Analysis

max time kernel: 427s
max time network: 429s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-04-2024 07:01

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/aDarkDev/ConF-Malware
Resource: win10v2004-20240412-en
Errors

General

Target: https://github.com/aDarkDev/ConF-Malware
Malware Config

Signatures
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Birele.exe" (Birele.exe)

- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
mimikatz is an open source tool to dump credentials on Windows (1 IoCs)
- behavioral1/files/0x0002000000022ab1-1354.dat (yara_rule: mimikatz)

Disables Task Manager via registry modification
Drops file in Drivers directory (4 IoCs)
- File opened for modification: C:\Windows\SysWOW64\drivers\spoclsv.exe (Gnil.exe)
- File created: C:\Windows\SysWOW64\drivers\spoclsv.exe (Gnil.exe)
- File opened for modification: C:\Windows\SysWOW64\drivers\spoclsv.exe (Gnil.exe)
- File opened for modification: C:\Windows\SysWOW64\drivers\spoclsv.exe (Gnil.exe)

ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
- behavioral1/files/0x0008000000023548-1089.dat (yara_rule: acprotect)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation (msedge.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation (msedge.exe)
Executes dropped EXE (7 IoCs)
- PID 4908: spoclsv.exe
- PID 1660: spoclsv.exe
- PID 3020: spoclsv.exe
- PID 5440: msedge.exe
- PID 4088: msedge.exe
- PID 5872: system.exe
- PID 2672: 39DF.tmp

Loads dropped DLL (11 IoCs)
- PID 5744: Floxif.exe
- PID 3120: Floxif.exe
- PID 4348: Floxif.exe
- PID 4980: Floxif.exe
- PID 5472: Floxif.exe
- PID 5440: msedge.exe (2 occurrences)
- PID 4088: msedge.exe (2 occurrences)
- PID 3488: rundll32.exe
- PID 4528: rundll32.exe

yara_rule: upx
- behavioral1/files/0x0008000000023548-1089.dat
- behavioral1/memory/5744-1092-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/5744-1095-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/3120-1098-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/3120-1100-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/4348-1111-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/4348-1113-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/4980-1115-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/4980-1117-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/5472-1119-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/5472-1121-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/5360-1408-0x0000000000400000-0x0000000000438000-memory.dmp
- behavioral1/memory/5360-1412-0x0000000000400000-0x0000000000438000-memory.dmp
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Birele.exe" (Birele.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- flow 33: raw.githubusercontent.com
- flow 35: raw.githubusercontent.com

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PHYSICALDRIVE0 (xpaj.exe)

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\Desktop\Wallpaper = "0" ($uckyLocker.exe)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (7 IoCs)
- File created: C:\Windows\infpub.dat (BadRabbit.exe)
- File opened for modification: C:\Windows\infpub.dat (rundll32.exe)
- File created: C:\Windows\infpub.dat (BadRabbit.exe)
- File opened for modification: C:\Windows\infpub.dat (rundll32.exe)
- File created: C:\Windows\cscc.dat (rundll32.exe)
- File created: C:\Windows\dispci.exe (rundll32.exe)
- File opened for modification: C:\Windows\39DF.tmp (rundll32.exe)

Program crash (5 IoCs)
- PID 4624 WerFault.exe, target PID 5744 (procid_target 162)
- PID 4884 WerFault.exe, target PID 3120 (procid_target 166)
- PID 4476 WerFault.exe, target PID 4348 (procid_target 169)
- PID 3000 WerFault.exe, target PID 4980 (procid_target 172)
- PID 3216 WerFault.exe, target PID 5472 (procid_target 175)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1900: SCHTASKS.exe
- PID 3068: schtasks.exe
- PID 4632: schtasks.exe

Enumerates system info in registry (2 TTPs, 6 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)

Kills process with taskkill (1 IoCs)
- PID 3220: taskkill.exe
Modifies data under HKEY_USERS (15 IoCs)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)

Modifies registry class (3 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings (msedge.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings (OpenWith.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4084619521-2220719027-1909462854-1000\{C9005FA5-E247-4FE3-9EEB-CCD6000A2B1B} (msedge.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 5900: WINWORD.EXE (2 occurrences)

Suspicious behavior: EnumeratesProcesses (55 IoCs)
- PID 1996: msedge.exe (2 occurrences)
- PID 4604: msedge.exe (2 occurrences)
- PID 816: identity_helper.exe (2 occurrences)
- PID 5836: msedge.exe (2 occurrences)
- PID 4784: msedge.exe (2 occurrences)
- PID 2280: msedge.exe (4 occurrences)
- PID 5924: msedge.exe (2 occurrences)
- PID 5744: Floxif.exe (2 occurrences)
- PID 2500: Gnil.exe (6 occurrences)
- PID 4908: spoclsv.exe (2 occurrences)
- PID 4536: Gnil.exe (6 occurrences)
- PID 1660: spoclsv.exe (2 occurrences)
- PID 1452: Gnil.exe (6 occurrences)
- PID 3020: spoclsv.exe (2 occurrences)
- PID 3488: rundll32.exe (4 occurrences)
- PID 2672: 39DF.tmp (7 occurrences)
- PID 4528: rundll32.exe (2 occurrences)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 5536: OpenWith.exe
- PID 4508: xpajB.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (22 IoCs)
- PID 4604: msedge.exe (22 occurrences)

Suspicious use of AdjustPrivilegeToken (15 IoCs)
- Token SeDebugPrivilege: PID 5744 Floxif.exe
- Token SeDebugPrivilege: PID 3120 Floxif.exe
- Token SeDebugPrivilege: PID 4348 Floxif.exe
- Token SeDebugPrivilege: PID 4980 Floxif.exe
- Token SeDebugPrivilege: PID 5472 Floxif.exe
- Token SeShutdownPrivilege: PID 3488 rundll32.exe
- Token SeDebugPrivilege: PID 3488 rundll32.exe
- Token SeTcbPrivilege: PID 3488 rundll32.exe
- Token SeDebugPrivilege: PID 2672 39DF.tmp
- Token SeShutdownPrivilege: PID 4528 rundll32.exe
- Token SeDebugPrivilege: PID 4528 rundll32.exe
- Token SeTcbPrivilege: PID 4528 rundll32.exe
- Token SeDebugPrivilege: PID 3220 taskkill.exe
- Token SeShutdownPrivilege: PID 440 shutdown.exe
- Token SeRemoteShutdownPrivilege: PID 440 shutdown.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
- PID 4604: msedge.exe (64 occurrences)

Suspicious use of SendNotifyMessage (24 IoCs)
- PID 4604: msedge.exe (24 occurrences)

Suspicious use of SetWindowsHookEx (33 IoCs)
- PID 5536: OpenWith.exe (17 occurrences)
- PID 5900: WINWORD.EXE (14 occurrences)
- PID 2580: xpaj.exe
- PID 1988: LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Every entry is PID 4604 msedge.exe writing to the memory of another process:
- wrote to memory of PID 3224 (procid_target 86), 2 entries
- wrote to memory of PID 3956 (procid_target 88), repeated entries
- wrote to memory of PID 1996 (procid_target 89), 2 entries
- wrote to memory of PID 1500 (procid_target 90), repeated entries
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4604)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/aDarkDev/ConF-Malware
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3224)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0fff46f8,0x7ffd0fff4708,0x7ffd0fff4718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3956)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1996)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1500)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2996)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3744)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1720)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 816)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5308)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5320)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5484)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5492)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5816)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5804 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5824)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5836)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2996)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 448)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5032)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4824 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6440 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:12⤵PID:5844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:12⤵PID:2664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:12⤵PID:2196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:12⤵PID:2600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1936 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:12⤵PID:4376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:12⤵PID:5952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:12⤵PID:5960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:12⤵PID:5268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:12⤵PID:4948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:12⤵PID:3304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:12⤵PID:4524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7718384878519816603,7632217130322830298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1828 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4088
-
-
Process: C:\Windows\System32\CompPkgSrv.exe (level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1376

Process: C:\Windows\System32\CompPkgSrv.exe (level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3388

Process: C:\Windows\System32\rundll32.exe (level 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5168

Process: C:\Windows\system32\OpenWith.exe (level 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 5536

  Process: C:\Windows\system32\NOTEPAD.EXE (level 2)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_ConF-Malware-main.zip\ConF-Malware-main\README.md
    PID: 5376

Process: C:\Windows\system32\AUDIODG.EXE (level 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x424 0x300
  PID: 5452
Process: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Virus\Melissa.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 5900

Process: C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Virus\WinNuke.98.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
  PID: 1928

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5744

  Process: C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 432
    - Program crash
    PID: 4624

Process: C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5744 -ip 5744
  PID: 1904

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 3120

  Process: C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 400
    - Program crash
    PID: 4884

Process: C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3120 -ip 3120
  PID: 228

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 4348

  Process: C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 400
    - Program crash
    PID: 4476

Process: C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4348 -ip 4348
  PID: 4188

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 4980

  Process: C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 400
    - Program crash
    PID: 3000

Process: C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4980 -ip 4980
  PID: 5352

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 5472

  Process: C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 400
    - Program crash
    PID: 3216

Process: C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5472 -ip 5472
  PID: 1908
Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe"
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2500

  Process: C:\Windows\SysWOW64\drivers\spoclsv.exe (level 2)
    Command line: C:\Windows\system32\drivers\spoclsv.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4908

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe"
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 4536

  Process: C:\Windows\SysWOW64\drivers\spoclsv.exe (level 2)
    Command line: C:\Windows\system32\drivers\spoclsv.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 1660

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe"
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1452

  Process: C:\Windows\SysWOW64\drivers\spoclsv.exe (level 2)
    Command line: C:\Windows\system32\drivers\spoclsv.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 3020

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exe"
  PID: 3940

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exe"
  PID: 3188

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Xpaj\xpajB.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Xpaj\xpajB.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  PID: 4508

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Xpaj\xpaj.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Xpaj\xpaj.exe"
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID: 2580
Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"
  - Sets desktop wallpaper using registry
  PID: 5800

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\7ev3n.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\7ev3n.exe"
  PID: 4360

  Process: C:\Users\Admin\AppData\Local\system.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\system.exe"
    - Executes dropped EXE
    PID: 5872

    Process: C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
      PID: 1036

    Process: C:\Windows\SysWOW64\SCHTASKS.exe (level 3)
      Command line: C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
      - Creates scheduled task(s)
      PID: 1900

    Process: C:\windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      PID: 5196

      Process: C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        - Modifies WinLogon for persistence
        PID: 5976

    Process: C:\windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      PID: 856

      Process: C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        - Adds Run key to start application
        PID: 4864

    Process: C:\windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      PID: 1596

      Process: C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        PID: 5444

    Process: C:\windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      PID: 1948

      Process: C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        PID: 4400

    Process: C:\windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      PID: 1496

      Process: C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        PID: 5228

    Process: C:\windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      PID: 6072

      Process: C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        - UAC bypass
        PID: 5324

    Process: C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      PID: 5444

      Process: C:\Windows\SysWOW64\reg.exe (level 4)
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
        PID: 3744

    Process: C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
      PID: 4792

      Process: C:\Windows\SysWOW64\shutdown.exe (level 4)
        Command line: shutdown -r -t 10 -f
        - Suspicious use of AdjustPrivilegeToken
        PID: 440
Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
  - Drops file in Windows directory
  PID: 3940

  Process: C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3488

    Process: C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c schtasks /Delete /F /TN rhaegal
      PID: 4848

      Process: C:\Windows\SysWOW64\schtasks.exe (level 4)
        Command line: schtasks /Delete /F /TN rhaegal
        PID: 2684

    Process: C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3120795481 && exit"
      PID: 4468

      Process: C:\Windows\SysWOW64\schtasks.exe (level 4)
        Command line: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3120795481 && exit"
        - Creates scheduled task(s)
        PID: 4632

    Process: C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:25:00
      PID: 5724

      Process: C:\Windows\SysWOW64\schtasks.exe (level 4)
        Command line: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:25:00
        - Creates scheduled task(s)
        PID: 3068

    Process: C:\Windows\39DF.tmp (level 3)
      Command line: "C:\Windows\39DF.tmp" \\.\pipe\{FC2AD3A0-1701-4336-B369-A9277BF14E36}
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2672

    Process: C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
      PID: 4708

    Process: C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c schtasks /Delete /F /TN drogon
      PID: 2432

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
  - Drops file in Windows directory
  PID: 2852

  Process: C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4528

Process: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Birele.exe (level 1)
  Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Birele.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  PID: 5360

  Process: C:\Windows\SysWOW64\taskkill.exe (level 2)
    Command line: taskkill /F /IM explorer.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 3220

Process: C:\Windows\system32\LogonUI.exe (level 1)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38b6855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 1988
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize
12KB
MD5596441f463cadbce5d4c8e2937dcb7bb
SHA1fbb3295077a49411c05ed71a24961fcd5d5770b7
SHA256559ae10e9cb8ddfedbf4686840e20676a0c7ca7a9ac24f1b328872a5fb3a2679
SHA512c90a053b7dfac826a501a8fb465427e3ebf38155d2b8624241808422fe2987c43b47c67ca373f0860e13c827f631e6079be92ac376f611bfc8242fc1b9c337e6
-
Filesize
12KB
MD5d909fa90efb2015d495ec99091760faf
SHA13a79eae64911669249d668f2dd3467e5e4c6bf78
SHA256a957e20515cba64fd467fbe4d933b4ae02c0b1d9d3e949618337c1d629eb707e
SHA5120310bcd6764f8152f4f438bb0d02b05ad6a24daca19e19948ba22496ce3d4148eeebd221a35ab513cfe656fb7763c758ceb9251ba4f05b898b376e07db317daf
-
Filesize
12KB
MD51457894ac870ebe74dea2881416ef49f
SHA15b6bbeaaeb6ae741adf8f663bdb679c6dce8ba8a
SHA256052415c8d56d648af26dec3df513fe178a0d2bcb53350371a695e6efe3819f08
SHA512cc29d3da36dcd16f612fd85f7a6c344463b3d421e8bbdd17eb895cea819383ca70ffa91409fbb2f849fbe3500915421e5e25ea4e2bad8ebc7e64e5933a11c1c7
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize4KB
MD5340f18e42d3d1b6208cf09ee9fd605fa
SHA1980582724f8e4430dfbf8a83081139d7903566be
SHA256cd76cb2f809154227536a0005e30dfe7c54aeb8d511e53a538702900df7d1879
SHA5124b110947c54b3c9d6780597a35c9caf12c40e5743e1d9ffa09e30d53d4863d39fe017e93724bc932486b305d58603c742a903227074783d83ce62ff9bc077236
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres
Filesize2KB
MD58a20df831ca6fae99dfb4bee9ce6cbb0
SHA1858804fcba46094d2d9dbaecfe433732093e86a8
SHA2564d05de09eb0734021e27ab97b64c8597c165d1f653966a2370b4a25a50336855
SHA512516cc438bc73a3ae5f77d7a8ec32728e8b9977e087dcc479c0d73d0a8f379e6c91008266ac8afe82b323f414a60b6bd0c77a4b0de576b1a45d5c5c81c051e5af
-
Filesize
115B
MD5f3517cbd484198b25b6e67eb202232e2
SHA1bddc5645eca791472ae438f6099459983bb42419
SHA256c7d853927c93ced4b6c6c44d0f2ccbbcfcfd569fddbf1add0505c89358d3b8d9
SHA51244cc42c49d54ab885ed846aca80579bd56e639af9e3f9c8f5fd737e9472197bd53ab5f64cce4145c952035bac382078f0743f918a7b581f2a7758083f94eb06d
-
Filesize
315KB
MD585f1a8765f380669390de3ce2de8a8f8
SHA1006697ee6244a06372d2540f1f64d7b2022eace2
SHA256cba24647f82eecc726c5ee0ab314306b1c565de7d0b70b692610a725714f188f
SHA5120ebf704e36c8e90274c240726a8cfc72a9bcb5918a0f8f45b721a6cbb5a4216d5c7439c8e1b33dc3bba7cfef4dc45e723d120907a37555abeb0d0f85be8fd0ad
-
Filesize
31KB
MD50ede4a776d25cdd9132e81c023f6fcdf
SHA1c232251fdd895de67bd92510990a686de969fa6f
SHA2562b02fcc719dcd5c35ac9ae6673538fca17f0841285d474c340af1932815522c1
SHA5121a6470189c484ff824c74921790f482e05385d403bcd823c7071b32349c272e9686c460ef2958c99b83ee0a158aa20db966b3eba831d916cc19dbb6d8d7a46fb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize10KB
MD5026b96bfd2665b577783e1a91c5aaf7c
SHA1e4ca8d6eedbcc6a69d06d0ceaf330c84a2e712ef
SHA25627c45e7bfbe9a12ce7866030fecff8a4d33bae6d4a28491a5a90f0a15e206a67
SHA5123e23f63320fe002c0146edaf8af6e7740f83dfbdec4585e09fa81899598555532e9d9453ccb09753b05049f4ccc5b669375140868282d752cc2cfef2ecd59de2
-
Filesize
124B
MD554ba0db9b8701f99a46ae533da6fe630
SHA12bd5aea2aceea62deb7ba06969ff6108f3381929
SHA256bb1455630e747e00b60910f9eadf47641ecc46e917034d08530430569d8eaeac
SHA51227fa4e43cf1a1b79a597cfb28aa29457aa096d8c485f84d7b2754268148bfa7430e53abdee4897f911af51aabbae3942ff57cbae02765bbea27e1c181bfecc1a
-
Filesize
848KB
MD56070fda554e464717698e12b7f7e6378
SHA1d7db1af2e30347075fc2077f1fdc59b18fd47de1
SHA25661219e2e94975a36b5e1c4210f639f716f3b3efff2d905f0ee7d0bfa6ae4de4b
SHA512d5c930b57acb0e2cb3e1df623563c00857bd12acb13fd69a0322d6c48de29452bb0e95cc7cb6b822886d8ed1e18774593e1397cf4a9ceef76267fcbc5fcc9595
-
Filesize
198.8MB
MD5ca39d5d3d690a621ae05df4eaa200546
SHA1d87c1d9fde29db13ab887baab58431ad13d57ff1
SHA2564e528fc44bfe522e3b4d2338aab17a8321c8549f4dfe3a0cf566c173a678c328
SHA512fba450346b7913dc666e87c1037abfd23f47aab2089f6b53caa7ddddb24898e9d2621b1119315bae42f51df442d5fa42cab639655b0febbf625f423ba5b92220
-
Filesize
198.8MB
MD5af60ad5b6cafd14d7ebce530813e68a0
SHA1ad81b87e7e9bbc21eb93aca7638d827498e78076
SHA256b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
SHA51281314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
73KB
MD537e887b7a048ddb9013c8d2a26d5b740
SHA1713b4678c05a76dbd22e6f8d738c9ef655e70226
SHA25624c0638ff7571c7f4df5bcddd50bc478195823e934481fa3ee96eb1d1c4b4a1b
SHA51299f74eb00c6f6d1cbecb4d88e1056222e236cb85cf2a421243b63cd481939d3c4693e08edde743722d3320c27573fbcc99bf749ff72b857831e4b6667374b8af
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
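The dropped-file list above is only useful as an IOC set once each entry is pulled apart into its path, size and per-algorithm digests. The following is an added example, not code from this report or from the sandbox that produced it: a small Python parser for the flattened layout the list extracts to (entries separated by a lone "-", an optional Windows path line, then Filesize/MD5/SHA1/SHA256/SHA512 lines whose label is either fused to its value or split from it over two lines), plus a lookup that matches a local file's digests against the parsed set. The embedded sample is constructed from two of the entries above; the function names (parse_report, index_by_digest, hash_file, find_match) are this example's own. Entries the report lists without a path stay without one; the parser never guesses a location, and a digest of the wrong length is rejected rather than admitted to the match set.

```python
"""Parse a flattened sandbox "dropped files" hash list into IOC records.

Added example (not code from the report or its sandbox vendor). It assumes
only the layout visible in the list above. Function names are this
example's own.
"""
import hashlib
from typing import Any, Dict, List, Optional, Tuple

# Expected hex-digest length per algorithm. Because the label is fused to the
# digest in the extracted text, the length check is what rejects a truncated
# or mangled digest instead of letting it into the IOC set silently.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("Filesize",) + tuple(HASH_LENGTHS)
HEX = set("0123456789abcdef")

# Constructed sample: two entries copied from the list above, one in the
# split "Filesize / 6KB" form and one with a path and a fused "Filesize4KB".
SAMPLE_REPORT = r"""-
Filesize
6KB
MD5940b5136bfe0acf009b67a81bf0b5d16
SHA14aea9e0d5a16fe98d536b0c1492f2698a3b21ff8
SHA2567975a0b5c750cc108c578748f5ffa273ff280efedccc6a3fa935df673deba159
SHA51270be8c79cbfce656c311697f7fe5b2ecfc6977ca80ea99276f729952ac8a1bbe24b0338722919a549650e5d05ecb57ee6a094a1086e53dfe388cd9add645ed23
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize4KB
MD5340f18e42d3d1b6208cf09ee9fd605fa
SHA1980582724f8e4430dfbf8a83081139d7903566be
SHA256cd76cb2f809154227536a0005e30dfe7c54aeb8d511e53a538702900df7d1879
SHA5124b110947c54b3c9d6780597a35c9caf12c40e5743e1d9ffa09e30d53d4863d39fe017e93724bc932486b305d58603c742a903227074783d83ce62ff9bc077236
"""


def split_hash_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (algorithm, digest) for a fused label+digest line, else None."""
    for algo, length in HASH_LENGTHS.items():
        if line.startswith(algo):
            digest = line[len(algo):].strip().lower()
            if len(digest) == length and set(digest) <= HEX:
                return algo.lower(), digest
    return None


def parse_report(text: str) -> List[Dict[str, Any]]:
    """Split the flattened list into one record per dropped file."""
    records: List[Dict[str, Any]] = []
    current: Dict[str, Any] = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "-":                          # entry separator
            if current:
                records.append(current)
            current = {}
            continue
        if line in LABELS and i < len(lines):    # label split from its value
            line += lines[i]
            i += 1
        if line.startswith("Filesize"):
            current["size"] = line[len("Filesize"):].strip()
            continue
        parsed = split_hash_line(line)
        if parsed:
            current[parsed[0]] = parsed[1]
        elif "\\" in line or "/" in line:        # the report's optional path line
            current["path"] = line
        else:                                    # keep it visible, never guess at it
            current.setdefault("unparsed", []).append(line)
    if current:
        records.append(current)
    return records


def index_by_digest(records: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Map every known digest (any algorithm) back to its record."""
    index: Dict[str, Dict[str, Any]] = {}
    for rec in records:
        for algo in HASH_LENGTHS:
            digest = rec.get(algo.lower())
            if digest:
                index[digest] = rec
    return index


def hash_file(path: str) -> Dict[str, str]:
    """Compute all four digests of a local file in one pass over its bytes."""
    hashers = {algo.lower(): hashlib.new(algo.lower()) for algo in HASH_LENGTHS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def find_match(index: Dict[str, Dict[str, Any]],
               digests: Dict[str, str]) -> Optional[Dict[str, Any]]:
    """Return the report record matching any of the given digests, else None."""
    for digest in digests.values():
        rec = index.get(digest.lower())
        if rec is not None:
            return rec
    return None


if __name__ == "__main__":
    for rec in parse_report(SAMPLE_REPORT):
        print(rec.get("path", "(no path in report)"), rec.get("size"), rec.get("sha256"))
```

To sweep a host, feed the whole list (after the "-" before the first entry) to parse_report, build the index once, and call find_match(index, hash_file(p)) for each candidate path; the 198.8MB entries are large enough that the single-pass hash_file matters. Anything that lands in a record's "unparsed" list is a line the extraction damaged and should be checked by hand against the report rather than used as an IOC.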