7431dca320477829f6eb32ecc34b7e4a30556ecacd0f1c489a
  SHA512: 9ed59fd7aa0cf45f0e0c6f6eeb87f815d10a63365186871405ab15a32b183741369f054d38c7d76dce7e31eba31768cb76ff226fdc0c61ecc5751dcdec4ad03d
-
  Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
  Filesize: 5KB
  MD5: 0ed5bc16545d23c325d756013579a697
  SHA1: dcdde3196414a743177131d7d906cb67315d88e7
  SHA256: 3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3
  SHA512: c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af
-
  Filesize: 75KB
  MD5: 42b2c266e49a3acd346b91e3b0e638c0
  SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
  SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
  SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
  Filesize: 421KB
  MD5: 6425466b9a37d03dafcba34f9d01685a
  SHA1: 2489ed444bce85f1cbcedcdd43e877e7217ae119
  SHA256: 56f8ca5b2079bc97a7af9c015ed4b6163635baef0d9a287d19fc227fc330c53d
  SHA512: 62f4c79d165282db14b662d4242a065af4c8a642f2023032ab5a059e2d6001f0b80e9a0562989013acf01a80a67491be9b671e6bd99220cf9d4fb44a17719371
-
  Filesize: 816KB
  MD5: dc46ac7f71efc560b179e237b1466bcd
  SHA1: 6347c17ec137478cacc2014ddcd7d754fffde09d
  SHA256: 9dac94cbdeaa9527c5c934b1ec1503b7ec80458c058d986f5b798e410ad3dbf3
  SHA512: a731e3d877a4739cbe7350c1bbb663fec6f84435aee712252e0f33dcf0d89b0772d5b30755d913807b175e2c7aa0f6f45241495a1e7a120a4a8fa6837938ba98
-
  Filesize: 142KB
  MD5: a2d4928c9836812735b3516c6950a9ec
  SHA1: 01873285eec57b208fa2d4b71d06f176486538c8
  SHA256: 79ca108d5c51259d8fb38ed1cfcc5a70e9cf67a5954e52a4339b39ff04fa20c8
  SHA512: d03964a2bb597bf0fdefb787de3b462010c4cd02d286b16587a03b5228553a307d1b8f472c312e0d8bb53f21570aa5b112d85193cf42b83ef33fb7905855eba7
-
  Filesize: 922KB
  MD5: 11bf30b923d096bc73918c6079a927d3
  SHA1: c75809bb25651e4e94a0dcdb2d124e64dd49287f
  SHA256: 60e601066d4a203e39eefe70ac05e1aac9b45f47f532e038affa8dae4e009275
  SHA512: 3f22b336df3a311ae707132a0451c83642683a01e1d0dd1b01f7c4f182efcd0bdec4c3effe02321d0aa619226f80853356e7e8692c443bf2f74a9ea382b3f03c
-
  Filesize: 249B
  MD5: 74635f6e5554ebd726fdca0c002dbee2
  SHA1: 278e66625144f9d89050b0bedb482a68855b97d4
  SHA256: 483e814b8f7ff4423f67f93987147b151908e1eef88479b67d4c7c69e5444424
  SHA512: bb5dfc5a78b97bd7a5bc0bfe1083b1f03b5592543abf9ce00a7a36c84fb540ddfb1c8ec8994f7e6eabc30b6de896414d171d7eb3c0735ee9708093162fd17f34
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 4KB
  MD5: debf2417b2479d01dffb16afa2c3f8c1
  SHA1: cd8b244234ad6c02b8c3839141a7942c7af205e3
  SHA256: 2ebf0f5745df59220f08ac1f7586c9fd6f2b88b6bb5c6eaa4c44f9e9c5551541
  SHA512: 8cc8a55ebd1c66ecae28f27b0862ef530c209c63da796810c7bf0f2f7dbf680a6958a5796e55bca3205ec332b79fdac350f6978cf06a88e670b1bce43bc07909
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 5cbb0c1693c1ef6067dd51d88016e8bf
  SHA1: 3e088d9817d9b71ea1108c101ab8914cff2d55e5
  SHA256: 54874a2451267ceda04e73a029d5904009b3ce8e8feff8a58d98580155b6667e
  SHA512: 6a39934eae83791562de302f0dbe540bf502e872aa055c75c7e31632eb4cf0e64a38ecce535e476001ef9fb8e9b35883bb2e3bc01f195e47ab094d0141bbdf00
-
  Filesize: 338KB
  MD5: 04fb36199787f2e3e2135611a38321eb
  SHA1: 65559245709fe98052eb284577f1fd61c01ad20d
  SHA256: d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
  SHA512: 533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
  Filesize: 27B
  MD5: e20f623b1d5a781f86b51347260d68a5
  SHA1: 7e06a43ba81d27b017eb1d5dcc62124a9579f96e
  SHA256: afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179
  SHA512: 2e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b
-
  Filesize: 198.8MB
  MD5: af60ad5b6cafd14d7ebce530813e68a0
  SHA1: ad81b87e7e9bbc21eb93aca7638d827498e78076
  SHA256: b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
  SHA512: 81314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3
-
  Filesize: 26B
  MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
  SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
  SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
  SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
  Filesize: 61.0MB
  MD5: 32f50b7ac8b2a5850a2afc07eae0ff4b
  SHA1: fdce14d6365ed429674c7f8e2ba86420c43ebfee
  SHA256: aac5e21db3d28de95e8d05580a27c802a24b7af8da055db12671551e2bb2321a
  SHA512: 3e0677f6b17d9c617a84412541461a798992a35d6de20730c3b9d662e539fdcd2f24e505109cdd9e072180218abf6a0a4de838c65ebeceae28fd7669e067c54a
-
  Filesize: 756KB
  MD5: c7dcd585b7e8b046f209052bcd6dd84b
  SHA1: 604dcfae9eed4f65c80a4a39454db409291e08fa
  SHA256: 0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
  SHA512: c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
-
  Filesize: 92B
  MD5: c6c7806bab4e3c932bb5acb3280b793e
  SHA1: a2a90b8008e5b27bdc53a15dc345be1d8bd5386b
  SHA256: 5ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a
  SHA512: c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93
-
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e